My apologies - enableTls returns an int but connect returns a bool. So if you are seeing a 0, it means that it is in fact unable to connect at the connection call. If enableTls is returning 0 before this (aka succeeding), it means that you likely have a permissions problem.
You can get the error code for the connection attempt by enabling debug output in MQTT-TLS.h:
Make sure debug_tls is defined as below (just copy and paste this below the section where it is currently defined).
This will give debug output from the ssl handshake result and a few other things. I don't want to take over this thread so feel free to PM me the result and we can follow up on this thread once we've figured it all out.
I've been banging my head trying to get something working with this for a while.
I've temporarily set up a policy that has IoT Full access, attached it to the certificate, and then configured the sample code to connect and publish to an AWS MQTT channel - but it just plain doesn't work for me. I've recreated certs, I've even swapped out every possible variation of the AWS root cert CA, still nothing happening.
I tried adding the debug_tls stuff to the MQTT-TLS.h file, but it didn't seem to add any debug information.
The client.enableTls succeeds (but I think this just means that it checks my certs are formatted properly) but the connection itself always fails.
The device connects to the spark cloud just fine before it's even trying to enable tls, so I know the wifi is working.
Any ideas? I assume that other people have this working? (I'm on version=0.2.20 of the mqtt-tls library, if it makes a difference.)
The debug you are looking for would specifically be the results of each step of the handshake. There is always an error code somewhere, and that is usually returned by the ssl handshake.
If you aren't seeing debug Serial print lines, you haven't configured the debug printing properly. To make sure it's configured, just stick this at the top of MQTT-TLS.cpp:
Or just do a find-and-replace of debug_tls with Serial.printf.
The code that says "handshake done, ret = " will be the code that contains the error in most cases. The step it fails on and the way it fails should tell you what is going wrong.
Most of the time the error is on the configuration and permissions side. Usually worth making sure you have an AWS Thing set up with a name equal to the client id you are using to connect. While not strictly necessary, this may help rule out some possible causes. Also make sure that the certificate itself is in the "Active" state, and attached to that Thing.
I always use Amazon Root CA 1 (RSA 2048 bit key) and it works fine for me. Double check that your endpoint domain and port (8883) are correctly configured.
Are you going through a firewall? Port 8883 may not be opened in the firewall security policy as it isnāt commonly used for normal web traffic.
You can use mqtt.fx (https://mqttfx.jensd.de) running on your mac/pc to check your device credentials - just to make sure you didn't make copy/paste errors.
Additionally, the TLS library is very RAM hungry when it starts up; running on a P1 with 10K fails to make the connection to AWS but having > 14K RAM free works fine (with my config, may be different for you). That isn't to say that the TLS lib needs 10K+ permanently; it needs this mostly during startup. So make sure that connecting to AWS-iot is one of the first things you do during startup and your own app RAM requirements are delayed till that connection is made successfully. Secondly, if the AWS-iot connection breaks for some reason later on, make enough RAM available before reconnecting. In some cases it is easier to reset your device than to build all this dynamic alloc/dealloc behavior.
Thanks for all the suggestions, in the end I got the Argon to work with its additional memory. I found also that you have to use the legacy CA from AWS, as the other CA certs won't work for me.
I follow the example above then compile and flash to Argon 1.3.0-rc.1 without error but when I publish message "RED" with "inTopic/message" in AWS, it does not work (LED color not change).
Does anyone know how to verify it? Thanks!
The certificate I use:
AMAZON_IOT_ROOT_CA_PEM = root-CA.crt
CELINT_KEY_CRT_PEM = AWS_Argon.cert.pem
CELINT_KEY_PEM = AWS_Argon.private.key
Iām using MQTT-TLS successfully on Boron LTE. The certificates can be tricky to get set up. Mainly the Root CA, since Amazon publishes multiple certificates, but only one typically works.
mbedTLS in MQTT support RSA 2048/4096, ECC 256/384(but enable ECC options in config.h).
If some trouble with AWS Root CA, I think itās better that trying to check the AWS IoT gateway with other MQTT commands(like a mosquitto_pub/sub) for RootCA compatibility.
Once I used the rootCA issued to me by AWS for use in my region, the sample code for the project worked perfectly. Perhaps remove the root CA from the sample as for some of us it prevents the example from working.
Also, worth pointing out that you should check the certificate policy if you are having issues with connecting, or publishing and subscribing to topics. The client ID you specify needs to be allowed by policy to do the things you are trying to do.
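As an added example (not code from the thread or from the MQTT-TLS library), the following script evaluates an AWS IoT policy the way the broker does for the three operations a device in this thread needs: iot:Connect against its client ARN, iot:Publish against a topic ARN, and iot:Subscribe against a topic-filter ARN. Explicit Deny wins, anything unmatched is denied, and the policy variable `${iot:ClientId}` is substituted with the client ID. The policy, region and account number are constructed placeholders, and the function names (`is_allowed`, `check_device`, `arn`) are this example's own.

```python
import fnmatch
import json

# Constructed AWS IoT policy for illustration (not a real account): it scopes
# Connect to the device's own client ID and Publish/Subscribe to inTopic/...
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:ClientId}"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": "arn:aws:iot:us-east-1:123456789012:topic/inTopic/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/inTopic/*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Policy wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource, client_id):
    """Evaluate a policy document: a matching Deny statement wins immediately,
    a matching Allow sets the decision, no match at all means denied."""
    decision = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = [r.replace("${iot:ClientId}", client_id)
                     for r in _as_list(stmt["Resource"])]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def arn(kind, name, region="us-east-1", account="123456789012"):
    """Build an AWS IoT resource ARN (placeholder region/account by default)."""
    return f"arn:aws:iot:{region}:{account}:{kind}/{name}"


def check_device(policy, client_id, publish_topic, subscribe_filter):
    """The three checks a device must pass for the connect/publish/subscribe
    flow: note that Subscribe is checked against a topicfilter ARN, not topic."""
    return {
        "connect": is_allowed(policy, "iot:Connect",
                              arn("client", client_id), client_id),
        "publish": is_allowed(policy, "iot:Publish",
                              arn("topic", publish_topic), client_id),
        "subscribe": is_allowed(policy, "iot:Subscribe",
                                arn("topicfilter", subscribe_filter), client_id),
    }


if __name__ == "__main__":
    # A client ID that the policy's client/${iot:ClientId} resource binds to.
    print(check_device(SAMPLE_POLICY, "AWS_Argon", "inTopic/message", "inTopic/#"))
    # Publishing outside inTopic/ is not covered by any Allow statement.
    print(is_allowed(SAMPLE_POLICY, "iot:Publish",
                     arn("topic", "otherTopic/x"), "AWS_Argon"))
```

A policy with `"Action": "iot:*"` and `"Resource": "*"` (the IoT full-access style mentioned earlier in the thread) passes every check, so if a device still cannot connect under such a policy the problem is not the policy but the certificate, its Active state, or the endpoint.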
This is likely the source of your problem. You appear to have downloaded the public key from AWS instead of the certificate. If you don't have a copy, create a new certificate and download again, this time using the certificate as per this picture:
Also consider fixing the typo of "CELINT_KEY..." instead of "CLIENT_KEY...". It's not the source of the problem but will prevent future confusion (I know it's in the sample code).
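The mix-up above (the AWS-issued public key pasted where the device certificate belongs) is easy to catch before flashing, because the three files differ in their PEM labels. The script below is an added example, not code from the thread or from the MQTT-TLS library: it classifies each PEM blob by its BEGIN/END label, checks that the body is valid base64 wrapping a DER SEQUENCE, and reports any of the three MQTT-TLS constants that holds the wrong kind of material. The PEM blobs it runs on are constructed stand-ins built at runtime, not real keys or certificates, and the function names (`classify_pem`, `check_materials`) are this example's own.

```python
import base64
import binascii
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Labels AWS IoT produces when a certificate is created. The public-key file
# is what MQTT-TLS must NOT be given in place of the certificate.
LABEL_KIND = {
    "CERTIFICATE": "certificate",
    "PUBLIC KEY": "public key",
    "RSA PRIVATE KEY": "private key",
    "PRIVATE KEY": "private key",
    "EC PRIVATE KEY": "private key",
}


def classify_pem(text):
    """Return 'certificate', 'public key', 'private key', 'unknown', or
    'invalid' when the text is not well-formed PEM around a DER SEQUENCE."""
    m = PEM_RE.search(text)
    if not m:
        return "invalid"
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    # X.509 certificates and PKCS#1/#8 keys all start with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        return "invalid"
    return LABEL_KIND.get(m.group("label"), "unknown")


def check_materials(root_ca, client_cert, client_key):
    """Check the three PEM strings handed to MQTT-TLS; return a list of problems
    (empty when each constant holds the kind of material its name implies)."""
    expected = [
        ("AMAZON_IOT_ROOT_CA_PEM", root_ca, "certificate"),
        ("CLIENT_KEY_CRT_PEM", client_cert, "certificate"),
        ("CLIENT_KEY_PEM", client_key, "private key"),
    ]
    problems = []
    for name, pem, want in expected:
        got = classify_pem(pem)
        if got != want:
            problems.append(f"{name}: expected a {want}, got {got}")
    return problems


def _constructed_pem(label, der):
    """Wrap constructed DER bytes in PEM armor (sample input only)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-ins: a minimal DER SEQUENCE { INTEGER 0 } satisfies the
# structural check; real certificates and keys are far longer.
_STUB_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_ROOT_CA = _constructed_pem("CERTIFICATE", _STUB_DER)
SAMPLE_CLIENT_CERT = _constructed_pem("CERTIFICATE", _STUB_DER)
SAMPLE_PUBLIC_KEY = _constructed_pem("PUBLIC KEY", _STUB_DER)
SAMPLE_PRIVATE_KEY = _constructed_pem("RSA PRIVATE KEY", _STUB_DER)

if __name__ == "__main__":
    # The mistake from the thread: the public key where the certificate belongs.
    for problem in check_materials(SAMPLE_ROOT_CA, SAMPLE_PUBLIC_KEY, SAMPLE_PRIVATE_KEY):
        print("problem:", problem)
```

To use it on real files, read each .pem/.crt/.key into a string and pass the three strings to `check_materials`; the check is purely structural and does not verify that the certificate was actually issued for the private key, so a handshake test with mqtt.fx or mosquitto_pub remains the final confirmation.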
Yup, that was it! It's funny, that was just leftover from another test/example I was doing. I actually was using my cert there - just didn't change the header!
You are going to need to post some code or provide more detail - my crystal ball is cloudy today..... Serial output is not on by default - so we need to know what has enabled it and then can perhaps get to the bottom of the issue?