
CC3200: Failure to connect to AWS IoT Broker

Part Number: CC3200


Hello,

In the past we have been able to communicate with the AWS IoT broker with CC3200 without any trouble. As it looked promising, we now want to modify the CC3200 firmware to connect our products to our production-level AWS IoT Core. In the current implementation, for additional security, we have registered our own CA, so that the certs have to be signed with our CA.
So now, we are providing 4 cert files instead of 3 files.

And while doing that, we ran into broker connection issues. Hence, we decided to use the mqtt_client example project as before and verify the behavior, as we were able to get it to work successfully in the past. The following certificates are used in our implementation.

  1. rootCA – Generated by Amazon
  2. rootCA – Generated by us.
  3. Client ID
  4. Private Key

Error Message:

-close socket (80) operation connection less mode, rx packet fragmentation
 > 16K, packet is being released

[SOCK ERROR] -close socket (80) operation remote side down from secure to unsecure
unknown sock async event: 2
C: Net 80, Raw Error -1, Time Out: N
C: RX closing Net 80 [-1]
C: Cleaning session for net 80
C: Net 80 now closed
Broker connect fail for conn no. 1

  • You can't use the 2 servers' root CAs together.

    If you configured your AWS account to use your certificate - this is the root CA that needs to be provided. Otherwise you should use AWS root CA.

    The error log provided doesn't give enough info.

    Please recompile the mqtt lib with "DEBUG_NET_DEV" compile flag.

    (either add as project's predefined symbol or you can add "#define  DEBUG_NET_DEV" in "cc32xx_sl_net.h")

  • Thank you

    As suggested, I made both changes.

    1. Use our own rootCA certificate and

    2. Defined macro DEBUG_NET_DEV in cc32xx_sl_net.h

    After making the above changes we are unable to connect to AWS server. It throws an error code -456. Please let us know how to fix this issue. Thanks. 

    Please see below for the log.

    [Tue Jan 12 16:24:51.766 2021] *************************************************
    [Tue Jan 12 16:24:51.792 2021] CC3200 MQTT_Client Application
    [Tue Jan 12 16:24:51.792 2021] *************************************************
    [Tue Jan 12 16:24:51.792 2021]
    [Tue Jan 12 16:24:51.792 2021]
    [Tue Jan 12 16:24:51.792 2021]
    [Tue Jan 12 16:24:52.527 2021] Host Driver Version: 1.0.0.10
    [Tue Jan 12 16:24:52.548 2021] Build Version 2.12.2.8.31.1.5.0.10.1.0.3.37
    [Tue Jan 12 16:24:52.580 2021] [WLAN ERROR]Device disconnected from the AP AP: , BSSID: 0:0:0:0:0:0 on an ERROR..!!
    [Tue Jan 12 16:24:52.873 2021] Device is configured in default state
    [Tue Jan 12 16:24:53.625 2021] Started SimpleLink Device: STA Mode
    [Tue Jan 12 16:24:54.217 2021] [WLAN EVENT] STA Connected to the AP: factoryNetwork , BSSID: ba:77:99:1c:69:dd
    [Tue Jan 12 16:24:54.329 2021] [NETAPP EVENT] IP acquired by the device
    [Tue Jan 12 16:24:54.457 2021]
    [Tue Jan 12 16:24:54.457 2021] Device has connected to factoryNetwork
    [Tue Jan 12 16:24:54.478 2021] Device IP Address is 172.20.10.3
    [Tue Jan 12 16:24:54.478 2021]
    [Tue Jan 12 16:24:54.478 2021] Connected to an AcessPoint
    [Tue Jan 12 16:24:56.459 2021] Version: Client LIB 1.0.3, Common LIB 1.1.1.
    [Tue Jan 12 16:24:56.459 2021] MQTT Client lib initialization ---> PASS
    [Tue Jan 12 16:24:56.459 2021] Create MQTT Client CTX
    [Tue Jan 12 16:24:56.459 2021] Done MQTT Client CTX
    [Tue Jan 12 16:24:56.459 2021] Client ID: Success
    [Tue Jan 12 16:24:56.459 2021] Connect to AWS Broker
    [Tue Jan 12 16:24:58.009 2021]
    [Tue Jan 12 16:24:58.009 2021] ERROR: Could not establish connection to server.
    [Tue Jan 12 16:24:58.009 2021]
    [Tue Jan 12 16:24:58.009 2021] ERROR(#-456): Closing the socket.
    [Tue Jan 12 16:24:58.009 2021]
    [Tue Jan 12 16:24:58.009 2021] Broker connect fail for conn no. 1
    [Tue Jan 12 16:24:58.009 2021]
    [Tue Jan 12 16:24:58.009 2021] Exiting the Application

    Also, I wanted to mention that our goal is to perform JITR once the product connects to AWS IoT Core. We have it working on another product that uses Linux OS underneath.

  • -456 means BAD CERTIFICATE. 

    Either the certificate format is wrong or the path to the certificate is wrong.

    Please find more details in https://www.ti.com/lit/pdf/swpu332

    Br,

    Kobi

  • Got it. After correcting the path to the certificate, I get the following error.

    Connect to AWS Broker

    ERROR: Could not establish connection to server.

    ERROR(#-155): Closing the socket.

    Broker connect fail for conn no. 1

    Exiting the Application.


    I have also attached below image to indicate that all certificates are in .der format.



  • Looks like the rootCA you provided (in the reference mqtt client example check the definition of SL_SSL_CA_CERT in the mqtt app's main.c) is not the right root CA for verifying the server.

    Please make sure you use the right root CA for the AWS server.

    https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html

    Br,

    Kobi

  • Thank you. The document provided helped us. Prior to this we didn't know the .pem format was supported by CC3200.

    After knowing that we did the following thing. We are now providing 3 certificates to AWS IoT Core. 

    1. rootCA.pem (registered by us) + Client certificate.pem = Combined.pem

    2. private key.der 

    3. rootCA.der (provided by Amazon)

    After doing this, we do see some back and forth happening between CC3200 and AWS IoT Core. However, the connection drops after a while. Please see below for the logs. 

    Connected to an AcessPoint
    Version: Client LIB 1.0.3, Common LIB 1.1.1.
    MQTT Client lib initialization ---> PASS
    Create MQTT Client CTX
    Done MQTT Client CTX
    Client ID: Success
    Connect to AWS Broker

    Connected to server ....

    TCP send invoked for data with len 21

    Sent Data : 10 13 00 06 4d 51 49 73 64 70 03 02 00 19 00 05
    75 73 65 72 31
    C: FH-B1 0x10 to net 80, Sent (21 Bytes) [@ 12]

    successfully set socket recv_timeout_option 30

    TCP recv invoked ...

    Received a message with len 1
    20

    successfully set socket recv_timeout_option 30

    TCP recv invoked ...

    Received a message with len 1
    02

    successfully set socket recv_timeout_option 30

    TCP recv invoked ...

    Received a message with len 2
    00 00
    C: Rcvd msg Fix-Hdr (Byte1) 0x20 from net 80 [@ 14]
    C: Cleaning session for net 80
    C: Msg w/ ID 0x0000, processing status: Good
    Done connecting to
    successfully set socket recv_timeout_option 25

    TCP recv invoked ...
    AWS Broker
    Subscribe to topics

    TCP send invoked for data with len 163

    Sent Data : 82 a0 01 00 01 00 23 24 61 77 73 2f 74 68 69 6e
    67 73 2f 31 32 33 34 35 36 39 38 37 30 41 42 2f
    73 68 61 64 6f 77 2f 67 65 74 00 00 2c 24 61 77
    73 2f 74 68 69 6e 67 73 2f 31 32 33 34 35 36 39
    38 37 30 41 42 2f 73 68 61 64 6f 77 2f 75 70 64
    61 74 65 2f 64 65 6c 74 61 00 00 22 2f 70 72 6f
    64 75 63 74 73 2f 53 54 33 30 30 37 2f 31 32 33
    34 35 36 39 38 37 30 41 42 2f 63 63 74 32 00 00
    21 2f 70 72 6f 64 75 63 74 73 2f 53 54 33 30 30
    37 2f 31 32 33 34 35 36 39 38 37 30 41 42 2f 63
    63 74 00
    C: FH-B1 0x82 to net 80, Sent (163 Bytes) [@ 14]
    [SOCK ERROR] -close socket (80) operationconnection less mode, rx packet fragmentation
    > 16K, packet is being released[SOCK ERROR] -close socket (80) operationremote side down from secure to unsecure
    unknown sock async event: 2

    Received a message with len -452
    C: Net 80, Raw Error -1, Time Out: N
    C: RX closing Net 80 [-1]
    C: Cleaning session for net 80
    C: Net 80 now closed

    Subscription Error for conn no. 1
    Disconnecting from the broker

    Exiting the Application
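The hex dumps in the log above are complete MQTT control packets, so they can be decoded offline to see exactly what the device sent before the broker dropped the TLS session. The decoder below is an added example, not part of the thread and not code from TI's mqtt client library; the three byte strings are copied from the "Sent Data" and "Received a message" lines (the three received fragments 20, 02, 00 00 reassembled into one CONNACK), and the function names and the packet-type tables are this example's own. It handles any MQTT 3.x CONNECT, CONNACK and SUBSCRIBE packet, not only these three.

```python
import struct

# Hex dumps copied from the log above: the CONNECT the device sent, the CONNACK
# it read back in three fragments, and the SUBSCRIBE after which the link died.
CONNECT_HEX = "10 13 00 06 4d 51 49 73 64 70 03 02 00 19 00 05 75 73 65 72 31"
CONNACK_HEX = "20 02 00 00"
SUBSCRIBE_HEX = """
82 a0 01 00 01 00 23 24 61 77 73 2f 74 68 69 6e
67 73 2f 31 32 33 34 35 36 39 38 37 30 41 42 2f
73 68 61 64 6f 77 2f 67 65 74 00 00 2c 24 61 77
73 2f 74 68 69 6e 67 73 2f 31 32 33 34 35 36 39
38 37 30 41 42 2f 73 68 61 64 6f 77 2f 75 70 64
61 74 65 2f 64 65 6c 74 61 00 00 22 2f 70 72 6f
64 75 63 74 73 2f 53 54 33 30 30 37 2f 31 32 33
34 35 36 39 38 37 30 41 42 2f 63 63 74 32 00 00
21 2f 70 72 6f 64 75 63 74 73 2f 53 54 33 30 30
37 2f 31 32 33 34 35 36 39 38 37 30 41 42 2f 63
63 74 00
"""

PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 8: "SUBSCRIBE", 9: "SUBACK"}
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}


def parse_fixed_header(data):
    """Return (packet type, flags, remaining length, offset of variable header)."""
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    # Remaining Length is a base-128 varint; bit 0x80 means another byte follows.
    value, multiplier, i = 0, 1, 1
    while True:
        b = data[i]
        value += (b & 0x7F) * multiplier
        i += 1
        if not b & 0x80:
            break
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")
    if len(data) - i != value:
        raise ValueError(f"remaining length says {value}, packet carries {len(data) - i}")
    return ptype, flags, value, i


def read_string(data, i):
    """Read a 2-byte big-endian length-prefixed UTF-8 string at offset i."""
    (n,) = struct.unpack_from(">H", data, i)
    return data[i + 2:i + 2 + n].decode("utf-8"), i + 2 + n


def decode_connect(data, i):
    protocol, i = read_string(data, i)
    level, cflags = data[i], data[i + 1]
    (keep_alive,) = struct.unpack_from(">H", data, i + 2)
    client_id, i = read_string(data, i + 4)
    out = {"type": "CONNECT", "protocol": protocol, "level": level,
           "clean_session": bool(cflags & 0x02), "keep_alive": keep_alive,
           "client_id": client_id}
    # Optional payload fields follow the client id in this fixed order.
    if cflags & 0x04:
        out["will_topic"], i = read_string(data, i)
        out["will_message"], i = read_string(data, i)
    if cflags & 0x80:
        out["username"], i = read_string(data, i)
    if cflags & 0x40:
        out["password"], i = read_string(data, i)
    return out


def decode_connack(data, i):
    code = data[i + 1]  # byte i is the ack-flags byte
    return {"type": "CONNACK", "return_code": code,
            "meaning": CONNACK_CODES.get(code, "unknown")}


def decode_subscribe(data, i):
    (packet_id,) = struct.unpack_from(">H", data, i)
    i += 2
    topics = []
    while i < len(data):
        topic, i = read_string(data, i)
        topics.append((topic, data[i]))  # one requested-QoS byte per filter
        i += 1
    return {"type": "SUBSCRIBE", "packet_id": packet_id, "topics": topics}


def decode(hexdump):
    """Decode one MQTT 3.x control packet given as a whitespace-separated hex dump."""
    data = bytes.fromhex("".join(hexdump.split()))
    ptype, flags, _, i = parse_fixed_header(data)
    handler = {1: decode_connect, 2: decode_connack, 8: decode_subscribe}.get(ptype)
    if handler is None:
        return {"type": PACKET_TYPES.get(ptype, f"type {ptype}"), "flags": flags}
    return handler(data, i)


if __name__ == "__main__":
    for dump in (CONNECT_HEX, CONNACK_HEX, SUBSCRIBE_HEX):
        print(decode(dump))
```

Run as-is, it shows a CONNECT in the old MQTT 3.1 form (protocol name "MQIsdp", level 3) with client id "user1" and a 25 s keep-alive (the same 25 that appears in the recv_timeout_option line), a CONNACK with return code 0 (accepted), and a SUBSCRIBE for four topic filters, two under $aws/things/1234569870AB/shadow/ and two under /products/ST3007/1234569870AB/. Since the TLS handshake and CONNECT both succeeded and the socket was closed only after that SUBSCRIBE, those four filters are what to check against the iot:Subscribe and iot:Receive resources of the policy attached to the device certificate.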

  • Please take a look at the NWP logs attached here.

    Hope this will help you in providing an insight into the problem we are facing.

  • Seems that the TLS connection to AWS cloud was opened correctly. So no certificate issues.

    However the server disconnected you, so maybe something is missing in your access permissions on the cloud.

    Have you attached a policy that enables you to access the IoT Core?

    Br,

    Kobi

  •   Thank you for the help. We finally got it working. 

    One question though: 

    Our product receives 3 certificates in .pem format.

    1. rootCA.pem

    2. privateKey.pem

    3. deviceCert + Client Cert = Combined.pem

    When we try these files in .pem format things do not work. It throws error -456. (BAD CA)

    So, I converted rootCA.pem to rootCA.der. Now I got error -458. (BAD Private key).

    So, I converted privateKey.pem to privateKey.der and things started to work.

    So finally certificates were in following format. 
    1. rootCA.der
    2. privateKey.der 
    3. combined.pem 

    And things started to work as expected.

    Can you please help us understand why it fails when all 3 certificates are in .pem format?

    According to the CC3200 SimpleLink Wi-Fi Certificates Handling document (https://www.ti.com/lit/ug/swpu332a/swpu332a.pdf?ts=1610648673499), CC3200 supports both .der format and .pem format. Looking forward to your response. Thank you again!

  • Sorry, the document you are referring to is for CC3220/CC323X.

    CC3200 supports only DER format (for the TLS/SSL certificates - see ch. 9.2.2.3 in https://www.ti.com/lit/pdf/swru368).

    Br,

    Kobi

  • Thank you.

    Need further clarification.

    One of the files we use is actually in .pem format, which is named combined.pem (posted in previous comments). It is obtained by concatenation of the client certificate and the rootCA registered by us. We actually have CC3200 working with this file.

    Please clarify if we can use this file (combined.pem) in .pem format or .der format. Thank you.


  • I believe the client certificate (chain) needs to use PEM, because the combined pem is the only way to set the entire chain. 
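The outcome reported earlier in the thread (rootCA and private key only accepted as .der, the chain only as combined.pem) follows from how the two encodings are structured: a PEM file is one or more base64-armored blocks, while a DER file is a single ASN.1 object, so a two-certificate chain has no single-DER form. The script below is an added example, not TI code and not from the thread; it strips PEM armor, checks that each block decodes to exactly one DER SEQUENCE, refuses to turn a multi-block chain into "one DER file", and builds a combined.pem. The certificate bodies it uses are constructed minimal SEQUENCEs standing in for real X.509 certificates so that it runs offline.

```python
import base64
import re

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_object_length(der):
    """Total byte length of the DER SEQUENCE that starts at der[0] (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER object does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text, rejecting any
    block whose base64 body is not exactly one well-formed DER object."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_object_length(der) != len(der):
            raise ValueError(f"{label}: trailing bytes after the DER object")
        blocks.append((label, der))
    return blocks


def pem_to_der(text):
    """Convert a single-object PEM file (root CA, private key) to DER bytes.
    A chain such as combined.pem holds several blocks and is refused: one DER
    file carries one object, which is why the chain has to stay in PEM."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        raise ValueError(f"expected one PEM block, found {len(blocks)}; keep chains in PEM")
    return blocks[0][1]


def der_to_pem(label, der):
    """Armor one DER object as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def combine_pem(*pems):
    """Build combined.pem: device/client certificate first, then the issuing CA(s)."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in pems)


# Constructed stand-ins (not real certificates): SEQUENCE { INTEGER 1 } for the
# client certificate and SEQUENCE { INTEGER 2 } for our own root CA.
CLIENT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
OUR_CA_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
CLIENT_PEM = der_to_pem("CERTIFICATE", CLIENT_DER)
OUR_CA_PEM = der_to_pem("CERTIFICATE", OUR_CA_DER)
COMBINED_PEM = combine_pem(CLIENT_PEM, OUR_CA_PEM)

if __name__ == "__main__":
    print("root CA as DER:", pem_to_der(OUR_CA_PEM).hex())
    print("blocks in combined.pem:", len(pem_blocks(COMBINED_PEM)))
```

For real files the conversion itself is normally done with OpenSSL (openssl x509 -in rootCA.pem -outform DER -out rootCA.der, and openssl pkey -in privateKey.pem -outform DER -out privateKey.der for the key); the value of the script is the structural check, which makes the -456/-458 results and the PEM-only chain explicit before the files are written to the serial flash.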

  • Thank you for confirming

    We ran into another issue this time. So far for testing we were using service pack version 1.0.1.14-2.12.2.8 and found no issues. Everything was working okay.

    Now we rolled back to the previous service pack version 1.0.0.10.0 (since we are using this in production), and we get the following error -457, which indicates a bad certificate file.

    Please let us know how to address this issue. Thank you for your help.

  • When you update the mcu image, please also update the SP to the latest version (1.0.1.14 or 1.0.1.15).

    See OTA documentation.

    Br, 

    Kobi



  • Hi Kobi,

    Due to memory size restriction on the serial flash, we won't be able to update the service pack.

    Is there any work around get it working with 1.0.0.10.0 service pack?

    Thanks,

    Jay

  • The workaround is in the newer service pack.

    You can replace the service pack first and the app later if it helps. 

  • Thank you for the help. Marking this ticket as resolved.

    We will reach out if we need further support with AWS IoT Core connection issues.