Open kittinook opened 5 years ago
tronar
commented
6 months ago BTW, the script in sim7000-tools opens and closes the COM port with each send and receive op. This wreaks havoc specially when using a soft bridge like was my case (i.e. COM -> ESP-32 -> SIM7000)
Aryan-Morteza
commented
6 months ago BTW, the script in sim7000-tools opens and closes the COM port with each send and receive op. This wreaks havoc specially when using a soft bridge like was my case (i.e. COM -> ESP-32 -> SIM7000)
I agree with you, BTW the cert and key works fine in convert, 1
Scrts
commented
6 months ago If it's Waveshare module, then hook it up to your PC over USB, open terminal like putty and enter the commands manually. One more thing: you need to use VeriSign legacy certificate from AWS. You can find it here: https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html Amazon Root CA certs do not work, afaik.
Aryan-Morteza
commented
6 months ago If it's Waveshare module, then hook it up to your PC over USB, open terminal like putty and enter the commands manually. One more thing: you need to use VeriSign legacy certificate from AWS. You can find it here: https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html Amazon Root CA certs do not work, afaik.
Thanks @Scrts the thing is AmazonRootCA would convert fine. the two others would not.
Scrts
commented
6 months ago Do you want to try my files? I can send them by email.
Aryan-Morteza
commented
6 months ago Do you want to try my files? I can send them by email.
That's kind of you. Aryanbeta2003@gmail.com
Aryan-Morteza
commented
6 months ago @Scrts @tronar The problem was with my certs! I downloaded the new one and they embarked! Tomorrow I will test it to publish data to IoT core! Will let you know!
Thanks for your time and consideration, guys! Many Thanks!
Aryan-Morteza
commented
6 months ago Hia,
I'm trying to open a connection to AWS via MQTT port 8883. I set sslversion to 3 --->QAPI_NET_SSL_PROTOCOL_TLS_1_2. Also on the AWS IoT Core set it to IoTSecurityPolicy_TLS12_1_2_2022_10
But I'm still encountering with error, the AT+SMCONN wont work on my setting
, What should I change on the AT commands?
tronar
commented
6 months ago Your time looks fine but NTP is giving you an error ? It depends on bearer connection, check it. (AT+SAPBR=2,1) I've my own MQTT server, so I can look at the session and see who is aborting it. May be you can do the same, it's not that hard to setup a mosquitto broker. Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server...
Scrts
commented
6 months ago I highly suggest trying the MQTT on your PC using Mosquitto. Do you have the right policy on AWS to publish? Also does the path sdk/test/python exist? If not, I've seen AWS immediately closing the connection. Before you try publishing, try doing SMSUB and see if you can send messages from AWS IoT and see if the module receives? Try subscribing to an existing demo path.
Aryan-Morteza
commented
6 months ago Your time looks fine but NTP is giving you an error ? It depends on bearer connection, check it. (AT+SAPBR=2,1) I've my own MQTT server, so I can look at the session and see who is aborting it. May be you can do the same, it's not that hard to setup a mosquitto broker. Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server...
AT+SAPBR=2,1 ---> ERROR I can get IP and Ping works fine. "Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server..." I don't understand what exactly should I do?
Aryan-Morteza
commented
6 months ago I highly suggest trying the MQTT on your PC using Mosquitto. Do you have the right policy on AWS to publish? Also does the path sdk/test/python exist? If not, I've seen AWS immediately closing the connection. Before you try publishing, try doing SMSUB and see if you can send messages from AWS IoT and see if the module receives? Try subscribing to an existing demo path.
I have tested the cert and others, publishing data to AWS bia Python SDK works fine, I don't require to send msg from AWS to my device only thing in this step is to send from device to AWS IoT Core
Scrts
commented
6 months ago Afaik AWS will immediately close the connection if you try to do something that your policy prohibis. That's why trying to debug based on SMSUB as a first step would help.
tronar
commented
6 months ago Your time looks fine but NTP is giving you an error ? It depends on bearer connection, check it. (AT+SAPBR=2,1) I've my own MQTT server, so I can look at the session and see who is aborting it. May be you can do the same, it's not that hard to setup a mosquitto broker. Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server...
