Copyright © https://mongoose-os.com

Mongoose OS Forum

AWS Shadow Connect

I'm having some trouble with aws shadow implementation.
I do have my application built. I already have my certificates configured (root-ca.pem, cert.pem and key.pem).
I've tested these certificates using mosquitto_pub to send data to my AWS IoT console... And I can see the data.

However, my application is not connecting to the AWS Shadow. It has an "SSL" related failure. Could this be a config issue? See console output below:

mgos_mqtt_ev         MQTT Connect (0)
mgos_mqtt_ev         MQTT Disconnect
mqtt_global_reconnec MQTT connecting after 64940 ms
mqtt_global_connect  MQTT connecting to a1vjs5vsziz8ws.iot.us-east-1.amazonaws.com:8883
find_mount_by_path   aws-iot-1xxxxxxxx2.crt.pem -> /aws-iot-1xxxxxxxx2.crt.pem pl 1 -> 1 0x3ffefda4
mgos_vfs_open        aws-iot-1xxxxxxxx2.crt.pem 0x0 0x1b6 => 0x3ffefda4 aws-iot-1xxxxxxxx2.crt.pem 1 => 257 (refs 1)
mgos_vfs_fstat       257 => 0x3ffefda4:1 => 0 (size 1074)
mgos_vfs_fstat       257 => 0x3ffefda4:1 => 0 (size 1074)
mgos_vfs_lseek       257 0 1 => 0x3ffefda4:1 => 0
mgos_vfs_lseek       257 1024 0 => 0x3ffefda4:1 => 1024
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 50
mgos_vfs_lseek       257 0 0 => 0x3ffefda4:1 => 0
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 1024
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 50
mgos_vfs_close       257 => 0x3ffefda4:1 => 0 (refs 0)
find_mount_by_path   ecckey.key.pem -> /ecckey.key.pem pl 1 -> 1 0x3ffefda4
mgos_vfs_open        ecckey.key.pem 0x0 0x1b6 => 0x3ffefda4 ecckey.key.pem 1 => 257 (refs 1)
mgos_vfs_fstat       257 => 0x3ffefda4:1 => 0 (size 302)
mgos_vfs_fstat       257 => 0x3ffefda4:1 => 0 (size 302)
mgos_vfs_lseek       257 0 1 => 0x3ffefda4:1 => 0
mgos_vfs_lseek       257 0 0 => 0x3ffefda4:1 => 0
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 302
mgos_vfs_close       257 => 0x3ffefda4:1 => 0 (refs 0)
find_mount_by_path   aws-root-ca.pem -> /aws-root-ca.pem pl 1 -> 1 0x3ffefda4
mgos_vfs_open        aws-root-ca.pem 0x0 0x1b6 => 0x3ffefda4 aws-root-ca.pem 1 => 257 (refs 1)
mgos_vfs_close       257 => 0x3ffefda4:1 => 0 (refs 0)
ssl_socket_send      0x3fff1b2c 169 -> 169
ssl_socket_recv      0x3fff1b2c <- 5
ssl_socket_recv      0x3fff1b2c <- 1455
ssl_socket_recv      0x3fff1b2c <- 1133
find_mount_by_path   aws-root-ca.pem -> /aws-root-ca.pem pl 1 -> 1 0x3ffefda4
mgos_vfs_open        aws-root-ca.pem 0x0 0x1b6 => 0x3ffefda4 aws-root-ca.pem 1 => 257 (refs 1)
mgos_vfs_fstat       257 => 0x3ffefda4:1 => 0 (size 1758)
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 1024
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 734
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 0
mgos_vfs_close       257 => 0x3ffefda4:1 => 0 (refs 0)
SW ECDSA verify curve 3 hash_len 32 sig_len 70
find_mount_by_path   aws-root-ca.pem -> /aws-root-ca.pem pl 1 -> 1 0x3ffefda4
mgos_vfs_open        aws-root-ca.pem 0x0 0x1b6 => 0x3ffefda4 aws-root-ca.pem 1 => 257 (refs 1)
mgos_vfs_fstat       257 => 0x3ffefda4:1 => 0 (size 1758)
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 1024
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 734
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 0
mgos_vfs_close       257 => 0x3ffefda4:1 => 0 (refs 0)
find_mount_by_path   aws-root-ca.pem -> /aws-root-ca.pem pl 1 -> 1 0x3ffefda4
mgos_vfs_open        aws-root-ca.pem 0x0 0x1b6 => 0x3ffefda4 aws-root-ca.pem 1 => 257 (refs 1)
mgos_vfs_fstat       257 => 0x3ffefda4:1 => 0 (size 1758)
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 1024
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 734
mgos_vfs_read        257 1024 => 0x3ffefda4:1 => 0
mgos_vfs_close       257 => 0x3ffefda4:1 => 0 (refs 0)
mg_ssl_if_mbed_err   0x3fff1b2c SSL error: -9984
mgos_mqtt_ev         MQTT Connect (0)
mgos_mqtt_ev         MQTT Disconnect
mqtt_global_reconnec MQTT connecting after 57545 ms

Comments

  • rojer, Dublin, Ireland

    -9984 is -0x2700 which is MBEDTLS_ERR_X509_CERT_VERIFY_FAILED. paste your aws-root-ca.pem here, please

  • only1chi, Boston

    So here are the contents of the "aws-root-ca.pem" file...

  • only1chi, Boston

    I generated new certificates and that seemed to solve my problem. I am now connecting to aws IoT. I just need to configure my thing and json messages properly.

  • This was working for me at some point but it stopped. I tried generating new certs but to no avail. I get the following:

    SW ECDSA verify curve 3 hash_len 32 sig_len 70
    mg_ssl_if_mbed_err   0x3ffb3e48 SSL error: -9984
    

    Any ideas?

  • Sergey, Dublin, Ireland

    @crashgoboom that error means certificate problem, try to re-provision

  • rojer, Dublin, Ireland

    if it persists, post CA and cert here

  • CA:


    cert:

  • rojer, Dublin, Ireland

    AWS actually has two server certs - RSA and ECDSA, signed with different roots.
    the problem is you're using RSA certificate, but server picks ECDSA one to present, and that is signed by a different root, so verification fails.
    you can find both roots here. for maximum compatibility, put them both into the same file, mOS will pick the right one to use depending on which cert AWS presents.

    btw, you are obviously not using mos aws-iot-setup (since it knows about this and picks the right root to use). why not?

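The point rojer makes above is that the CA file on the device has to carry both AWS roots, the RSA one and the ECDSA one. As an added example (not Mongoose OS code and not from anyone in this thread), the Python below checks a PEM bundle for exactly that: it walks just enough DER to read each certificate's outer signature-algorithm OID and reports whether both an RSA and an ECDSA root are present. The two sample bundles are constructed stand-ins with empty bodies, not real AWS roots; point `bundle_covers_aws` at the contents of a real aws-root-ca.pem to check the device's file.

```python
import base64
import re
# Signature-algorithm OIDs (RFC 3279 / RFC 5758) seen on TLS roots.
SIG_OIDS = {"1.2.840.113549.1.1.5": "RSA", "1.2.840.113549.1.1.11": "RSA",
            "1.2.840.113549.1.1.12": "RSA", "1.2.840.10045.4.3.2": "ECDSA",
            "1.2.840.10045.4.3.3": "ECDSA"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(der, pos):
    """Read one DER tag+length at pos; return (tag, value_start, value_end)."""
    tag, n, pos = der[pos], der[pos + 1], pos + 2
    if n & 0x80:  # long form: the next (n & 0x7F) bytes carry the length
        k = n & 0x7F
        n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_family(der):
    """Key family of the outer signatureAlgorithm of one DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    A self-signed root signs with its own key, so this reveals the root's key type."""
    _, pos, _ = _tlv(der, 0)          # enter the outer Certificate SEQUENCE
    _, _, pos = _tlv(der, pos)        # skip over tbsCertificate
    _, pos, _ = _tlv(der, pos)        # enter the AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, pos)  # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(der[start:end])
    return SIG_OIDS.get(oid, "unknown:" + oid)

def bundle_families(pem_text):
    """Family of every CERTIFICATE block in a PEM bundle, in file order."""
    return [signature_family(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]

def bundle_covers_aws(pem_text):
    """True only if the bundle holds both an RSA root and an ECDSA root."""
    return {"RSA", "ECDSA"} <= set(bundle_families(pem_text))
# Constructed stand-ins, not real AWS roots: empty tbsCertificate, genuine OIDs.
def _fake_cert_pem(oid):
    alg = b"\x30" + bytes([len(oid) + 2, 0x06, len(oid)]) + oid
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    der = b"\x30" + bytes([len(body)]) + body
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

RSA_ONLY_BUNDLE = _fake_cert_pem(bytes.fromhex("2a864886f70d010105"))  # sha1WithRSAEncryption
BOTH_ROOTS_BUNDLE = RSA_ONLY_BUNDLE + _fake_cert_pem(bytes.fromhex("2a8648ce3d040302"))  # + ecdsa-with-SHA256
```

An RSA-only bundle is the failure mode in this thread: the server may present its ECDSA chain, and nothing in the file can verify it, which surfaces as -0x2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED).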
  • Just tried using aws-iot-setup on a device with fw that I was able to get the wifi setup on, and I get:

    Wrote private key to aws-iot-c56f20043b.key.pem
    Wrote certificate to aws-iot-c56f20043b.crt.pem
    Attaching policy "test-thing-pol" to the certificate...
    Attaching the certificate to "esp32_00C4A8"...
    Uploading certificate...
    Uploading key...
    Error: failed to upload aws-iot-c56f20043b.key.pem: (400) failed to open file "aws-iot-c56f20043b.key.pem"
    

    Any ideas?

  • Sergey, Dublin, Ireland

    I've seen such things when many file ops are done with the device, seems like a garbage collection problem with SPIFFS.
    try to reflash the device (in order to reformat the file system) and re-provision again.

  • edited July 13

    Hi, I am facing the same issue. My application is not connecting to the AWS Shadow.
    Below is the console output.

  • rojer, Dublin, Ireland

    -26752 is #define MBEDTLS_ERR_SSL_WANT_WRITE -0x6880 /**< Connection requires a write call. */
    for some reason, we are not able to send the data. how much are you trying to send?

  • edited July 13

    I am trying to send data from three sensors.
    Probably 1000 bytes of data

  • rojer, Dublin, Ireland

    hm. what i see is 754 bytes sent and then 1053 bytes not being able to send. why so much, i wonder.
    can you set debug.mg_mgr_hexdump_file=-- please? this should dump all the data being sent and received to the terminal.

  • edited July 13

    I set "debug.mg_mgr_hexdump_file=--" and it is the same error. Below is the console output.

  • rojer, Dublin, Ireland

    ok, i see it now. it gets into the logging loop, where it logs log output produced while logging output. is your debug.level at 3? lower it to 2 or disable mqtt logging by setting debug.stderr_topic to empty string.

  • edited July 13

    If I set the debug.level to 2, I am not able to read the value from temperature and update the sensor value to the cloud. It gets updated only once.
    And when I try it the other way, by disabling the mqtt logging, I am able to read correct data from the sensors, but the sensor value doesn't get updated.

  • rojer, Dublin, Ireland

    something else must be logging to mqtt, maybe via stdout. set debug.stdout_topic= as well.

    however, it's surprising to me that you can't read sensor without debug on. suggests some sort of a timing issue. which sensor are you using? can you show the relevant part of code where you're reading it?

  • I still can't update the value in the cloud.
    I am using Si7006 A20 I2C temperature and humidity sensor. here is the code.

  • rojer, Dublin, Ireland

    i... sorry, i have no idea. your code seems totally fine to me, but so does our I2C implementation - it works with other devices with no problems.
    if you could capture bad exchange on logic analyzer, that would probably tell us what's wrong.

  • rojer, Dublin, Ireland

    btw, which pins do you use for i2c?

  • ["i2c.sda_gpio", 4]
    ["i2c.scl_gpio", 5]
    These are the two pins I am using for I2C

  • rojer, Dublin, Ireland

    do you use external pull-up resistors?

  • No, we don't have any. We have an internal pull-up resistor of 4.7ohm.

  • rojer, Dublin, Ireland

    well, as long as you have pull-ups, it's fine.
    anyway, GPIO 4 and 5 are the only two that do not have on-chip pull-ups. our I2C code enables pull-ups when they are available, but on gpio 4 and 5 there are no pull-ups. so we usually use GPIO 12 and 14 instead.
    can you try GPIO 12 and 14?

  • I can try by changing the pins.

    When I set the logs to empty string, I am able to read the sensor data and send it to AWS IoT, but it's not getting updated. What might be the reason for this?

  • rojer, Dublin, Ireland
    edited July 14

    ok, what do you mean by "not getting updated"?

  • When I report the sensor data to AWS IoT, I can see the sensor values in shadow document.
    But after that, when I try to verify the light sensor reading by increasing the light on the sensor (using a flashlight), that value doesn't get reported to the cloud. I mean the sensor value is reported only once in the cloud.

  • rojer, Dublin, Ireland

    ok, at this point it's impossible to tell what's wrong without seeing full code of the app.

  • In regard to GPIO 4 and 5 not having the pull up resistors, I found this article.
    https://blog.falafel.com/programming-gpio-on-the-esp8266-with-nodemcu/
