Home/Support/Support Forum/Problems Connecting to AWS IOT using Micropython

Problems Connecting to AWS IOT using Micropython

0 votes
There have been a number of threads concerning this topic which I have read through. Unfortunately, none of them deal with the specific issue I am experiencing.

The board I'm using is the Digi XBee Cellular LTE Cat 1 Development Kit and I have created a thing, attached a policy and downloaded / renamed the certificate files as described in the Digi Micropython Programming Guide. The policy attached to the thing grants all the privileges described in the Guide.

I've tested the certificates with the Python 3 script (aws_https_pc.py) described in the Guide and get the expected response.

However, after I upload the three files (/flash/cert/aws.key, /flash/cert/aws.crt, /flash/cert/aws.ca) with the File system Manger tool, copy and paste the Micropython version of the "test connection" code with my parameters and run with CTRL+D, I receive an ETIMEDOUT error. This occurs using both destination ports 8443 and 8883.

I notice in previous threads that users have been having problems with ECONNREFUSED errors, indicating that the server is rejecting the connection attempt. In my case, it appears that a connection is not even being attempted.

Several other points:

a. I've tried using AWS endpoints both with and without the "-ats" suffix and get the same results.

b. I can connect successfully to the AWS MQTT broker using a Python 3 script running on my PC and also using Node-Red.

c. The Digi board successfully connects to a broker I've set up on my company's server using Mosquitto.

Any help with this issue will be greatly appreciated.
asked Jul 19 in MicroPython by yosh New to the Community (0 points)

Please log in or register to answer this question.

1 Answer

0 votes
Hi there.

It turns out that in order to use AWS IoT with the XBee Cellular Cat 1 (with the "-ats" endpoint), you must use the Starfield certificate which can be found here: https://ssl-ccp.secureserver.net/repository/sf-class2-root.crt

(Note: This certificate has the same subject key identifier as the actual _root_ certificate presented by AWS. It turns out the "Starfield Root CA" on Amazon's website is not _the_ root certificate.)

Hope this helps!
answered Jul 26 by tckr Seasoned Professional (230 points)
@tckr
Thanks for your help.
First of all, I have to apologize to you because it appears that the modem I've been using is an LTE-M module rather than a CAT-1.
Anyway, it looks as though we had a rather old version of firmware installed. ATVR returned "1140B" and ATMV returned "L0.0.00.00.05.06 [Feb 03 2018 13:00:41]" when I first checked them. After a couple of false starts, I did manage to update the firmware to the latest version (11412). However, I see no change when I try to connect to the AWS endpoint (with either the original root certificate or the one you directed me to).
Do you still get an ETIMEDOUT error? If so, that would seem to indicate that the AWS endpoint is in fact unreachable from your XBee, and not something wrong with the certificates, etc.

Can you check that ATLA<endpoint> returns a valid IP address? For example, ATLA ABCDEFG1234567-ats.iot.us-east-1.amazonaws.com.

If you are running the MQTT example code, make sure it is using port 8883. If using the HTTPS example code (accessing the shadow), then 8443.

You might also want to try a plain TCP connection to the endpoint, to see if it is in fact reachable.

[code]
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ENDPOINT, 8883))
[/code]

Also, are you using the SIM card that came with the Digi development kit, or your own SIM card?
@tckr

Thanks again for your help. Sorry it took awhile to get back to you.

I'm still seeing ETIMEDOUT errors when trying to connect. However, I also see ENXIO errors and the occasional ENFILE error.

The ATLA command does return a valid IP address.

I also tried running the sample code you provided. This returns an ETIMEDOUT error.

I'm currently using a SIM card from Hologram. I've also been wondering recently if this might be an issue.

Thanks again.
At this point I would suggest you get in touch with Hologram's customer/technical support and see if they can shed any light on what is going on.

The fact that you still get ETIMEDOUT doing just a simple TCP connection (not TLS) to AWS IoT tells me that you are unable to make a connection to AWS IoT. Since you say you are able to use the XBee to talk to other servers, it seems unlikely that this is an issue with the XBee itself; if you were also unable to communicate to your own server, that would indicate a different issue.
@tckr

I hope you're still around -- sorry I didn't get back to you sooner.

I was able to test a SIM card from a different provider. When I try to connect to the AWS IOT MQTT server with this SIM, I get an EIO error rather than an ETIMEDOUT error.

I also tried running the sample code that you provided to create a plain TCP connection. This now appears to work -- I no longer see an ETIMEDOUT error.

So it appears that with this second SIM, we've traded an ETIMEDOUT error for an EIO error.

Thanks again.
...