AT+SAPBR=2,1 ---> ERROR
Mine works ... (schrug) I'm not completelly sure about the SIM7000 proc and services, but there are some dependencies. Read the command manual. NTP, AFAIK, depends on bearer session being up, and AT+SAPBR is used to close(0), open(1) or query (2) the bearer session. (cid, 1 in my example) Ping works even w/o a bearer up.
I can get IP and Ping works fine. "Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server..." I don't understand what exactly should I do?
Mosquitto is an Apache project that has a broker and client tools (mosquitto_pub and mosquitto_sub). You can use the client to test whatever you want to do manually so you get an idea of who the culprit is. Divide and conquer ?
Aryan-Morteza
commented
6 months ago Here are the specific details of my configuration and the issue at hand:
Device: SIM7000X module Connectivity: I am using SIM7000X to connect to AWS IoT Core for MQTT communication. Configuration: I have configured the SIM7000X module with the necessary parameters including the AWS IoT Core endpoint URL, port number (8883 for MQTT over TLS), client ID, and security settings. Testing: The module is able to establish a connection successfully when using a test MQTT broker (e.g., test.mosquitto.org). However, when attempting to connect to AWS IoT Core using the provided endpoint URL (XXXXXXXXXXXX.iot.us-east-1.amazonaws.com), the connection is not successful. URL Used: a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com
Additionally, I want to emphasize that I have successfully established connections to AWS IoT Core using the same certificates and credentials when utilizing the Python SDK. Hence, it appears that the issue lies specifically with the SIM7000X module's connection to AWS IoT Core.
I have performed several troubleshooting steps including:
Verifying the correctness of the AWS IoT Core endpoint URL, port number, and client ID. Ensuring that the SIM7000X module has access to the internet and that there are no firewall or network configuration issues blocking the connection. Configuring TLS/SSL with appropriate certificates, including the AmazonRootCA12.pem and device-specific certificate files. Despite these efforts, the connection to AWS IoT Core is not established successfully. When attempting to publish a message, the module returns an error.
Here is an excerpt of the commands and responses [test.mosquitto.org]:
[at+cnact?, +CNACT: 1,"10.193.154.101", OK] [AT+SNPING4="XXXXXXXXXXXXX.iot.us-east-1.amazonaws.com",3,20,100, +SNPING4: 1,52.71.21.145,60000, +SNPING4: 2,52.71.21.145,60000, +SNPING4: 3,52.71.21.145,60000, OK] [AT+SAPBR=2,1, +SAPBR: 1,3,"0.0.0.0", OK] [AT+SMCONF="URL","test.mosquitto.org","1883", OK] [+O"EM", OK, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR] [AT+SMCONF="CLIENTID","iotconsole-84806066-427c-4179-a875-92148ce075c6", OK] [AT+SMCONF="CLEANSS",1, OK] [AT+SMCONF="QOS",1, OK] [AT+SMCONF="TOPIC","sdk/test/python", OK] [AT+SMCONF?, +SMCONF , CLIENTID: "iotconsole-84806066-427c-4179-a875-92148ce075c6", URL: "test.mosquitto.org:1883", KEEPTIME: 60, USERNAME: "", PASSWORD: "", CLEANSS: 1, QOS: 1, TOPIC: "sdk/test/python", MESSAGE: "", RETAIN: 0, OK] [AT+SMSSL=1,"AmazonRootCA12.pem","certificate.crt", OK] [AT+CSSLCFG="convert",2,"AmazonRootCA12.pem", OK] [AT+CSSLCFG="convert",1,"certificate.crt","private.key", OK] [AT+CSSLCFG="protocol",0,1, OK] [AT+CSSLCFG="ignorertctime",0,1, OK] [AT+CSSLCFG?, OK] [T+CSSLCFG="sslversion",0,3, OK] [T+NIG4"1kj-.mnw.o,,010] [AT+SMCONN, OK] [] [AT+SMPUB="sdk/test/python","5",1,1, ERROR] [] [AT+SMDISC, OK] serial closed!
I have also attached a log file containing detailed commands and responses for your reference [AWS end point].
