
Problems Connecting to AWS IOT using Micropython

0 votes
There have been a number of threads concerning this topic which I have read through. Unfortunately, none of them deal with the specific issue I am experiencing.

The board I'm using is the Digi XBee Cellular LTE Cat 1 Development Kit and I have created a thing, attached a policy and downloaded / renamed the certificate files as described in the Digi Micropython Programming Guide. The policy attached to the thing grants all the privileges described in the Guide.

I've tested the certificates with the Python 3 script (aws_https_pc.py) described in the Guide and get the expected response.

However, after I upload the three files (/flash/cert/aws.key, /flash/cert/aws.crt, /flash/cert/aws.ca) with the File System Manager tool, copy and paste the Micropython version of the "test connection" code with my parameters and run with CTRL+D, I receive an ETIMEDOUT error. This occurs using both destination ports 8443 and 8883.

I notice in previous threads that users have been having problems with ECONNREFUSED errors, indicating that the server is rejecting the connection attempt. In my case, it appears that a connection is not even being attempted.

Several other points:

a. I've tried using AWS endpoints both with and without the "-ats" suffix and get the same results.

b. I can connect successfully to the AWS MQTT broker using a Python 3 script running on my PC and also using Node-Red.

c. The Digi board successfully connects to a broker I've set up on my company's server using Mosquitto.

Any help with this issue will be greatly appreciated.
asked Jul 19, 2019 in MicroPython by yosh New to the Community (0 points)


1 Answer

0 votes
Hi there.

It turns out that in order to use AWS IoT with the XBee Cellular Cat 1 (with the "-ats" endpoint), you must use the Starfield certificate which can be found here: https://ssl-ccp.secureserver.net/repository/sf-class2-root.crt

(Note: This certificate has the same subject key identifier as the actual _root_ certificate presented by AWS. It turns out the "Starfield Root CA" on Amazon's website is not _the_ root certificate.)

Hope this helps!
answered Jul 26, 2019 by tckr Veteran of the Digi Community (514 points)

Do you still get an ETIMEDOUT error? If so, that would seem to indicate that the AWS endpoint is in fact unreachable from your XBee, and not something wrong with the certificates, etc.

Can you check that ATLA<endpoint> returns a valid IP address? For example, ATLA ABCDEFG1234567-ats.iot.us-east-1.amazonaws.com.

If you are running the MQTT example code, make sure it is using port 8883. If using the HTTPS example code (accessing the shadow), then 8443.

You might also want to try a plain TCP connection to the endpoint, to see if it is in fact reachable.

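import socket
# Placeholder endpoint from the ATLA example above; substitute your own.
ENDPOINT = "ABCDEFG1234567-ats.iot.us-east-1.amazonaws.com"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ENDPOINT, 8883))  # plain TCP, no TLS; raises OSError (e.g. ETIMEDOUT) if unreachable
s.close()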

Also, are you using the SIM card that came with the Digi development kit, or your own SIM card?

Thanks again for your help. Sorry it took a while to get back to you.

I'm still seeing ETIMEDOUT errors when trying to connect. However, I also see ENXIO errors and the occasional ENFILE error.

The ATLA command does return a valid IP address.

I also tried running the sample code you provided. This returns an ETIMEDOUT error.

I'm currently using a SIM card from Hologram. I've also been wondering recently if this might be an issue.

Thanks again.

At this point I would suggest you get in touch with Hologram's customer/technical support and see if they can shed any light on what is going on.

The fact that you still get ETIMEDOUT doing just a simple TCP connection (not TLS) to AWS IoT tells me that you are unable to make a connection to AWS IoT. Since you say you are able to use the XBee to talk to other servers, it seems unlikely that this is an issue with the XBee itself; if you were also unable to communicate to your own server, that would indicate a different issue.

I hope you're still around -- sorry I didn't get back to you sooner.

I was able to test a SIM card from a different provider. When I try to connect to the AWS IOT MQTT server with this SIM, I get an EIO error rather than an ETIMEDOUT error.

I also tried running the sample code that you provided to create a plain TCP connection. This now appears to work -- I no longer see an ETIMEDOUT error.

So it appears that with this second SIM, we've traded an ETIMEDOUT error for an EIO error.

Thanks again.

The link you provided in your first comment to the CA works for me with the -ats endpoint as of today on a Cat 1 board. Digi docs also had the correct one to use, but there were a lot of options. I initially had the connection refused issue error, but they seemed to work themselves out with both time and using the example code from the PyCharm plugin. I also received the ENXIO error if I tried to remove the -ats.
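
The layer-by-layer triage used in this thread (name resolution, then plain TCP, then TLS against a single CA file) can be run from a PC as one script. This is an added example, not part of the original posts and not Digi's code; it targets CPython 3 rather than the XBee, and `probe`, `HINTS`, and the local file names `aws.ca`, `aws.crt`, `aws.key` are assumptions.

```python
import errno
import socket
import ssl

# What each failing stage points to, following the reasoning in the thread.
HINTS = {
    "dns": "name did not resolve (on the XBee, ATLA would not return an IP)",
    "tcp": "no TCP connection; a network/SIM path issue, certificates not yet used",
    "tls-verify": "server chain does not validate against ca_file; check the root CA",
    "tls": "TCP connected but the TLS handshake failed for another reason",
    "ok": "this layer works",
}

def probe(host, port, ca_file=None, cert=None, key=None, timeout=10.0):
    """Test DNS, then plain TCP, then TLS; return (stage, detail) of first failure."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as e:
        return ("dns", str(e))
    try:
        sock = socket.create_connection(addr, timeout=timeout)
    except socket.timeout:
        return ("tcp", "ETIMEDOUT")
    except OSError as e:
        return ("tcp", errno.errorcode.get(e.errno, str(e)))
    with sock:
        if ca_file is None:
            return ("ok", "tcp only")  # same check as the plain-socket snippet
        # With cafile given, only that file is trusted (no system roots),
        # which mirrors a device that holds a single CA file.
        ctx = ssl.create_default_context(cafile=ca_file)
        if cert:
            ctx.load_cert_chain(cert, key)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.version())
        except ssl.SSLCertVerificationError as e:
            return ("tls-verify", e.verify_message)
        except (ssl.SSLError, OSError) as e:
            return ("tls", str(e))

if __name__ == "__main__":
    # Placeholder endpoint from the thread; file names are assumed local copies.
    host = "ABCDEFG1234567-ats.iot.us-east-1.amazonaws.com"
    for args in [(host, 8883), (host, 8883, "aws.ca", "aws.crt", "aws.key")]:
        stage, detail = probe(*args)
        print(args[1], stage, detail, "->", HINTS[stage])
```

A `tcp` result on the first call means the certificates have not been exercised at all, while `tls-verify` on the second call isolates the CA file as the problem.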