From your pasted debug output, it appears that the TCP socket connection is succeeding, but the subsequent MQTT broker connection attempt fails. If you step through the code, is that what you see? If so, then an additional detail to determine is whether the TLS connection is succeeding before the MQTT connect fails. If so, that indicates that your client certificate is trusted by the AWS service frontend, but not by the MQTT broker backend (i.e., the certificate is not associated with a valid Thing and/or policy).
Next, assuming you’re in a lab setting, try configuring a fully permissive policy for your Thing certificate. That approach is only appropriate to help you isolate potential causes. Once you’ve narrowed down the problem, iteratively reduce the scope of the Thing certificate policy until it’s as restrictive as possible.
Next, if you don’t mind trying the AWS command-line interface, check out the debugging instructions in https://github.com/aws/amazon-freertos/blob/master/demos/common/greengrass_connectivity/README.md. Ignore the first few commands that are Greengrass-specific; start with the aws iot describe-certificate… command that’s about 3/4 of the way down the page. That, and the two commands after it, will help you double-check your Amazon FreeRTOS client certificate and policy configuration.
If you’re still stuck after the above, please post whatever additional details you discover.
About the certificates:
I see this in the console:
The interface that will be opened is set by “configNETWORK_INTERFACE_TO_USE”, which
should be defined in FreeRTOSConfig.h
Attempting to open interface number 2.
2 126 [IP-task] Starting key provisioning…
3 126 [IP-task] Write root certificate…
4 126 [IP-task] Write device private key…
5 138 [IP-task] Write device certificate…
6 148 [IP-task] Key provisioning done…
7 148 [IP-task] Creating MQTT Echo Task…
8 148 [IP-task]
Does that mean TLS is working fine?
I created a certificate, policy and attached it to a thing I created. I am testing it using the ‘test’ tab in IoT console by adding the topic to subscribe to.
I used the same certificate in the Simulator code (used the generator). As an AWS IoT noob, I am not sure if I did this right. Can you please confirm?
About the policy:
I used the fully permissive policy first before I used the one I mentioned in my original message. That did not work either.
CLI:
I am unfamiliar with AWS command-line interface yet. I will check that and get back to you again.
Also, just to clarify, I am in the corporate network. Can that be a reason why it is going wrong?
So it looks like your network stack is working. Although I don’t think the corporate network could be the issue, a quick way to verify that would be trying your mobile phone hotspot.
And maybe you’ve already verified it, but could you confirm your clientcredentialMQTT_BROKER_ENDPOINT and clientcredentialIOT_THING_NAME are both correct? They’re in demos/common/include/aws_clientcredential.h. Also, make sure the certificate is attached to the thing, and the policy is attached to the certificate.
I cannot connect directly via Hotspot because the laptop is secure too and cannot connect to other networks without a VPN.
I confirmed that clientcredentialMQTT_BROKER_ENDPOINT and clientcredentialIOT_THING_NAME are both correct. Also, AWS side certificate and policy configuration is proper and exactly as you have mentioned.
However, I have tried to put a break-point on TLS_Connect. But the code is not executed till that point. As I have mentioned in the previous message, the console says “About to close the socket” and “Socket closed”. It gracefully closes the socket before it even reaches there.
Try using mosquitto [https://mosquitto.org/download/] to publish something: mosquitto_pub -d --cafile [root certificate] --cert [your device certificate] --key [private key] -h [AWS IoT endpoint] -p 8883 -m "a test message" -t "test/topic" -q 1. This would at least tell you if you could reach AWS IoT at all. If this doesn’t work, then it could be your corporate network firewall.
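As an added diagnostic that is not part of this thread or of Amazon FreeRTOS, the script below runs from a laptop and separates the three stages the first reply describes (TCP connect, mutual TLS with the device certificate, MQTT CONNECT/CONNACK), so you can see which one fails instead of only seeing the socket close. The endpoint, file paths and client ID are placeholders you supply; it assumes port 8883 with X.509 client authentication, as in the mosquitto_pub command above.

```python
"""Stage-by-stage check of an AWS IoT MQTT connection: TCP, then mutual TLS,
then a minimal MQTT 3.1.1 CONNECT/CONNACK exchange over the TLS socket."""
import socket
import ssl
import struct


def build_connect(client_id: str, keepalive: int = 60) -> bytes:
    """Build a minimal MQTT 3.1.1 CONNECT packet (clean session, no username/password)."""
    def mqtt_str(s: str) -> bytes:
        data = s.encode("utf-8")
        return struct.pack("!H", len(data)) + data
    # Variable header: protocol name, protocol level 4, flags (clean session), keepalive.
    var = mqtt_str("MQTT") + b"\x04" + b"\x02" + struct.pack("!H", keepalive)
    body = var + mqtt_str(client_id)
    # Remaining-length field uses MQTT's 7-bits-per-byte variable-length encoding.
    length, n = b"", len(body)
    while True:
        byte, n = n % 128, n // 128
        length += bytes([byte | (0x80 if n else 0)])
        if not n:
            break
    return b"\x10" + length + body


def parse_connack(data: bytes):
    """Return the CONNACK return code (0 = accepted), or None if no CONNACK arrived."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        return None
    return data[3]


def check(endpoint, ca_file, cert_file, key_file, client_id, port=8883):
    """Attempt each stage only if the previous one succeeded; return the CONNACK code."""
    tcp = socket.create_connection((endpoint, port), timeout=10)
    print("TCP connect: ok")
    ctx = ssl.create_default_context(cafile=ca_file)      # trust the Amazon root CA
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # device certificate + key
    tls = ctx.wrap_socket(tcp, server_hostname=endpoint)
    print("TLS handshake: ok,", tls.version())
    tls.sendall(build_connect(client_id))
    rc = parse_connack(tls.recv(4))
    tls.close()
    # An empty reply (rc is None) means the broker closed the session right after
    # CONNECT: the certificate passed TLS, but the thing/policy side rejected it.
    print("MQTT CONNECT:", "accepted" if rc == 0 else f"rejected ({rc})")
    return rc
```

Call check() with your endpoint, the Amazon root CA file, the device certificate and key, and the thing name as the client ID (AWS IoT policies commonly scope iot:Connect to that client ID). A failure at the TCP stage points at the network or firewall; a failure at the TLS stage at the certificate files; a dropped session after CONNECT at the thing/policy attachment.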