[AT+SNPING4="XXXXXXXXXXXXXXXXX.iot.us-east-1.amazonaws.com",3,20,100, +SNPING4: 1,54.208.232.218,60000, +SNPING4: 2,54.208.232.218,60000, +SNPING4: 3,54.208.232.218,60000, OK] [AT+SAPBR=2,1, +SAPBR: 1,3,"0.0.0.0", OK] [AT+SMCONF="URL","XXXXXXXXXXXXXXXXX.iot.us-east-1.amazonaws.com","8883", OK] [AT+SMCONF="KEEPTIME",60, OK] [AT+SMCONF="CLIENTID","iotconsole-84806066-427c-4179-a875-92148ce075c6", OK] [AT+SMCONF="CLEANSS",1, OK] [A+SMCONF="QOS",1, OK] [A+MOF"TPC,dtpyhn, O] [AT+SMCONF?, +SMCONF , CLIENTID: "iotconsole-84806066-427c-4179-a875-92148ce075c6", URL: "XXXXXXXXXXX.iot.us-east-1.amazonaws.com:8883", KEEPTIME: 60, USERNAME: "", PASSWORD: "", CLEANSS: 1, QOS: 1, TOPIC: "sdk/test/python", MESSAGE: "", RETAIN: 0, OK] [A+SMSSL=1,"AmazonRootCA12.pem","certificate.crt", OK] [A+CSSLCFG="convert",2,"AmazonRootCA12.pem", OK] [ACSSLCFG="convert",1,"certificate.crt","private.key", OK] [AT+CSSLCFG="protocol",0,1, OK] [AT+CSSLCFG="ignorertctime",0,1, OK] [AT+CSSLCFG?, OK] [AT+CSSLCFG="sslversion",0,3, OK] [AT+SNPING4="XXXXXXXXXXXX.iot.us-east-1.amazonaws.com",3,20,100, +SNPING4: 1,52.20.89.239,60000, +SNPING4: 2,52.20.89.239,60000, +SNPING4: 3,52.20.89.239,60000, OK] [AT+SMCONN, ERROR] [] [AT+SMPUB="sdk/test/python","5",1,1, ERROR] [] [A+SMDISC, ERROR] serial closed!
Could you please assist me in diagnosing and resolving this issue? Any guidance, suggestions, or insights you can provide would be greatly appreciated.
I tried many others configs to establish the connection between SIM7000X and AWS IoT Core, I used a software (Windows-based) and could to successfully establish the connection w/o certs too.
tronar
commented
6 months ago Aryan, have you tried mosquitto_sub with your "certs" ? Does it work ? I know you said "it works with python" but there are so many things to pay attention to that having a reference implementation helps. Something along this line: $ mosquitto_sub --cafile symantec-G4.pem --cert aws.pem --key aws.key -h a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com -p 8883 -t test/#
Also $ openssl s_client -connect a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com:8883 -showcerts -tls1_2 should help you validate that the CA cert you are using is the one that you should...
Aryan-Morteza
commented
6 months ago Hi there,
I'm doing it right now. I think I need a legacy CA root to establish a connection with AWS IoT core. Have u ever succeeded in establishing a connection with cert and CA to AWS IoT core? do u have any website that I can use to download the particular CA and add that to the AWS IoT certificate manager? I tried this one: https://www.digicert.com/kb/digicert-root-certificates.htm but it seems I can establish the connection even with Python SDK.
Regards, Aryan
On Mon, Feb 19, 2024 at 4:22 PM Carlos G Mendioroz @.***> wrote:
Aryan, have you tried mosquitto_sub with your "certs" ? Does it work ? I know you said "it works with python" but there are so many things to pay attention to that having a reference implementation helps. Something along this line: $ mosquitto_sub --cafile symantec-G4.pem --cert aws.pem --key aws.key -h a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com -p 8883 -t test/#
Also $ openssl s_client -connect a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com:8883 -showcerts -tls1_2 should help you validate that the CA cert you are using is the one that you should...
— Reply to this email directly, view it on GitHub https://github.com/botletics/SIM7000-LTE-Shield/issues/58#issuecomment-1952811053, or unsubscribe https://github.com/notifications/unsubscribe-auth/AGZDFP775HATO7A6XGW62HLYUN35ZAVCNFSM4GKHR2S2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJVGI4DCMJQGUZQ . You are receiving this because you commented.Message ID: @.***>
tronar
commented
6 months ago Aryan, you don't have to "try" CA certs, you have to use the one that is needed :) And for that, openssl s_client should help. RTFM ? I'm not using AWS broker now.
