Amazon FreeRTOS to Exosite endpoint MQTT

NickNgAvnet wrote on May 20, 2019:

Hi,
Is there a way to change the default root CA and self-signed cert/key pair in order to use the source code for the STM32 IoT node over MQTT, connecting to the Exosite cloud (which in the background also uses the AWS cloud)?

I have tried to modify both the root CA and the cert, but I get an error when opening the SSL socket …

Obj->CmdData
Details:"\r
[TCP SSL] Initialize Identity failed\r
[TCP SSL] Advanced context, failed to connect\r
ERROR: Unknown Error\r
Usage: P6 <0 = Stop, 1 = Start> \r

Thanks,
Nick

Edited by: NickNgAvnet on May 19, 2019 10:28 PM

Edited by: NickNgAvnet on May 19, 2019 10:29 PM

Gaurav-Aggarwal-AWS wrote on May 20, 2019:

Hi Nick,

You can use the pcCertificate parameter of MQTTAgentConnectParams_t to change the Root CA: https://github.com/aws/amazon-freertos/blob/master/lib/include/aws_mqtt_agent.h#L147

Are you trying to use an ECDSA key pair? The Inventek WiFi module is known not to work with ECDSA, as mentioned in our Errata doc: https://github.com/aws/amazon-freertos/blob/master/tests/AFQ%20Developer%20Guide%20-%20Board%20Qualification%20Errata.pdf

If you want to use ECDSA keys, you can choose to do TLS in software at the cost of performance. Remove the project-level define USE_OFFLOAD_SSL to do TLS in software.

Thanks.

NickNgAvnet wrote on May 27, 2019:

Hi Gaurav,

Thank you for your information.
I am using RSA.
I have tried both with and without the OFFLOAD setting. It still replies with an error when opening the socket.
To be more specific, both USE_OFFLOAD_SSL settings return the same error here:
if (ret == ES_WIFI_STATUS_OK)
{
    /* P6=1: ask the Inventek module to start the client connection */
    sprintf((char*)Obj->CmdData, "P6=1\r");
    ret = AT_ExecuteCommand(Obj, Obj->CmdData, Obj->CmdData);
}
The value of ret is: ES_WIFI_STATUS_UNEXPECTED_CLOSED_SOCKET

PS: I have tested the root CA and client cert/key pair with a Raspberry Pi successfully.

boboaws wrote on June 20, 2019:

I have the same issue with a self signed root CA and device certificates, set correctly:
keyCLIENT_CERTIFICATE_PEM
keyCLIENT_PRIVATE_KEY_PEM
keyJITR_DEVICE_CERTIFICATE_AUTHORITY_PEM

I am using the latest version of FreeRTOS and the default MQTT demo with an STM32L4 B-L475E-IOT01A2 board (WiFi firmware version is C3.5.2.5.STM; the WiFi firmware is up to date).
I have 2 scenarios:

  1. Just in time provisioning - device certificate and thing don’t exist in AWS IoT Core. Root CA already registered.
  2. Device certificate and thing are active in AWS IoT Core, I used mosquitto_pub to do JITP, as explained in https://github.com/aws-samples/aws-iot-device-management-workshop/blob/master/AWS_IoT_Device_Management_Workshop.md#JITP
    The only difference is that mosquitto requires the root CA and device PEM files to be bundled together.

For both, the error is:
Details:"\r
[TCP SSL] Initialize Identity failed\r
[TCP SSL] Advanced context, failed to connect\r
ERROR: Unknown Error\r
Usage: P6 <0 = Stop, 1 = Start> \r

In es_wifi.c, ES_WIFI_StartClientConnection, line 1608.

The demo works with certificates generated directly in AWS IoT Core.
Self-signed certificates work with mosquitto_pub and the Python SDK publisher/subscriber demo.

There is also an error in iot_network_afr.c: pAfrCredentials->pRootCa is NULL; I had to set it manually in SOCKETS_SetSockOpt in _tlsSetup, line 286.

Also, the documentation is not updated for the latest FreeRTOS; see https://docs.aws.amazon.com/freertos/latest/userguide/getting_started_st.html

Please advise.

Edited by: boboaws on Jun 20, 2019 3:33 AM
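
The two checks this thread keeps circling back to (Gaurav's point that the Inventek module's offloaded TLS does not accept ECDSA, and boboaws's note that mosquitto_pub wants the root CA and device certificate bundled into one file for JITP) can be run on the PEM material before it ever goes into keyCLIENT_CERTIFICATE_PEM / keyCLIENT_PRIVATE_KEY_PEM. The script below is an added example, not code from the thread or from amazon-freertos: it generates a throwaway RSA root CA, an RSA device certificate signed by it and a self-signed ECDSA certificate (all file and subject names are assumptions, created locally so it runs offline), then reports the key algorithm, whether the private key matches the certificate, and whether the device certificate chains to the root CA.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from amazon-freertos.
# Before loading PEM material into keyCLIENT_CERTIFICATE_PEM /
# keyCLIENT_PRIVATE_KEY_PEM, check the three things this thread turns on:
# the key is RSA (the Inventek module's offloaded TLS rejects ECDSA), the
# private key matches the device certificate, and the device certificate
# chains to the root CA you intend to register. All file names and subject
# names below are assumptions; the certificates are generated locally so the
# script runs offline.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: an RSA root CA, an RSA device certificate it
# signs, and a self-signed ECDSA certificate to show the failing case.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-device" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
    -out "$WORK/device.pem" >/dev/null 2>&1
  openssl ecparam -name prime256v1 -genkey -noout \
    -out "$WORK/ecdsa.key" >/dev/null 2>&1
  openssl req -x509 -new -key "$WORK/ecdsa.key" -days 365 \
    -subj "/CN=ecdsa-device" -out "$WORK/ecdsa.pem" >/dev/null 2>&1
}

# Print the public-key algorithm of a certificate:
# "rsaEncryption" for RSA, "id-ecPublicKey" for ECDSA.
cert_key_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Succeed only if the private key ($2) belongs to the certificate ($1):
# compare the public key in the cert with the one derived from the key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed only if the device certificate ($2) verifies against the root CA ($1).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# mosquitto_pub (used for JITP in the thread) wants the device cert and the
# CA cert in one --cert file; the device cert goes first, then the CA ($1).
make_bundle() {
  cat "$2" "$1" > "$3"
}

# Run all checks for root CA $1, device cert $2, private key $3.
# Prints "ok", or the name of the first failing check (and returns 1).
check_identity() {
  alg=$(cert_key_alg "$2")
  [ "$alg" = "rsaEncryption" ] || { echo "key-alg:$alg"; return 1; }
  key_matches_cert "$2" "$3" || { echo "key-mismatch"; return 1; }
  chain_verifies "$1" "$2" || { echo "chain"; return 1; }
  echo ok
}

make_test_pki
check_identity "$WORK/root.pem" "$WORK/device.pem" "$WORK/device.key"
check_identity "$WORK/root.pem" "$WORK/ecdsa.pem" "$WORK/ecdsa.key" || true
make_bundle "$WORK/root.pem" "$WORK/device.pem" "$WORK/bundle.pem"
```

Point check_identity at your real root CA, device certificate and key (and set WORK to a directory of your choosing) before you copy the PEM strings into the demo's key header; a "key-alg:id-ecPublicKey" result means the module's TLS offload will not load the identity, and "chain" means the certificate you are about to present was not issued by the CA you registered.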

Gaurav-Aggarwal-AWS wrote on June 20, 2019:

Please see this response: https://github.com/aws/amazon-freertos/issues/687#issuecomment-504173461

Thanks.

boboaws wrote on June 21, 2019:

Thank you for your detailed response.
Based on your indications, I managed to make my second scenario work, i.e. using a self-signed device certificate that was already active in IoT Core.
The first scenario, JITP with a device certificate connecting for the first time to IoT Core, didn't work, resulting in a timeout: (MQTT connection 0x20001548, CONNECT operation 0x200016d0) Wait complete with result TIMEOUT.
I've even increased MQTT_TIMEOUT_MS to 300000, with the same result.
I don’t know where to look for logs, if any.
Thanks again for your time.

Gaurav-Aggarwal-AWS wrote on June 21, 2019:

Please see this response: https://github.com/aws/amazon-freertos/issues/687#issuecomment-504502014

Thanks.