Copyright © https://mongoose-os.com

Mongoose OS Forum

Nodemcu not getting connected to AWS - IOT MQTT

@Sergey Lyubka - I am following the sample code from https://github.com/cesanta/mongoose-os/tree/master/fw/examples/c_mqtt.

I am using NodeMCU and have connected it to ATCRYPTOAUTH-XPRO. I have followed https://mongoose-iot.com/blog/mongoose-esp8266-atecc508-aws/ for the wiring instruction for ATCRYPTOAUTH-XPRO

I have connected the device to aws-iot. When I start the console, I cannot see any sub message entry. The device is connecting to MQTT and disconnecting immediately. Here is the console output. Could you please help me in resolving this problem?

    mgos_wifi_on_change_cb WiFi: ready, IP xxx.xxx.0.xxx
    mqtt_global_connect  MQTT connecting to xxxxxxxxxxx.iot.eu-west-1.amazonaws.com:8883
    mgos_mdns_hal_join_group Joining multicast group 224.0.0.251
    mongoose_poll        New heap free LWM: 31216
    SW ECDSA verify curve 3 hash_len 32 sig_len 72
    SW ECDSA verify curve 3 hash_len 32 sig_len 70
    ATCA is not available (-20096), using sw ECDH
    mongoose_poll        New heap free LWM: 18344
    pm open,type:2 0
    ev_handler           MQTT Connect (1)
    ev_handler           MQTT Disconnect

Comments

  • rojer Dublin, Ireland

    do you have a valid policy attached to your cert?
    this is the most common cause of this.

  • rojer Dublin, Ireland

    also, according to the log you posted, crypto chip is not used (ATCA is not available). you need to enable it. add --use-atca to your aws-iot-setup command.

  • @rojer said:
    also, according to the log you posted, crypto chip is not used (ATCA is not available). you need to enable it. add --use-atca to your aws-iot-setup command.

    Thank you @rojer. Is there documentation which lists all the possible flags for the mos tool? I will enable the atca flag and share the outcome.

  • @rojer : The tool is able to recognise the crypto device. However, it is not able to generate the private key on the device. I am getting the following output from the "mos aws-iot-setup --port com3 --aws-iot-policy=arc-home-auto --use-atca" command

    mos aws-iot-setup --port com3 --aws-iot-policy=arc-home-auto --use-atca --verbose

    AWS region: eu-west-1
    Connecting to the device...
    Current MQTT config: {
      "clean_session": true,
      "keep_alive": 60,
      "pub": "bb",
      "reconnect_timeout_max": 60,
      "reconnect_timeout_min": 10,
      "server": "xxxxxxxxxxxx.iot.xx-xxx-1.amazonaws.com:8883",
      "ssl_ca_cert": "ca-verisign-ecc-g2.crt.pem",
      "ssl_cert": "aws-iot-xxzzxxxz.crt.pem",
      "ssl_key": "aws-iot-xxzzxxxz.key.pem",
      "sub": "aa",
      "will_message": "",
      "will_topic": ""
    }
    Generating certificate request, CN: mos-dddsddssdd
    AECC508A rev dsdsdsds S/N ccsdswrdsds, config is unlocked, data is unlocked
    Generating new private key in slot 0
    Error: failed to generate certificate: failed to generate private key in slot 0: (500) Failed generate key on slot 0: 0xf4
  • @Sergey Lyubka : Hi please help me in resolving this issue..

    AECC508A rev dsdsdsds S/N ccsdswrdsds, config is unlocked, data is unlocked
    Generating new private key in slot 0
    Error: failed to generate certificate: failed to generate private key in slot 0: (500) Failed generate key on slot 0: 0xf4
  • rojer Dublin, Ireland

    config is unlocked, data is unlocked

    @rushiamit chip's configuration needs to be set first and both config and data zones locked.

    here's an example config you can use for tests: atca-test-config.yaml

    to set it, use extended mos commands:

    mos -X atca-set-config --port=/dev/ttyUSB0 atca-aws-test.yaml --dry-run=false
    mos -X atca-lock-zone --port=/dev/ttyUSB0 config --dry-run=false
    mos -X atca-lock-zone --port=/dev/ttyUSB0 data --dry-run=false
    

    note: these changes are irreversible: once locked, zones cannot be unlocked anymore.
    note2: this config is very permissive and only suitable for testing, NOT for production deployments. you will need to consult Microchip's manual and other documentation to come up with more secure configuration (we may be able to assist with that too).

    after that, aws-iot-setup should start working.

  • @rojer : You are awesome :) I am able to connect to aws and can see sub topics. I must say that mos tool has a lot of hidden tricks.

  • dlobato Portugal

    Hi,

    I just came here with the same problem, and before I lock my device (ATCRYPTOAUTH-XPRO) I was wondering if you could give a very brief explanation on what's going on with the test config and why you say it is not production ready (I don't have access to the chip docs).

    Thanks in advance!

    David.
    PS: Thank you very much for mongoose-os, great software!!

  • rojer Dublin, Ireland

    pretty much what it says in the comment: the symmetric key that allows rewriting of the ECC keys can itself be reset at will, thus offering no protection.
    it is required because chip won't accept unencrypted writes to key slots once data zone is locked, but it is made resettable so that if it's lost, you don't lose ability to write arbitrary keys. this is useful for testing.
    this is the result of having writeconfig: 0 on slot 4, which means any writes are allowed. full explanation of various config fields is available in full datasheet, which you can get from microchip (under NDA).
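
The weakness described in the comment above (ECC key slots whose encrypted writes are authorized by a symmetric key in a slot that itself has writeconfig 0) can be checked before locking. This is an added example, not part of the thread or of the mos tool: the function names and the SlotConfig words are constructed, and the bit positions are assumed from the SlotConfig masks in Microchip's public CryptoAuthLib headers.

```python
# Constructed sample SlotConfig words (slot number -> 16-bit value), not read
# from a real chip and not taken from the thread's YAML file.
PERMISSIVE = {0: 0x6487, 4: 0x048F}   # slot 4: WriteConfig = 0 (any write allowed)
WRITE_NEVER = {0: 0x6487, 4: 0x848F}  # same layout, slot 4: WriteConfig = 0b1000


def decode(word):
    """Extract the SlotConfig fields that govern write protection."""
    return {
        "is_secret": bool(word & 0x0080),    # bit 7
        "write_key": (word >> 8) & 0xF,      # bits 8-11: slot holding the write key
        "write_config": (word >> 12) & 0xF,  # bits 12-15
    }


def write_policy(write_config):
    """Classify the WriteConfig nibble (bit 14 also gates encrypted PrivWrite)."""
    if write_config == 0b0000:
        return "always"
    if write_config == 0b0001:
        return "pubinvalid"
    if write_config & 0b0100:
        return "encrypt"
    return "never"


def audit(slots):
    """Return (slot, reason) findings for write protection that protects nothing."""
    decoded = {num: decode(word) for num, word in slots.items()}
    findings = []
    for num, cfg in sorted(decoded.items()):
        policy = write_policy(cfg["write_config"])
        if cfg["is_secret"] and policy == "always":
            findings.append((num, "secret slot accepts clear-text writes"))
        if policy == "encrypt" and cfg["write_key"] != num:
            parent = decoded.get(cfg["write_key"])
            if parent is None:
                findings.append((num, f"write key slot {cfg['write_key']} not supplied"))
            elif write_policy(parent["write_config"]) == "always":
                findings.append((num, f"write key in slot {cfg['write_key']} can be reset at will"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("write-never", WRITE_NEVER)):
        print(name, audit(cfg))
```
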

  • dlobato Portugal

    @rojer thank you very much!

    I've just requested the datasheet, but so far that config works for me.

  • rojer Dublin, Ireland

    i believe microchip also has a pointy-and-clicky GUI tool for this, though i've never used it.