Aryan-Morteza
commented
6 months ago I got confused! I'm not big on SSL stuff, Im looking for a solution to unravel the issue,
tronar
commented
6 months ago Well, confusion is a required prereq for learning... Do you understand what are you trying to do with certs ? (hint: cross authentication) Do you understand how PKI works ? (hint: you need one or two common trusted points of reference, a.k.a. CA) Do you have a basic idea of pub/priv keys ? openssl s_client is telling you the cert chain that the server is using. Your "ca" cert has to be in that chain for the client to recognize the server as trusted/known. So either "Amazon Root CA 1" or "Starfield Services Root Certificate Authority - G2" should work.
Scrts
commented
6 months ago Are you using legacy certificates as I've told before? Does your AWS endpoint (I assume US east) support legacy certificate? Did you update your system clock?
AFAIK the SIM7xxx modules do not support non-legacy certificates. At least they did not work for me at all. Maybe new firmware changed that, but I'd try the proven method.
tronar
commented
6 months ago Hmm, and may be you need to specify SNI (+CSSLCFG: "sni",(0-5),
Aryan-Morteza
commented
6 months ago Are you using legacy certificates as I've told before? Does your AWS endpoint (I assume US east) support legacy certificate? Did you update your system clock?
AFAIK the SIM7xxx modules do not support non-legacy certificates. At least they did not work for me at all. Maybe new firmware changed that, but I'd try the proven method.
I tried some certificate in this website: VeriSign Class 3 Public Primary G5 root CA certificate
Not work with Python SDK nor SIM7000 AT command. The Clock is updated since RPi in connected to internet. Today I'm going to try CA root from this website: https://www.amazontrust.com/repository/ and Cross-signed Amazon Root CA 1
Also, the firmware is updated.
Scrts
commented
6 months ago What does AT+CCLK? return? Should be current time.
I've used this legacy root CA certificate, which worked well. I've also sent you the same over email before: https://cacerts.digicert.com/pca3-g5.crt.pem
tronar
commented
6 months ago @Scrts He is using ignorertctime, time should not be an issue.
Scrts
commented
6 months ago @tronar, I was not aware that this is an option from AWS side... I've never tried, so cannot comment. Using NTP to sync time for the module is very easy - just need to know which time zone to select.
Aryan-Morteza
commented
6 months ago What does AT+CCLK? return? Should be current time.
I've used this legacy root CA certificate, which worked well. I've also sent you the same over email before: https://cacerts.digicert.com/pca3-g5.crt.pem
I tried to use it, but first, I have to embark on AWS IoT core certificates section.
tronar
commented
6 months ago @scrts It's not from AWS side, is for client side to decide if presented cert is valid "now". If you set "ignorertctime", then server cert time validity will not be checked. Also, TZ does not matter, it's only important if you want to display local time but irrelevant for cert validity checks.
tronar
commented
6 months ago @Aryan, what do you mean by "embark" ? Enroll ? In the page you are showing, pay attention: it's asking for a CSR, not for a certificate. You need to understand PKI first...
Aryan-Morteza
commented
6 months ago @aryan, what do you mean by "embark" ? Enroll ? In the page you are showing, pay attention: it's asking for a CSR, not for a certificate. You need to understand PKI first...
It means loading, Troner I know you have very good knowledge of SSH and SSL stuff. I'm not big on that, I have a little knowledge about the working flow of private key and public key.
I know there are three files from AWS IoT core, and for establishing a connection between RPI hat sim7000 and AWS IoT core I have to use them. I loaded them on my module, but I can't establish a connection. AT+SMCONN returns nothing or sometimes an error.
about the picture U right, my bad check this out: I admire your research attitude BTW I think the problem would be solved W/O gaining knowledge about the abbreviations you've told me.
Cheers
Aryan-Morteza
commented
6 months ago What does AT+CCLK? return? Should be current time.
I've used this legacy root CA certificate, which worked well. I've also sent you the same over email before: https://cacerts.digicert.com/pca3-g5.crt.pem
Yes! Thank you Mate, The thing is I have loaded it in my AWS IoT console and tried via Python SDK, but it seems it aint work. self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992) I tried with SIM7000 to AT+SMCONN returns nothing, unfortunately.
Scrts
commented
6 months ago I've used mosquitto to debug and it worked before.
