botletics / SIM7000-LTE-Shield

Botletics SIM7000 LTE CAT-M1/NB-IoT Shield for Arduino
https://www.botletics.com/products/sim7000-shield
GNU General Public License v3.0

Do you have Amazon AWS Tutorial..? #58

Open kittinook opened 5 years ago

kittinook commented 5 years ago

Hi, I'm interested in this board. Do you have an example of communication between the board and the AWS IoT cloud?

mrbacani commented 10 months ago

The AT command sequence I use to connect is this:

AT+CSQ
AT+CFUN=0
AT+CGDCONT=1,"IP","hologram"
AT+CFUN=1
AT+CNCFG=0,1,"hologram"
AT+CNACT=0,1
AT+CFSINIT
AT+CFSWFILE=3,"veriSign.crt.pem",0,1758,5000
AT+CFSWFILE=3,"certific.pem.crt",0,1220,5000   (Certificate obtained from AWS)
AT+CFSWFILE=3,"private.pem.key",0,1675,5000   (Private key from AWS)
AT+CFSTERM
AT+CSSLCFG="CONVERT",2,"veriSign.crt.pem"
AT+CSSLCFG="CONVERT",1,"certific.pem.crt","private.pem.key"
AT+SMSSL=2,"veriSign.crt.pem","certific.pem.crt"
AT+CSSLCFG="SSLVERSION",0,3
AT+SMCONF="URL",xxxx.iot.ca-central-1.amazonaws.com   (I did remove -ats from the URL)
AT+SMCONF="CLIENTID","test"
AT+SMCONN

Thanks for any help!

Scrts commented 10 months ago

My flow here is different than yours a little bit. For example AT+CSSLCFG command. I also did not do AT+CFSTERM. Doesn't it close access to the file system, so certs cannot be pulled in?

mrbacani commented 10 months ago

So I just tried following your flow exactly but still no connection. I also tried using your method of setting the time but when I do so, AT+CCLK doesn't return the correct time so I just set it manually.

Would it be because of the region I'm using? I'm using CA-Central and it's not listed on Supported Legacy Endpoints but when I try connecting to AWS with the Legacy certificate using Mosquitto it does work.

Scrts commented 10 months ago

Regardless of Mosquitto operation, I'd really try switching regions just to be sure.

For the time: why don't you use NTP? Just let the module pull the time on its own using AT+CNTP. Just be sure to select the right parameters, so they match your time zone.

Also, what does your device policy look like in AWS? I'd recommend using a very loose policy to begin with. Something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}
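Once the connection works, the wide-open debugging policy in the comment above can be replaced by one scoped to the device. The following is an added example, not code from the thread: it flags wildcard grants and builds a scoped policy; the account ID, region and topic prefix are constructed placeholders, and only the client ID "test" comes from the thread.

```python
import json


def wildcard_findings(policy: dict) -> list:
    """List (statement index, field) pairs where an Allow statement uses a bare wildcard."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            values = [values] if isinstance(values, str) else values
            if any(v in ("*", "iot:*") for v in values):
                findings.append((i, field))
    return findings


def scoped_policy(region: str, account: str, client_id: str, prefix: str) -> dict:
    """Allow one client ID to connect and to use topics under one prefix only."""
    arn = f"arn:aws:iot:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{client_id}"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{arn}:topic/{prefix}/*"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/{prefix}/*"},
        ],
    }


# The debugging policy quoted in the thread.
LOOSE = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}

# Constructed values: placeholder region and account, hypothetical topic prefix;
# "test" is the CLIENTID from the AT+SMCONF line earlier in the thread.
TIGHT = scoped_policy("us-east-1", "123456789012", "test", "sim7000")

if __name__ == "__main__":
    print("loose:", wildcard_findings(LOOSE))
    print("tight:", wildcard_findings(TIGHT))
    print(json.dumps(TIGHT, indent=2))
```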

mrbacani commented 10 months ago

So it was the region that was the issue. I switched it over to one of the ones listed here under Supported Legacy Endpoints. Thanks for the help!

AlexSecondSun commented 9 months ago

How did you sign your client certificates, @mrbacani? How do you obtain the certificate and private key from AWS? Don't you have to use the VeriSign certificate to sign the client certificates?

explosion33 commented 9 months ago

Having similar problems. I am using the VeriSign G5 Root CA, and AWS generated cert / key files. I followed @mrbacani's flow, double checked the time, etc. But still get an error. I also get an error when using a Python paho-mqtt script with the same certs. My current thought is a mismatch between root CA and generated cert / key. Any ideas?

tronar commented 5 months ago

After a couple of days banging my head against the docs... it worked. AT based MQTT over SSL that is, with client cert id. There are many little things that can go wrong, and all that you get is an "ERROR". One that was problematic (in my case) is that I had a proxy ESP32, so certs loading was error prone. But the last one was hard. The key has to be in "traditional" format ("RSA PRIVATE KEY"). If you create the client cert with openssl 3, the new format does not work and "convert",1 fails. You need that for the AT+SMSSL command... I was not able to do SSL w/o specifying a client cert. Hope this helps someone...

Aryan-Morteza commented 5 months ago

I have encountered this issue. The problem seems related to the SSL version 3. My private.pem.key is like this: -----BEGIN RSA PRIVATE KEY----- something -----END RSA PRIVATE KEY-----

and certificate.pem.crt:

-----BEGIN CERTIFICATE----- something -----END CERTIFICATE-----

Does anybody know how I can pre-convert the "certificate.pem.crt" and "private.pem.key" in a terminal, then upload them to the SIM7000E?

I tried this command but it doesn't work either:

The existing mosquitto.key and mosquitto.crt work fine in AT+CSSLCFG="CONVERT",1,"mosquitto.crt","mosquitto.key".

I also tried to copy and paste my own cert and key into the existing files, but it doesn't work.

Any advice?

reddy9698 commented 5 months ago

I have encountered this issue. The problem seems related to the SSL version 3. My private.pem.key is like this: -----BEGIN RSA PRIVATE KEY----- something -----END RSA PRIVATE KEY-----

and certificate.pem.crt:

-----BEGIN CERTIFICATE----- something -----END CERTIFICATE-----

Does anybody know how I can pre-convert the "certificate.pem.crt" and "private.pem.key" in a terminal, then upload them to the SIM7000E?

I tried this command but it doesn't work either:

  • openssl rsa -in private.key -out private-rsa.key -traditional
  • openssl rsa -in private.key -traditional -out private-rsa.key

The existing mosquitto.key and mosquitto.crt work fine in AT+CSSLCFG="CONVERT",1,"mosquitto.crt","mosquitto.key".

I also tried to copy and paste my own cert and key into the existing files, but it doesn't work.

Any advice?

I don't think you need to convert the certificates to use them. The .crt and .key are already in the .pem format. You can just use them directly. One good tip would be to rename them to something much simpler, like prvt.key and certificate.crt.

Aryan-Morteza commented 5 months ago

Hi Reddy, I used this AT command too: AT+CSSLCFG="CONVERT",1,"mycert.crt","private.key", but it doesn't work. I'm using the B01 version; should I upgrade the SIM7000E S/W? I'm using a SIM7000E RPi hat with a thingsmobile SIM card.

tronar commented 5 months ago

Aryan, if your pem key file has the "RSA" in the header, then it is in traditional format and that part is ok. I would go step by step verifying what's ok and what's not. Does the "convert" command (AT+CSSLCFG) work with your cert? (you said no) Does it work with another cert? (you said yes) Then your cert has some issue. Verify extensions? "openssl x509 -noout -text -in yourcert.pem" and compare to "openssl x509 -noout -text -in goodcert.pem". HTH

Aryan-Morteza commented 5 months ago

Hi Tronar, I have three certs once I create the thing in AWS IoT core:

For the first one:
AT+CSSLCFG="CONVERT",2,"AmazonRootCA1.pem" ----> OK: this one works fine.
While this one:
AT+CSSLCFG="CONVERT",1,".....certificate.pem.crt",".....private.pem.key" ----> ERROR: Not working
and this one:
AT+CSSLCFG="CONVERT",1,".....certificate.pem",".....private.pem" ----> ERROR: Not working

Should I enable something before using this? (I don't think so.) Should I upgrade the S/W to B09?

FYI: the certs work fine with the Python library!

import AWSIoTPythonSDK.MQTTLib as AWSIoTPyMQTT
myAWSIoTMQTTClient = AWSIoTPyMQTT.AWSIoTMQTTClient(CLIENT_ID)
myAWSIoTMQTTClient.configureEndpoint(ENDPOINT, 8883)
myAWSIoTMQTTClient.configureCredentials(PATH_TO_AMAZON_ROOT_CA_1, PATH_TO_PRIVATE_KEY, PATH_TO_CERTIFICATE)

tronar commented 5 months ago

Aryan, those are not 3 certs. The AmazonRootCA1.pem is a cert, a CA cert, used to validate the server cert when connecting using TLS. The 1294..-certificate.pem.crt is your device cert, and the 1294...private.pem.key is your device key. (private key) The cert holds a public key, and the corresponding private is in the key file. PEM is a data format. What is the first line of the key file ? What is the output of "openssl x509 -noout -text -in 1294...certificate.pem.crt" ?

Aryan-Morteza commented 5 months ago

The first line of the key file: -----BEGIN RSA PRIVATE KEY-----

The first line of 1294..-certificate.pem.crt: -----BEGIN CERTIFICATE-----

Regarding this: Verify extensions? "openssl x509 -noout -text -in yourcert.pem" and compare to "openssl x509 -noout -text -in goodcert.pem"

"What is the output of "openssl x509 -noout -text -in 1294...certificate.pem.crt"?"

mycert (1294..-certificate.pem.crt):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: f2:e7:58:b4:c5:2c:61:06:6c:e2:7e:9c:80:46:d4:56:4d:9f:2f:96
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US
        Validity
            Not Before: Nov 1 10:13:51 2023 GMT
            Not After : Dec 31 23:59:59 2049 GMT
        Subject: CN = AWS IoT Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                A0:82:E7:18:27:11:92:AC:E9:28:45:09:6D:D7:37:EA:4A:14:A1:4B
            X509v3 Subject Key Identifier:
                FD:91:4B:59:0D:D5:F6:73:73:6C:82:7F:D1:D2:D2:0F:7B:0C:FC:DF
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [hex omitted]

mosquitto.crt (one that works fine):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = United Kingdom, L = Derby, O = Mosquitto, OU = CA, CN = mosquitto.org, emailAddress = roger@atchoo.org
        Validity
            Not Before: Feb 5 13:06:10 2019 GMT
            Not After : May 6 13:06:10 2019 GMT
        Subject: C = AU, ST = QLD, L = LABRADOR, O = SmartWorldBox, CN = Tom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [hex omitted]

tronar commented 5 months ago

Cert looks fine to me, I guess it's just that the file name is too long. Rename both cert and key to something like client.pem and client.key and try again...

Aryan-Morteza commented 5 months ago

I did that 1000 times, going to try it again...

GPT tells me this:

Here are the main differences between the two certificates:

Issuer: The first certificate is issued by Amazon Web Services, while the second one is issued by Mosquitto.org.

Validity: The first certificate is valid from Nov 1, 2023, to Dec 31, 2049, whereas the second one is valid from Feb 5, 2019, to May 6, 2019.

Subject: The subjects of the certificates are different. The first one is issued to "AWS IoT Certificate", and the second one is issued to "Tom" by SmartWorldBox.

Public Key Algorithm: Both certificates use the RSA encryption algorithm for their public keys.

Public Key Modulus: The modulus values, which represent the public key, are different in both certificates.

X509v3 extensions: The first certificate includes extensions such as Basic Constraints and Key Usage, whereas the second certificate doesn't include these extensions.

Signature Algorithm: Both certificates use the sha256WithRSAEncryption signature algorithm.

Serial Number: The first certificate has a serial number specified, while the second certificate has a serial number of 0 (0x0).

X509v3 Key Usage: The first certificate has a critical Key Usage extension, while the second certificate does not specify a Key Usage extension.

Subject Key Identifier: The first certificate has a Subject Key Identifier extension, while the second certificate doesn't include this extension.

I think the issue is related to the firmware of the SIM7000E Pi hat; mine is 01 but 09 has been released.

tronar commented 5 months ago

Oh, wait, I did not pay attention to the time. Mosquitto is valid in 2019; what time does your module have? Have you disabled time verification? (AT+CSSLCFG="ignorertctime",0,1)

Aryan-Morteza commented 5 months ago

The funny thing is the AT+CSSLCFG="CONVERT",1,"mosquitto.crt","mosquitto.key" works fine w/o AT+CSSLCFG="ignorertctime",0,1.

tronar commented 5 months ago

That might be because the module default time lies in the 2019 timeframe ? Look and see (AT+CCLK?)

Aryan-Morteza commented 5 months ago

Negative again! With or without AT+CSSLCFG="ignorertctime",0,1, the AT+CSSLCFG="CONVERT",1,"mosquitto.crt","mosquitto.key" works fine and the AT+CSSLCFG="CONVERT",1,"shorten.crt","shorten.key" doesn't work.

tronar commented 5 months ago

I don't know then. Sorry,

Aryan-Morteza commented 5 months ago

I appreciate your consideration. I'm going to update the firmware with 09 and try again.

Scrts commented 5 months ago

Are you sure your certs are uploaded correctly? Did you use Qualcomm tool to upload the certs to the file system or you are trying to do this through the terminal?

Aryan-Morteza commented 5 months ago

Hi, I used QPST EFS Explorer to upload the certs. I tried via terminal; things work fine on uploading certs.

[Screenshot 2024-02-08 134909]

Scrts commented 5 months ago

So the error is that the conversion command doesn't work or you cannot connect to AWS?

Aryan-Morteza commented 5 months ago

The issue is I can't embark "device cert" and "device private key" while I can do the cert (AmazonRootCA1), hence I can't construct the MQTTS to connect (AT+SMCONN). Also, the outcome of AT+SMSSL=1, "AmazonRootCA1","certificate.crt" is OK, but AT+CSSLCFG="CONVERT",1,"certificate.crt","client.key" doesn't work. (ERROR)

Scrts commented 5 months ago

Something doesn't add up here. certificate.crt that you're trying to use does not exist in the file system screenshot you've provided. Can you copy the exact sequence in the terminal?

Typically, you should do like this:

AT+CSSLCFG="convert",2,"LegacyRoot.pem"<CR><LF>
AT+CSSLCFG="convert",1,"certificate.crt","private.key"<CR><LF>
AT+CSSLCFG="sslversion",0,3<CR><LF>
AT+SMSSL=1,"LegacyRoot.pem","certificate.crt"<CR><LF>

And then try the connection if your module time is current.

Aryan-Morteza commented 5 months ago

The screenshot was not updated. It's an updated one + log:

[Screenshot 2024-02-08 143112] [photo_2024-02-08_14-32-30]

Scrts commented 5 months ago

A couple of notes:

  1. Your file permissions seem to be not the same for the last 2 files?
  2. You have to strip off -ats when connecting to AWS. Also check if your region supports legacy certificate connections.

tronar commented 5 months ago

I can feel your pain cause I've been more or less in the same place a couple of days ago. I can try loading your cert if you paste the cert and private, but pasting the private is not something you should do.

Aryan-Morteza commented 5 months ago

A couple of notes:

  1. Your file permissions seem to be not the same for the last 2 files?
  2. You have to strip off -ats when connecting to AWS. Also check if your region supports legacy certificate connections.

Number 2 amended, working on the latter one, but I don't think it's going to solve the problem.

Aryan-Morteza commented 5 months ago

I can feel your pain cause I've been more or less in the same place a couple of days ago. I can try loading your cert if you paste the cert and private, but pasting the private is not something you should do.

I'm looking to solve the problem:

private.pem.key: -----BEGIN RSA PRIVATE KEY----- [key body removed] -----END RSA PRIVATE KEY-----

certificate.pem.crt: -----BEGIN CERTIFICATE----- [certificate body removed] -----END CERTIFICATE-----

Aryan-Morteza commented 5 months ago

Do you think the issue is related to the firmware or the hardware being used? NB-IoT

Scrts commented 5 months ago

If your module SW doesn't have the permission or "see" the files in the filesystem - it will throw an error.

What do these return?

AT+CFSINIT
AT+CFSGFIS=3,"certificate.pem.crt"
AT+CFSGFIS=3,"private.pem.key"

P.S. You might still want to update your firmware to the latest. I see some are here: https://github.com/botletics/SIM7000-LTE-Shield/tree/master/SIM7000%20Documentation/Firmware

Edited: Thanks @tronar

tronar commented 5 months ago

I loaded your certs in my 7000G and worked, so it's not cert related: AT+CSSLCFG="convert",1,"aws.pem","aws.key" OK I have b08, so it may be firm related, or time related, or...

Aryan-Morteza commented 5 months ago

I loaded your certs in my 7000G and worked, so it's not cert related: AT+CSSLCFG="convert",1,"aws.pem","aws.key" OK I have b08, so it may be firm related, or time related, or...

Thanks for the feedback, I believe it's related to firmware: mine is b01.

tronar commented 5 months ago

@scrts, certs go in customer, so should be AT+CFSGFIS=3, not 0, right?

Scrts commented 5 months ago

@Scrts, certs go in customer, so should be AT+CFSGFIS=3, not 0, right?

You are correct. I've fixed my post. Thank you.

Aryan-Morteza commented 5 months ago

I did update the firmware to b08, but the error still stands. I think it might be related to something else.

@tronar Did you just copy my certificate and key into a notepad and rename it before uploading? Did you use an Arduino or a Raspberry Pi?

tronar commented 5 months ago

Yes, I made a couple of files named aws.pem and aws.key, uploaded them using a modified python script and tested by hand. I'm using a Lilygo ESP-32+SIM7000D.

tronar commented 5 months ago

Check that the line ends are LF and not CR+LF?
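A host-side pre-flight for the file checks raised in this thread: the traditional "RSA PRIVATE KEY" format, LF line endings, short file names, and the byte count passed to AT+CFSWFILE. This is an added example, not code from the thread; the 16-character name limit is an assumption taken from the names in the first AT sequence, the AT+CFSWFILE parameters are copied from that sequence, and the sample PEM data is constructed (DER stubs with the right first fields, not real keys).

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
MAX_NAME = 16  # assumption: length of the longest name in the thread's first sequence


def key_encoding(der: bytes) -> str:
    """Classify a private-key DER blob as "pkcs1" (traditional) or "pkcs8"."""
    if len(der) < 2 or der[0] != 0x30:
        return "not-der"
    pos = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip the SEQUENCE header
    if der[pos:pos + 3] != b"\x02\x01\x00":            # INTEGER version = 0
        return "unknown"
    # PKCS#1 continues with INTEGER modulus, PKCS#8 with an AlgorithmIdentifier.
    return {b"\x02": "pkcs1", b"\x30": "pkcs8"}.get(der[pos + 3:pos + 4], "unknown")


def preflight(name: str, data: bytes, role: str) -> list:
    """Return the problems found in one file; role is "key" or "cert"."""
    problems = []
    if len(name) > MAX_NAME:
        problems.append("name-too-long")
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("utf8-bom")
    if b"\r" in data:
        problems.append("crlf-line-endings")
    blocks = PEM_RE.findall(data)
    if len(blocks) != 1:
        return problems + ["expected-one-pem-block"]
    label, body = blocks[0][0].decode(), blocks[0][1]
    if b"Proc-Type:" in body:
        return problems + ["passphrase-protected-key"]
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:
        return problems + ["bad-base64"]
    if role == "cert":
        if label != "CERTIFICATE":
            problems.append("not-a-certificate")
    elif label == "RSA PRIVATE KEY":
        if key_encoding(der) != "pkcs1":   # header edited by hand, body never converted
            problems.append("header-does-not-match-body")
    elif label == "PRIVATE KEY":
        problems.append("pkcs8-needs-traditional-format")
    else:
        problems.append("unsupported-key-type")
    return problems


def cfswfile_command(name: str, data: bytes, timeout_ms: int = 5000) -> str:
    """AT+CFSWFILE line in the form used in the thread, with the exact byte count."""
    return f'AT+CFSWFILE=3,"{name}",0,{len(data)},{timeout_ms}'


def make_pem(label: str, der: bytes, eol: bytes = b"\n") -> bytes:
    """Wrap DER bytes in PEM armour (used only to build the constructed samples)."""
    tag = label.encode()
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([b"-----BEGIN " + tag + b"-----", *lines, b"-----END " + tag + b"-----", b""])


# Constructed DER stubs: SEQUENCE { INTEGER 0, INTEGER 5 } and SEQUENCE { INTEGER 0, SEQUENCE {} }.
PKCS1_SHAPE = bytes.fromhex("3006020100020105")
PKCS8_SHAPE = bytes.fromhex("30050201003000")

if __name__ == "__main__":
    good = make_pem("RSA PRIVATE KEY", PKCS1_SHAPE)
    print(preflight("client.key", good, "key"), cfswfile_command("client.key", good))
    print(preflight("client.key", make_pem("PRIVATE KEY", PKCS8_SHAPE), "key"))
    print(preflight("0123abcd-certificate.pem.crt", make_pem("CERTIFICATE", b"\x30\x00", b"\r\n"), "cert"))
```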

Aryan-Morteza commented 5 months ago

They all end by Unix (LF).

tronar commented 5 months ago

Well, the other thing is the time. I would check if changing the current time renders your mosquitto cert invalid. If yes, then verify correct time. You have a similar (working) one, try to create another cert that works (learn the details of openssl :) and work from there. Start by creating a cert for the same keys?

Aryan-Morteza commented 5 months ago

I'm going to play with time and read about OpenSSL :)

Scrts commented 5 months ago

Just try the same certificate files on your PC connecting to AWS using Mosquitto. If that works, then your certificate files are OK. Did you resolve the permissions? Did you try to check if the file system see them and correct size? See my post above.

Aryan-Morteza commented 5 months ago

Just try the same certificate files on your PC connecting to AWS using Mosquitto. If that works, then your certificate files are OK. Did you resolve the permissions? Did you try to check if the file system see them and correct size? See my post above.

My files work with the Python library AWSIoTPyMQTT; they ain't embark with the SIM7000E RPi hat. I checked the permissions and size too. Also, the one in https://github.com/tmcadam/sim7000-tools works fine via AT+CSSLCFG="convert",1,"mosquitto.crt","mosquitto.key"

I tried to copy my cert and key to those file and tested, but same issue again.

Scrts commented 5 months ago

By the way, where are you located? In the USA?

Aryan-Morteza commented 5 months ago

By the way, where are you located? In the USA?

If it helps to solve the problem :) United Kingdom

Scrts commented 5 months ago

Just wanted to be sure, since SIM7000E version is for European frequencies :-)