CC3220SF: Certificate error MQTT Google IoT Core

Part Number: CC3220SF
Other Parts Discussed in Thread: UNIFLASH

Hi all,

I'm trying to connect to Google IoT Core with MQTT, but so far it's not working.

I have verified with a local MQTT client that the needed credentials, such as the client ID and password (in this case the JWT token needed for Google's IoT Core), are correct. I was able to connect to my registered device and publish messages.

However, when I try to connect with the CC3220SF, I get the following error message on the serial terminal:

I checked the certificate and verified that it actually is a GlobalSign certificate, so I'm really confused here. This is the most common error I get, while occasionally also getting -468, -458, -457 or -2005 depending on the root certificate that I upload. All the root certificates that I have tried I have downloaded directly from Google, either from their certificates repository (pki.goog/repository/) or from their MQTT-bridge example page cloud.google.com/iot/docs/how-tos/mqtt-bridge.

I upload them as such via UniFlash:

I followed the empty MQTT example from the SDK and was able to connect to the Eclipse broker with a secured connection. I expanded the code and added the needed credentials for Google IoT Core, but I must be doing something wrong as I'm not able to connect to their MQTT broker.

Here is part of my code:

 #define ClientId                    "projects/myProjectId/locations/europe-west1/registries/myRegistry/devices/qdevice"
 #define MQTT_CLIENT_PASSWORD        "myJWTtoken"
 #define MQTT_CLIENT_USERNAME        "unused"
 #define MQTT_CLIENT_KEEPALIVE       60
 #define MQTT_CLIENT_CLEAN_CONNECT   true
 #define MQTT_CLIENT_MQTT_V3_1       false
 #define MQTT_CLIENT_BLOCKING_SEND   true
 char *MQTTClient_secureFiles[1] = {"gsr2.pem"};

 #define MQTT_CONNECTION_FLAGS       MQTTCLIENT_NETCONN_URL | MQTTCLIENT_NETCONN_SEC
 #define MQTT_CONNECTION_ADDRESS     "mqtt.googleapis.com"
 #define MQTT_CONNECTION_PORT_NUMBER  8883

 #define SL_TASKSTACKSIZE            2048
 #define SPAWN_TASK_PRIORITY         9

 MQTT_IF_InitParams_t mqttInitParams =
 {
      MQTT_MODULE_TASK_STACK_SIZE,   // stack size for mqtt module
      MQTT_MODULE_TASK_PRIORITY      // thread priority for MQTT
 };

 MQTT_IF_ClientParams_t mqttClientParams =
 {
      ClientId,                  // client ID
      MQTT_CLIENT_USERNAME,      // user name
      MQTT_CLIENT_PASSWORD,      // password
      MQTT_CLIENT_KEEPALIVE,     // keep-alive time
      MQTT_CLIENT_CLEAN_CONNECT, // clean connect flag
      MQTT_CLIENT_MQTT_V3_1,     // true = 3.1, false = 3.1.1
      MQTT_CLIENT_BLOCKING_SEND, // blocking send flag
 };

 MQTTClient_ConnParams mqttConnParams =
 {
     MQTT_CONNECTION_FLAGS,                  // connection flags
     MQTT_CONNECTION_ADDRESS,                // server address
     MQTT_CONNECTION_PORT_NUMBER,            // port number of MQTT server
     SLNETSOCK_SEC_METHOD_TLSV1_2,     // method for secure socket
     SLNETSOCK_SEC_CIPHER_FULL_LIST,         // cipher for secure socket
     1,                                      // number of files for secure connection
     MQTTClient_secureFiles                  // secure files
 };


/* When MQTT_if_handler is called, the user is expected to provide an event callback.
 * This callback will be used by the MQTT client module to notify the main application when certain MQTT events have occurred (e.g. connect, disconnect, etc.) */
 void MQTT_EventCallback(int32_t event)
 {
     switch(event){
         case MQTT_EVENT_CONNACK:
         {
             LOG_INFO("MQTT_EVENT_CONNACK\r\n");
             break;
         }
         case MQTT_EVENT_CLIENT_DISCONNECT:
         {
             LOG_INFO("MQTT_EVENT_CLIENT_DISCONNECT\r\n");
             break;
         }
         case MQTT_EVENT_SERVER_DISCONNECT:
         {
             LOG_INFO("MQTT_EVENT_SERVER_DISCONNECT\r\n");
             break;
         }
         case MQTT_EVENT_DESTROY:
         {
             LOG_INFO("MQTT_EVENT_DESTROY\r\n");
             break;
         }
         default:
         {
             LOG_INFO("Unknown MQTT event\r\n");
             break;
         }
     }
 }

 /* WiFi initialiser */

 int WifiInit(){
     int32_t ret;
     SlWlanSecParams_t security_params;
     pthread_t spawn_thread = (pthread_t) NULL;
     pthread_attr_t pattrs_spawn;
     struct sched_param pri_param;

     pthread_attr_init(&pattrs_spawn);
     pri_param.sched_priority = SPAWN_TASK_PRIORITY;
     ret = pthread_attr_setschedparam(&pattrs_spawn, &pri_param);
     ret |= pthread_attr_setstacksize(&pattrs_spawn, SL_TASKSTACKSIZE);
     ret |= pthread_attr_setdetachstate(&pattrs_spawn, PTHREAD_CREATE_DETACHED);
     ret = pthread_create(&spawn_thread, &pattrs_spawn, sl_Task, NULL);
     if(ret != 0){
         LOG_ERROR("could not create simplelink task\n\r");
         while(1);
     }

     Network_IF_ResetMCUStateMachine();

     Network_IF_DeInitDriver();

     ret = Network_IF_InitDriver(ROLE_STA);
     if(ret < 0){
         LOG_ERROR("Failed to start SimpleLink Device\n\r");
         while(1);
     }

    // SetClientIdNamefromMacAddress();

     security_params.Key = (signed char*)SECURITY_KEY;
     security_params.KeyLen = strlen(SECURITY_KEY);
     security_params.Type = SECURITY_TYPE;

     ret = Network_IF_ConnectAP(SSID_NAME, security_params);
     if(ret < 0){
         LOG_ERROR("Connection to an AP failed\n\r");
     }
     else{
         ret = sl_WlanProfileAdd((signed char*)SSID_NAME, strlen(SSID_NAME), 0, &security_params, NULL, 7, 0);
         if(ret < 0){
             LOG_ERROR("failed to add profile %s\r\n", SSID_NAME);
         }
         else{
             LOG_INFO("profile added %s\r\n", SSID_NAME);
         }
     }

     return ret;
 }

 void MQTTDemo(char* topic, char* payload, uint8_t qos)
 {
     LOG_INFO("TOPIC: %s PAYLOAD: %s QOS: %d\r\n", topic, payload, qos);
}

/*
 *  ======== mainThread ========
 */
void *mainThread(void *arg0)
{
    /* 1 second delay */
    uint32_t time = 1;

    /* MQTT variables */
    int32_t ret;
    UART_Handle uartHandle;
    MQTTClient_Handle mqttClientHandle;

    GPIO_init();
    SPI_init();

    /* Open UART instance to enable application printing */
    uartHandle = InitTerm();
    UART_control(uartHandle, UART_CMD_RXDISABLE, NULL);

    /* Initialize the IP network services layer for the MQTT client module */
    ret = ti_net_SlNet_initConfig();
    if(0 != ret)
    {
        LOG_ERROR("Failed to initialize SlNetSock\n\r");
    }

    /* Call WifiInit() to start the network processor and connect to an Access Point */
    ret = WifiInit();
    if(ret < 0){
        while(1);
    }

    setTime();

    /* Initialize MQTT client module */
    ret = MQTT_IF_Init(mqttInitParams);
    if(ret < 0){
        while(1);
    }

    ret = MQTT_IF_Subscribe(mqttClientHandle, "/devices/mydevice/events", MQTT_QOS_1, MQTTDemo); // Google doesn't support QoS 2
    if(ret < 0){
        while(1);
    }
    else{
        LOG_INFO("Subscribed to all topics successfully\r\n");
    }

    /* Connect MQTT broker and register event call back */
    mqttClientHandle = MQTT_IF_Connect(mqttClientParams, mqttConnParams, MQTT_EventCallback);
    if(mqttClientHandle < 0){
        while(1);
    }

    while (1) {
        sleep(time);
        MQTT_IF_Publish(mqttClientHandle,
                        "/devices/qdevice/events",
                        "hello\r\n",
                        strlen("hello\r\n"),
                        MQTT_QOS_0);
    }
}

  • Hello,

    Error -468 is SL_ERROR_BSD_ESECUNKNOWNROOTCA, which may mean this was the correct certificate, but the CC3220SF was unable to verify it in the trusted root certificate catalog.

    You can find all the error codes in source/ti/drivers/net/wifi/errors.h.

    Can you check what servicepack and certificate catalog you have flashed to the device? You can find the latest version of the servicepack and the certificate catalog in the SDK's tools/cc32xx_tools folder.

    Best regards,

    Sarah

  • Hi!

    I'm currently using the latest SDK version simplelink_cc32xx_sdk_4_40_00_07.

    From the SDK I flashed the following servicepack:

    And the following certificate catalogs:

    with certcatalog20200715.lst.signed_3220.bin as the signature source file.

    I'm still experiencing the same issues.

  • Hi Yining,

    You need to find the root CA certificate that is signed by a trusted certificate authority (listed in the certcatalog readme). This root CA cannot be self-signed by Google. Since the connection response from Google is asking for a GlobalSign certificate, I suggest trying those first.

    This thread relates to finding the correct certificate for connecting to AWS, but the debug steps and explanations may help you: https://e2e.ti.com/support/wireless-connectivity/wifi/f/968/t/789112

    Best regards,

    Sarah

  • Hi Sarah!

    I have solved the problem and was able to connect to Google's IoT Core.

    I was using the complete Google root CA certification package, which is downloaded as a single file: roots.pem. The CC3220SF seemed to be unable to process this large file and pass the correct certificate when connecting to Google. The solution I found was to remove all unnecessary root CA certificates in the roots.pem file and leave only the certificate which was used by Google.

    There were other forum posts mentioning that the CC3220SF was unable to accept files in .pem format and instead they had to convert their files to a .der format. Before coming to my solution, I also tried this out with the complete package file; however, this did not seem to work for me either. After removing all the unnecessary root CA certificates from my roots.pem file, I was able to upload it in the .pem format and use it to connect to Google's IoT Core successfully.
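
The trimming step described in the last post, as an added example that is not part of the original thread or of TI's or Google's tooling: a host-side Python script that pulls exactly one root out of a multi-certificate bundle such as roots.pem, selected by SHA-256 fingerprint rather than by hand-editing, and returns it in both PEM and DER form. The function names are hypothetical, the fingerprint is assumed to come from the CA's published repository, and the bundle below is constructed placeholder data, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def split_bundle(bundle_text):
    """Return DER bytes for every certificate block; text between blocks is ignored."""
    ders = []
    for match in PEM_BLOCK.finditer(bundle_text):
        b64 = "".join(match.group(1).split())        # drop line breaks
        ders.append(base64.b64decode(b64, validate=True))
    return ders

def fingerprint(der):
    """SHA-256 over the DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def to_pem(der):
    """Re-encode DER as a single PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])

def extract_root(bundle_text, wanted_sha256):
    """Return (pem, der) for the one certificate matching the fingerprint."""
    wanted = wanted_sha256.replace(":", "").lower()
    hits = [d for d in split_bundle(bundle_text) if fingerprint(d) == wanted]
    if len(hits) != 1:
        # Refuse to guess: zero or several matches means the wrong input.
        raise LookupError(f"expected exactly 1 match, found {len(hits)}")
    return to_pem(hits[0]), hits[0]

# Constructed sample: placeholder payloads stand in for real DER
# certificates so the example runs offline. They are NOT valid X.509.
FAKE_DERS = [b"constructed-root-A" * 8, b"constructed-root-B" * 8,
             b"constructed-root-C" * 8]
SAMPLE_BUNDLE = "".join(f"# Label: root {i}\n{to_pem(d)}\n"
                        for i, d in enumerate(FAKE_DERS))

if __name__ == "__main__":
    pem, der = extract_root(SAMPLE_BUNDLE, fingerprint(FAKE_DERS[1]))
    print(pem)
    print(f"{len(der)} DER bytes, sha256={fingerprint(der)}")
```

Write the returned PEM (or the DER bytes) to its own file and upload that single-certificate file to the device in place of the full bundle.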