"C:\Program Files\mosquitto\mosquitto_sub.exe" --cert certificate.crt --key private.key --cafile LegacyRoot.pem -h a1mfxzzzxxxyyy.iot.us-west-2.amazonaws.com -p 8883 -t "test"
AT+SMCONN returns nothing at all? Maybe it is trying a connection and it times out?
For the "certificate embark on AWS IoT" - I am not sure what are you doing and where are you doing this? Those CA certificates are already available for AWS - you do not have to do anything additional. If you go to AWS IoT -> Security -> Certificates, these are the ones that you create and upload to your device.
Also what policy did you assign to your own certificate? I suggest you make a really loose one for the beginning. I've used this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:*",
"Resource": "*"
}
]
}I've used mosquitto to debug and it worked before.
"C:\Program Files\mosquitto\mosquitto_sub.exe" --cert certificate.crt --key private.key --cafile LegacyRoot.pem -h a1mfxzzzxxxyyy.iot.us-west-2.amazonaws.com -p 8883 -t "test"AT+SMCONN returns nothing at all? Maybe it is trying a connection and it times out?
For the "certificate embark on AWS IoT" - I am not sure what are you doing and where are you doing this? Those CA certificates are already available for AWS - you do not have to do anything additional. If you go to AWS IoT -> Security -> Certificates, these are the ones that you create and upload to your device.
Also what policy did you assign to your own certificate? I suggest you make a really loose one for the beginning. I've used this:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*" } ] }
Hello,
I tried "C:\Program Files\mosquitto\mosquitto_sub.exe" --cert certificate.crt --key private.key --cafile LegacyRoot.pem -h a1mfxzzzxxxyyy.iot.us-west-2.amazonaws.com -p 8883 -t "test" with my certs and everything works.
When I'm using the legacy certificate using AT+command once I use SMSLL at command, module kinda reset and disconnect from port and then reconnect again: At+cnact? +CNACT: 1,"10.193.64.56"
OK AT+SMSSL=1,"AmazonRootCA1234.pem","certificate.crt" SMS Ready
DST: 0
*PSUTTZ: 24/02/27,10:31:35","+00",0 at+cnact? +CNACT: 0,"0.0.0.0"
OK
Also, I explored that Im using the client id from MQTT test client/Connection details/Client ID which is not correct and I must use the manage/things/name. I did amend and I'm still encountered with the issue above.
Additionally, I used the new certs they work with SMSSL but SMCONN outcome is error: AT+CNACT? +CNACT: 1,"10.193.128.11"
OK AT+CSSLCFG="ignorertctime",0,1 OK AT+CSSLCFG="convert",2,"AmazonRootCA1.pem" OK AT+CSSLCFG="convert",1,"certificate.crt","private.key" OK AT+CSSLCFG? OK AT+CSSLCFG="sslversion",0,3 OK AT+SMCONF=URL,*****.iot.us-east-1.amazonaws.com,8883 OK AT+SMCONF="CLIENTID","end1" OK AT+SMCONF="CLEANSS",0 OK AT+SMCONF="QOS",0 OK AT+SMCONF="TOPIC","sdk/test/python" OK AT+SMCONF="RETAIN",0 OK AT+SMCONF="KEEPTIME",60 OK AT+SMCONF? +SMCONF CLIENTID: "end1" URL: ****.iot.us-east-1.amazonaws.com:8883" KEEPTIME: 60 USERNAME: "" PASSWORD: "" CLEANSS: 0 QOS: 0 TOPIC: "sdk/test/python" MESSAGE: "" RETAIN: 0
OK AT+SMSSL=1,"AmazonRootCA1.pem","certificate.crt" OK AT+SMCONN ERROR
the policy also was and is the same like your suggestion.
based on this image it seems module partially connect with mqtt but something wrong with the module or aws. Also it seems with sim7600 you can connect to the AWS IoT Core without suffering.
NavyaDevB
commented
1 month ago Hi,
I am trying to connect my TTGO SIM7000G ESP32 Wrover-E to AWS IoT core using MQTT, in which I want to connect to internet through GSM, GPRS.
Can you share any documentation to upload the AWS generated certificates into the device and connect to AWS IoT core.
Thanks.
Hi, I've interested this board. Do you have the example for communication between the board and AWS IoT cloud?