CC3220SF-LAUNCHXL: AWS IoT Error -24

Part Number: CC3220SF-LAUNCHXL


I know it's been posted before, but I've been having some trouble connecting to my AWS IoT... this is the serial output

CC3220 has connected to AP and acquired an IP address.

IP Address: 192.168.0.18

Current time: Wed Jun 14 19:44:54 2017


Flashing certificate file ...
 successfully wrote file /cert/ca.der to flash

Flashing certificate file ...
 successfully wrote file /cert/cert.der to flash

Flashing certificate file ...
 successfully wrote file /cert/key.der to flash


AWS IoT SDK Version 2.1.1-



Connecting...


ERROR: runAWSClient L#108
Error(-24) connecting to xxxxxx.us-east-2.amazonaws.com:8883


Subscribing...


ERROR: runAWSClient L#126
Error subscribing (-13)


ERROR: runAWSClient L#178
An error occurred in the loop. Error code = -13

As I understand it -24 is related to the root key, but I can't for the life of me figure out why it would be failing. My Dashboard shows successful connection attempts, but beyond that... nothing.

I'm migrating from Atmel's ASF's FreeRTOS implementation and so far find TI-RTOS friendlier (never mind that I absolutely need to use this board for this project.) So... have some patience with me :)

  • Hello Charles,

    Couple of things to check :-

    1.  If you are using the 'certificate-playground' for your certificate store, (which is most common during development phase), you'll need to patch the network_sl.c.

    static int getErrno(int ret)
    {
        if (ret == -1) {
            return (errno);
        }
        else {
            return (ret);
        }
    }
    
    IoT_Error_t iot_tls_connect(Network *pNetwork, TLSConnectParams *TLSParams)
    {
        int retConnect;
    
    ...
    
        retConnect = connect(skt, (struct sockaddr  *)&address, sizeof(address));
        if ((retConnect < 0) && (getErrno(retConnect) != SL_ERROR_BSD_ESECUNKNOWNROOTCA)) {
    //    if ((retConnect < 0)) {
            ret = NETWORK_ERR_NET_CONNECT_FAILED;
            goto QUIT;
        }
    ...
    }

    2.  Check your certificates/key don't have any tab characters in them.  The rootCA should be as follows (in certs.c)

    const char root_ca_pem[] = "-----BEGIN CERTIFICATE-----\
    MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\
    yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\
    ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\
    U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\
    ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\
    aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL\
    MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\
    ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln\
    biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp\
    U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y\
    aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1\
    nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex\
    t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz\
    SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG\
    BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+\
    rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/\
    NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E\
    BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH\
    BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy\
    aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv\
    MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE\
    p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y\
    5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK\
    WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ\
    4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N\
    hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq\
    -----END CERTIFICATE-----";
    

    3.  Check your policy configuration on the AWS side.  This policy is a pretty open policy, which is good for initial testing.  You should make it more secure for real products though.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iot:*"
          ],
          "Resource": [
            "*"
          ],
          "Effect": "Allow"
        }
      ]
    }

    Hope that helps,

    ~roger
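
Added example, not part of the original post or of the SDK: a host-side check for item 2 that reports the first byte in a `certs.c` PEM string that is not base64. Indented `\` continuation lines keep their leading tabs or spaces inside the string literal, which is how such bytes get in. `pem_check` and both sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int ok;          /* 1 if both markers are present and the body is clean */
    size_t offset;   /* offset of the first offending byte when one is found */
    char bad;        /* the offending byte, 0 if a marker is missing */
} pem_check_t;

static int is_base64_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
}

/* Hypothetical helper: scans the text between the BEGIN and END lines.
 * CR and LF are tolerated; tabs, spaces and anything else are reported. */
pem_check_t pem_check(const char *pem)
{
    pem_check_t r = { 0, 0, 0 };
    const char *begin = strstr(pem, "-----BEGIN ");
    const char *body, *end, *p;

    if (begin == NULL) return r;
    body = strstr(begin + 11, "-----");       /* dashes closing the BEGIN line */
    if (body == NULL) return r;
    body += 5;
    end = strstr(body, "-----END ");
    if (end == NULL || end == body) return r; /* no footer, or empty body */
    for (p = body; p < end; p++) {
        if (!is_base64_char(*p) && *p != '\r' && *p != '\n') {
            r.offset = (size_t)(p - pem);
            r.bad = *p;
            return r;
        }
    }
    r.ok = 1;
    return r;
}

/* Constructed samples, not real certificates. The second is what the compiler
 * produces when a continuation line in certs.c starts with a tab. */
const char sample_clean[] = "-----BEGIN CERTIFICATE-----QUJDREVGR0g=-----END CERTIFICATE-----";
const char sample_tabbed[] = "-----BEGIN CERTIFICATE-----\tQUJDREVGR0g=-----END CERTIFICATE-----";

int main(void)
{
    pem_check_t r = pem_check(sample_tabbed);
    printf("ok=%d offset=%lu byte=0x%02x\n", r.ok, (unsigned long)r.offset, (unsigned)r.bad);
    return 0;
}
```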

  • Having had a chance to look around the forum a bit, you are, as always, a lifesaver Roger.

    May I recommend that this patch be incorporated into a future release of the AWS Plugin? It seems to me that most people getting started with that plugin will be doing this from a fresh out-of-box install like I was, and will be running into the same brick wall.
  • Hi Charles,

    No problem. Glad you got this working.

    Yes, I completely agree with you. We are working on a mechanism to add this type of capability in future plugin releases to help users during the development phase. We'll probably have some form of configuration to allow users to specify that they want to avoid the certificate checks, as often required during development.

    Thanks for the feedback and hope your project goes well,
    ~roger
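
Added example, not part of the thread and not TI's plugin code: the `network_sl.c` patch above treats `SL_ERROR_BSD_ESECUNKNOWNROOTCA` as success, so the broker is no longer authenticated. One way to confine that to development builds is a gate that fails closed unless a build switch is set. `AWS_DEV_ALLOW_UNKNOWN_ROOT_CA`, `classify_connect` and the fallback error value are assumptions for illustration.

```c
#include <stdio.h>

/* On target the SimpleLink SDK headers define this; the fallback is a
 * stand-in value (assumption) so the example builds on a host. */
#ifndef SL_ERROR_BSD_ESECUNKNOWNROOTCA
#define SL_ERROR_BSD_ESECUNKNOWNROOTCA (-468L)
#endif

/* Hypothetical build switch, not a TI or AWS option: define it only for
 * bench builds that use the certificate playground. */
#ifdef AWS_DEV_ALLOW_UNKNOWN_ROOT_CA
#define ALLOW_UNKNOWN_ROOT_CA_DEFAULT 1
#else
#define ALLOW_UNKNOWN_ROOT_CA_DEFAULT 0   /* release builds fail closed */
#endif

typedef enum {
    TLS_CONNECTED,    /* connect() reported success */
    TLS_UNVERIFIED,   /* socket is up but the server is NOT authenticated */
    TLS_REJECTED      /* caller returns NETWORK_ERR_NET_CONNECT_FAILED */
} tls_verdict_t;

/* Same mapping as getErrno() in the thread: -1 means "use errno". */
static long connect_error(long ret, int err)
{
    return (ret == -1) ? (long)err : ret;
}

tls_verdict_t classify_connect(long ret, int err, int allow_unknown_root_ca)
{
    if (ret >= 0) {
        return TLS_CONNECTED;
    }
    if (connect_error(ret, err) == SL_ERROR_BSD_ESECUNKNOWNROOTCA &&
        allow_unknown_root_ca) {
        fprintf(stderr, "WARNING: root CA unknown, server identity not "
                        "verified (development build only)\n");
        return TLS_UNVERIFIED;
    }
    return TLS_REJECTED;   /* every other error, and this one in release */
}

int main(void)
{
    tls_verdict_t v = classify_connect(SL_ERROR_BSD_ESECUNKNOWNROOTCA, 0,
                                       ALLOW_UNKNOWN_ROOT_CA_DEFAULT);
    printf("default build verdict: %d\n", (int)v);
    return 0;
}
```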