espressif / esp-aws-iot

AWS IoT SDK for ESP32 based chipsets
Apache License 2.0

ESP-AWS-IoT support for fleet provisioning (CA-182) #87

Open helaagardabbou opened 2 years ago

helaagardabbou commented 2 years ago

Hello, please, when will the ESP-AWS-IoT component support fleet provisioning?

SolidStateLEDLighting commented 2 years ago

You can achieve Fleet Provisioning right now. I did it both in the older version and in this new beta version. Everything is just a matter of subscription and publishing. There is quite a bit to set up over at AWS, but the instructions there are correct and complete. Order of operation is important. And you may have one sticking point when you receive the new certs. AWS may possibly send the certs to you with 2-character line feeds. You'll need to strip those out and insert one-character line feeds at the correct 64-character positions. Other than this --- the provisioning does work fairly well.
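The line-feed cleanup described above, as an added example (not code from this thread or from esp-aws-iot): it rewrites a received certificatePem string, whether it carries CRLF line ends or the literal two-character "\n" escapes left over from the JSON response, into canonical PEM with single newlines and 64-character lines, and rejects anything in the body that is not base64. The certificate bodies below are constructed placeholders, not a real certificate.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"
#define PEM_LINE  64
#define PEM_MAX   4096   /* ample for any device certificate AWS IoT issues */

/* Base64 alphabet plus '=' padding; nothing else belongs in the body. */
static int is_b64(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
}

/* Rewrite the text between the BEGIN/END markers with '\n' line ends and
 * 64-character body lines. Accepts CRLF, bare LF, stray whitespace, and the
 * two-character "\n" / "\r" escapes that survive when the JSON string value
 * is copied out without unescaping. Returns the length written (no NUL) or
 * -1 on malformed input, so a damaged certificate is never written to flash. */
int pem_normalize(const char *in, char *out, size_t out_len)
{
    const char *start = strstr(in, PEM_BEGIN);
    if (start == NULL) return -1;
    start += strlen(PEM_BEGIN);
    const char *end = strstr(start, PEM_END);
    if (end == NULL) return -1;

    static char body[PEM_MAX];   /* static keeps 4 KB off a small task stack */
    size_t n = 0;
    for (const char *p = start; p < end; ) {
        if (*p == '\\' && (p[1] == 'n' || p[1] == 'r')) { p += 2; continue; } /* literal escape */
        if (*p == '\r' || *p == '\n' || *p == ' ' || *p == '\t') { p++; continue; }
        if (!is_b64(*p) || n >= sizeof body) return -1;
        body[n++] = *p++;        /* a real base64 'n' is kept; only "\n" pairs are dropped */
    }
    if (n == 0 || n % 4 != 0) return -1;   /* base64 always comes in 4-character groups */

    size_t lines = (n + PEM_LINE - 1) / PEM_LINE;
    size_t need = strlen(PEM_BEGIN) + 1 + n + lines + strlen(PEM_END) + 1 + 1;
    if (out_len < need) return -1;

    char *w = out;
    w += sprintf(w, "%s\n", PEM_BEGIN);
    for (size_t i = 0; i < n; i += PEM_LINE) {
        size_t chunk = (n - i < PEM_LINE) ? n - i : PEM_LINE;
        memcpy(w, body + i, chunk);
        w += chunk;
        *w++ = '\n';
    }
    w += sprintf(w, "%s\n", PEM_END);
    return (int)(w - out);
}

/* Constructed sample bodies (not a real certificate): 132 base64 characters. */
#define B64_16 "ABCDABCDABCDABCD"
#define B64_64 B64_16 B64_16 B64_16 B64_16
static const char SAMPLE_CRLF[] =      /* CRLF line ends, already 64 wide */
    PEM_BEGIN "\r\n" B64_64 "\r\n" B64_64 "\r\n" "ABCD" "\r\n" PEM_END "\r\n";
static const char SAMPLE_ESCAPED[] =   /* literal "\n" pairs at odd positions */
    PEM_BEGIN "\\n" B64_16 "\\n" B64_64 B64_16 "\\n" B64_16 B64_16 "ABCD" "\\n" PEM_END "\\n";
static const char EXPECTED[] =
    PEM_BEGIN "\n" B64_64 "\n" B64_64 "\n" "ABCD\n" PEM_END "\n";

/* Normalise into a static buffer; returns the length or -1. */
int pem_normalize_static(const char *in, const char **out_ptr)
{
    static char buf[PEM_MAX];
    int len = pem_normalize(in, buf, sizeof buf);
    if (out_ptr != NULL) *out_ptr = buf;
    return len;
}

/* 1 if both sample encodings normalise to the same canonical PEM. */
int pem_samples_agree(void)
{
    const char *b;
    char first[PEM_MAX];
    if (pem_normalize(SAMPLE_CRLF, first, sizeof first) < 0) return 0;
    if (pem_normalize_static(SAMPLE_ESCAPED, &b) < 0) return 0;
    return strcmp(first, EXPECTED) == 0 && strcmp(b, EXPECTED) == 0;
}

int main(void)
{
    const char *pem;
    int len = pem_normalize_static(SAMPLE_ESCAPED, &pem);
    printf("normalised %d bytes, canonical: %s\n%s", len, pem_samples_agree() ? "yes" : "no", pem);
    return len > 0 ? 0 : 1;
}
```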

SolidStateLEDLighting commented 2 years ago

I forgot to say --- this is FP by claim.

ghost commented 2 years ago

Hello @SolidStateLEDLighting , could you explain a little more how to carry out the provisioning of fleets with OTA functionality of the release/beta version?

SolidStateLEDLighting commented 2 years ago

All of the IOT services are not much more than subscriptions, publishing, and the handling of response messages.

If you get your project organized correctly, you can do a client log-in (no Thing identity), a Fleet Provisioning, a Shadow connection (Thing identity), a Job service, and OTA -- with just pub/sub and messages.

The big problem with the supplied OTA project is that it is not made for integration with all the other services. I deconstructed their process and merged it with all my other work.

I'm not using HTTPS for downloading binaries right now -- I do everything with MQTT. MQTT is mandatory for control messages, but you can stream with it for the OTA binary downloads too. So, I find it easier to just MQTT_ProcessLoop() for everything in one location.

The OTA Agent software example provided is written to be POSIX universal for a handful of hardware platforms. So, it is very unfriendly to ESP32 directly. And this guy (or girl) abstracts the work with function pointers (which drives me bananas), because you can't follow the code in a progressive and logical way. I like project organization that teaches you what to do (or reminds you what you did).

ghost commented 2 years ago

@SolidStateLEDLighting Thanks for your feedback. I think I now have a clear understanding of the process. Reviewing the AWS documentation suggests the following workflow.

This is a fleet provisioning by claim (JITP) [image]

I will be working on conditioning the OTA example for fleet provisioning, and I would appreciate it if you know of any (documentation or examples) that can support me.

And another question that does not let me sleep -_- Is it possible to update the code signature with which the firmware file to be updated is signed via OTA, since this signature is in flash and has an expiration date in AWS?

SolidStateLEDLighting commented 2 years ago

I think that Fleet Provision by Claim and JITP are slightly different things.

The OTA example has nothing to do with provisioning. It is one of the reasons that I don't like it. It does not get along with all other services.

I'm not completely up to speed on the code signing for OTA. I make a custom OTA job and supply the cert in the window provided (third selection). That cert is sent by AWS in the Job description. This allows me for now to download a non-encrypted binary (AWS doesn't know that it's unsigned). You wouldn't be able to see any of this inside the OTA tool that they provide because all that is hidden behind the scenes. I don't even know if you have the option of using my approach. That OTA example is not documented well enough inside the code to know all that you need. Externally -- no documentation at all. As I mentioned in a previous email -- I tore it apart and followed its pattern to achieve similar results.

I believe that updating the code signature is something that can be achieved inside AWS Certificate Manager -- but I'm not using that service for OTA right now.


From: EmbeddedDBL @.> Sent: Wednesday, January 19, 2022 7:19 AM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

ghost commented 2 years ago

@SolidStateLEDLighting Hello again. I appreciate your comments.

May I ask if you used these AWS APIs for fleet provisioning by claim? https://docs.aws.amazon.com/es_es/iot/latest/developerguide/fleet-provision-api.html#create-cert-csr-request-payload

Is this method, called CSR, the same as by claim?

SolidStateLEDLighting commented 2 years ago

Yes, I did fleet provisioning by claim. I believe it is somewhat different than the process which uses the Certificate Signing Request. I did not read up on the CSR method very much.

I did not use APIs. There is no programming interface other than subscribing and publishing to topics which apply to the provisioning process (by claim).

You need to set up the AWS side with a provisioning template -- and all the correct roles and policies. That takes careful attention to detail. The AWS documents that explain all this are correct.

Keith

ghost commented 2 years ago

Thanks for your comment. @SolidStateLEDLighting I now understand better what needs to be done. I think I am following the steps correctly, but even so I am not getting a response from AWS.

  1. Connect to MQTT with the claim certificate.
  2. Subscribe to the answer topics $aws/certificates/create/payload-format/accepted and ....rejected.
  3. Publish a message to the topic $aws/certificates/create/payload-format. This is where the question arises: what message do I have to publish, since it mentions that it is an empty payload-format?

I'm not sure if the problem is the message sent when making the request. Thank you again for your comments. Now I will try the CreateCertificateFromCsr method.

SolidStateLEDLighting commented 2 years ago

Notes:

  1. I have no idea how the provisioning with CSR works. I didn't do it this way, so I can't help you with this method. I did it "by claim".
  2. Yes -- read the docs carefully on all the topics needed for your specific action
  3. {} <-- (this is the empty payload, but literally nothing may also work) I experimented and read documents to figure this out.

helaagardabbou commented 2 years ago

Hello, try to subscribe to the answer topic $aws/certificates/create/json/accepted and publish an empty message to $aws/certificates/create/json

SolidStateLEDLighting commented 2 years ago

Why would I want to follow this suggestion? For what purpose?

helaagardabbou commented 2 years ago

Because the payload format must be cbor or json: $aws/certificates/create/cbor or $aws/certificates/create/json

SolidStateLEDLighting commented 2 years ago

I have had success with Fleet Provisioning by Claim.

Why are you providing me this suggestion?

helaagardabbou commented 2 years ago

This suggestion is a response to EmbeddedDBL's empty payload-format error.

SolidStateLEDLighting commented 2 years ago

Of course.... sorry for the confusion. I'm just looking at this in my email utility.

helaagardabbou commented 2 years ago

No problem, you're welcome.

ghost commented 2 years ago

@helaagardabbou That's right, first I subscribe to the answer topics $aws/certificates/create/cbor/accepted and rejected.

Then I publish the empty message in cbor format to $aws/certificates/create/cbor, but I do not get a response from the server; however, when I send a badly formatted message I do get a response on the rejected response topic, and this has me confused.

helaagardabbou commented 2 years ago

@EmbeddedDBL Are the publish and the subscribe done with the same client? That is, did you subscribe on the device and do the publish action with a console client?

SolidStateLEDLighting commented 2 years ago

Please don't use cbor (compact binary object representation) until you need to stream data. cbor can be used, but you have to encode it with a cbor encoder. The results you get have to be decoded before inspection.

Use json (javascript object notation) so you can easily read the messages when they come back to you.

helaagardabbou commented 2 years ago

@SolidStateLEDLighting I totally agree with you; also, you can easily see the error with the json format.

ghost commented 2 years ago

@helaagardabbou It is the same client with which I establish the MQTT connection. When I publish the request message, in the IoT Security/Certificates console I can see that a new certificate is created, but I do not receive anything on the /accepted topic.

Ok, I appreciate your comments. I will change to JSON.

helaagardabbou commented 2 years ago

@EmbeddedDBL You must publish the MQTT message from the device that is subscribed to the /accepted topic.

SolidStateLEDLighting commented 2 years ago

Everything is done in the same MQTT connection if that connection is authorized (policy/roles are defined correctly at AWS). If the cert/key are being created, then you are at the first step. Make double sure you are subscribing correctly to the right topics. CloudWatch can assist you in seeing the actions, and there may be some help in seeing errors there (like what topics you have subscribed to, etc.).

K.

ghost commented 2 years ago

I publish this to the topic $aws/certificates/create/json in JSON format: char payloadBuffer2[] = " "; with the intention that it fails, to see if I get an answer on the error topic.

When I post a correct message I get no response in my mqtt callback function: char payloadBuffer2[] = "{\"certificateSigningRequest\":\" \" }";

SolidStateLEDLighting commented 2 years ago

Here is what the topics look like for Fleet Provisioning by Claim...

// First Step
std::string create_topic = "$aws/certificates/create/json";                         // This is a publish topic
std::string create_json_accepted_topic = "$aws/certificates/create/json/accepted";  // This is a subscribe topic
std::string create_json_rejected_topic = "$aws/certificates/create/json/rejected";  // This is a subscribe topic

// Second Step
std::string provision_json_topic = "$aws/provisioning-templates/Provisioning_Template_V2/provision/json";                   // This is a publish topic
std::string provision_json_accepted_topic = "$aws/provisioning-templates/Provisioning_Template_V2/provision/json/accepted"; // This is a subscribe topic
std::string provision_json_rejected_topic = "$aws/provisioning-templates/Provisioning_Template_V2/provision/json/rejected"; // This is a subscribe topic

Notice that I must provide a template which is accessible to my provisioning process.
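The two-step topic set above, as an added example (not esp-aws-iot project code and not the poster's own): it builds the six topics from a template name and payload format, takes every topic length from strlen() rather than a hand count, and classifies incoming publishes by (pointer, length) the way a coreMQTT callback receives them, since pTopicName is not NUL-terminated. The template name is the one in the post; "SerialNumber" as the RegisterThing parameter key is an assumption about what the template expects.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define FP_TEMPLATE "Provisioning_Template_V2"   /* template name from the post */
#define FP_FORMAT   "json"                       /* "cbor" is the other accepted value */

typedef enum {
    FP_MSG_UNKNOWN = 0,
    FP_CREATE_ACCEPTED, FP_CREATE_REJECTED,       /* step 1: CreateKeysAndCertificate */
    FP_REGISTER_ACCEPTED, FP_REGISTER_REJECTED    /* step 2: RegisterThing via template */
} fp_msg_t;

typedef struct {
    char create[64], create_accepted[80], create_rejected[80];             /* step 1 */
    char provision[192], provision_accepted[208], provision_rejected[208]; /* step 2 */
} fp_topics_t;

/* Concatenate into dst, failing instead of truncating: a truncated topic is
 * accepted by the broker without error and simply never matches anything. */
static bool fp_cat(char *dst, size_t cap, const char *a, const char *b,
                   const char *c, const char *d)
{
    int n = snprintf(dst, cap, "%s%s%s%s", a, b, c, d);
    return n > 0 && (size_t)n < cap && n <= UINT16_MAX;
}

/* Publish topics first; each accepted/rejected topic derives from its publish topic. */
bool fp_build_topics(fp_topics_t *t, const char *template_name, const char *fmt)
{
    return fp_cat(t->create, sizeof t->create, "$aws/certificates/create/", fmt, "", "")
        && fp_cat(t->create_accepted, sizeof t->create_accepted, t->create, "/accepted", "", "")
        && fp_cat(t->create_rejected, sizeof t->create_rejected, t->create, "/rejected", "", "")
        && fp_cat(t->provision, sizeof t->provision, "$aws/provisioning-templates/",
                  template_name, "/provision/", fmt)
        && fp_cat(t->provision_accepted, sizeof t->provision_accepted, t->provision, "/accepted", "", "")
        && fp_cat(t->provision_rejected, sizeof t->provision_rejected, t->provision, "/rejected", "", "");
}

/* The value for MQTTSubscribeInfo_t.topicFilterLength / MQTTPublishInfo_t.topicNameLength:
 * the character count without the NUL terminator. */
uint16_t fp_topic_len(const char *topic) { return (uint16_t)strlen(topic); }

/* Exact match on (pointer, length). A hand-counted constant that is off by one,
 * or strlen()+1, never matches the topic the broker actually delivers. */
static bool fp_topic_is(const char *topic, uint16_t len, const char *expected)
{
    return strlen(expected) == len && memcmp(topic, expected, len) == 0;
}

/* Call from the MQTT event callback with pPublishInfo->pTopicName / topicNameLength. */
fp_msg_t fp_classify(const fp_topics_t *t, const char *topic, uint16_t len)
{
    if (fp_topic_is(topic, len, t->create_accepted))    return FP_CREATE_ACCEPTED;
    if (fp_topic_is(topic, len, t->create_rejected))    return FP_CREATE_REJECTED;
    if (fp_topic_is(topic, len, t->provision_accepted)) return FP_REGISTER_ACCEPTED;
    if (fp_topic_is(topic, len, t->provision_rejected)) return FP_REGISTER_REJECTED;
    return FP_MSG_UNKNOWN;
}

/* Step 2 request body: the certificateOwnershipToken from the step 1 response
 * plus template parameters. "SerialNumber" is an assumed parameter name. */
const char *fp_register_payload(const char *ownership_token, const char *serial)
{
    static char body[1024];
    int n = snprintf(body, sizeof body,
        "{\"certificateOwnershipToken\":\"%s\",\"parameters\":{\"SerialNumber\":\"%s\"}}",
        ownership_token, serial);
    return (n > 0 && (size_t)n < sizeof body) ? body : NULL;
}

/* Topics for the page's template and json format, built once. */
const fp_topics_t *fp_default_topics(void)
{
    static fp_topics_t t;
    static bool built = false;
    if (!built) built = fp_build_topics(&t, FP_TEMPLATE, FP_FORMAT);
    return built ? &t : NULL;
}

int main(void)
{
    const fp_topics_t *t = fp_default_topics();
    if (t == NULL) return 1;
    printf("step 1 publish %s (len %u) payload {} (len 2)\n", t->create, fp_topic_len(t->create));
    /* Simulated callback delivery: the same bytes classify only with the right length. */
    const char *incoming = "$aws/certificates/create/json/accepted";
    printf("len 38 -> %d, len 39 -> %d\n", fp_classify(t, incoming, 38), fp_classify(t, incoming, 39));
    printf("step 2 publish %s\n%s\n", t->provision,
           fp_register_payload("<ownershipToken from step 1>", "SN-0001"));
    return 0;
}
```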

ghost commented 2 years ago

@SolidStateLEDLighting Upon completion of step one, before proceeding to step two, the response from the "$aws/certificates/create/json/accepted" topic is received in a callback registered in MQTT_Init( );

Here my problem arises: I do not receive any response. I do not know if it is my implementation or my AWS configuration.

SolidStateLEDLighting commented 2 years ago

You'll need to set up CloudWatch to confirm that the AWS system created a Publish Out message. That message will be your payload response.

Instructions on how to get CloudWatch to show you all the IoT traffic are documented. Just follow the documents.

Everything has to be perfect for everything to work. Order of operation is critical. Having your topics correct is critical.

SolidStateLEDLighting commented 2 years ago

Here is another serious possibility....

The demos are not well written (but they are simple enough). They block in the MQTT_ProcessLoop call for a small period.

The time it takes for you to receive a subscription or publish is small.

The time it takes for you to receive a payload is about 40 times longer in some cases. So, you'll need to extend out your time in MQTT_ProcessLoop long enough to be sure you receive the payload.

I have written my project here to never leave the MQTT_ProcessLoop area unless I have something to send. Not leaving this loop is important because you don't know when the system is sending the MQTT keep-alive pings -- and your code must process them behind the scenes for you in this same loop.

K.

ghost commented 2 years ago

I already achieved provisioning by claim using CreateCertificateFromCsr; it required more work, but it works great. I couldn't get a response with CreateKeysAndCertificate, so I opted for CreateCertificateFromCsr. Just thank you for your comments @SolidStateLEDLighting and @helaagardabbou 👍

SolidStateLEDLighting commented 2 years ago

Nice job! Congratulations.

helaagardabbou commented 2 years ago

Great! Congratulations !!! @EmbeddedDBL

bakermat commented 2 years ago

It would be great if examples for fleet provisioning could be added. For those that have made it work, would it be possible to share some code?

SolidStateLEDLighting commented 2 years ago

I made everything work, but my project would be considered somewhat complex for "sample standards".

The key is to subscribe to the topics -- ask for the messages that you need -- publish at the correct times -- wrap all of it into one task that loops back around to MQTT_ProcessLoop(pMqttContext, 100) on a continuous basis.

The other side of the challenge is to get AWS set up correctly with roles and policies. You must follow the AWS instructions to perfection in exactly the right order to get everything to work.

twlawrenceko commented 2 years ago

I have tried to do fleet provisioning, but it seems like I am not receiving the certificate message by subscribing to the $aws/certificates/create/json/accepted topic. When I publish to $aws/certificates/create/json in the MQTT Test Client I am able to see the subscribed message showing up correctly in the MQTT Test Client. However, when I try to do it on the ESP32 it does not show up in the MQTT Test Client; the certificate is being generated, though, as I can see it on the AWS IoT Certificates web page.

Here is my piece of code:

int32_t FleetProvisioning( void )
{
    /* Define Fleet Provisioning Subscribe topics */
    const char * sTopicFilter = "$aws/certificates/create/json/accepted";
    uint16_t sTopicFilterLength = 39;

    /* Define Fleet Provisioning Publish topics */
    const char * pTopicFilter = "$aws/certificates/create/json";
    int32_t pTopicFilterLength = 30;
    const char * pPayload = "{}";
    size_t payloadLength = 0;

    int returnStatus = EXIT_SUCCESS;
    MQTTStatus_t mqttStatus;
    MQTTContext_t * pMqttContext = &mqttContext;
    uint8_t publishIndex = MAX_OUTGOING_PUBLISHES;
    MQTTSubscribeInfo_t pSubscriptionList[ 1 ];

    assert( pMqttContext != NULL );
    assert( pTopicFilter != NULL );
    assert( pTopicFilterLength > 0 );
    assert( sTopicFilter != NULL );
    assert( sTopicFilterLength > 0 );

    /* Start with everything at 0. */
    ( void ) memset( ( void * ) pSubscriptionList, 0x00, sizeof( pSubscriptionList ) );

    /* This example subscribes to only one topic and uses QOS1. */
    pSubscriptionList[ 0 ].qos = MQTTQoS1;
    pSubscriptionList[ 0 ].pTopicFilter = sTopicFilter;
    pSubscriptionList[ 0 ].topicFilterLength = sTopicFilterLength;

    /* Generate packet identifier for the SUBSCRIBE packet. */
    globalSubscribePacketIdentifier = MQTT_GetPacketId( pMqttContext );

    /* Send SUBSCRIBE packet. */
    mqttStatus = MQTT_Subscribe( pMqttContext,
                                 pSubscriptionList,
                                 sizeof( pSubscriptionList ) / sizeof( MQTTSubscribeInfo_t ),
                                 globalSubscribePacketIdentifier );

    if( mqttStatus != MQTTSuccess )
    {
        LogError( ( "Failed to send SUBSCRIBE packet to broker with error = %u.",
                    mqttStatus ) );
        returnStatus = EXIT_FAILURE;
    }
    else
    {
        LogInfo( ( "SUBSCRIBE topic %.*s to broker.",
                   sTopicFilterLength,
                   sTopicFilter ) );
    }

    /* Get the next free index for the outgoing publish. All QoS1 outgoing
     * publishes are stored until a PUBACK is received. These messages are
     * stored for supporting a resend if a network connection is broken before
     * receiving a PUBACK. */
    returnStatus = getNextFreeIndexForOutgoingPublishes( &publishIndex );

    if( returnStatus == EXIT_FAILURE )
    {
        LogError( ( "Unable to find a free spot for outgoing PUBLISH message." ) );
    }
    else
    {
        LogInfo( ( "Published payload: %s", pPayload ) );
        /* This example publishes to only one topic and uses QOS1. */
        outgoingPublishPackets[ publishIndex ].pubInfo.qos = MQTTQoS1;
        outgoingPublishPackets[ publishIndex ].pubInfo.pTopicName = pTopicFilter;
        outgoingPublishPackets[ publishIndex ].pubInfo.topicNameLength = pTopicFilterLength;
        outgoingPublishPackets[ publishIndex ].pubInfo.pPayload = pPayload;
        outgoingPublishPackets[ publishIndex ].pubInfo.payloadLength = payloadLength;

        /* Get a new packet id. */
        outgoingPublishPackets[ publishIndex ].packetId = MQTT_GetPacketId( pMqttContext );

        /* Send PUBLISH packet. */
        mqttStatus = MQTT_Publish( pMqttContext,
                                   &outgoingPublishPackets[ publishIndex ].pubInfo,
                                   outgoingPublishPackets[ publishIndex ].packetId );

        if( mqttStatus != MQTTSuccess )
        {
            LogError( ( "Failed to send PUBLISH packet to broker with error = %u.",
                        mqttStatus ) );
            cleanupOutgoingPublishAt( publishIndex );
            returnStatus = EXIT_FAILURE;
        }
        else
        {
            LogInfo( ( "PUBLISH sent for topic %.*s to broker with packet ID %u.",
                       pTopicFilterLength,
                       pTopicFilter,
                       outgoingPublishPackets[ publishIndex ].packetId ) );
        }
    }

    /* Calling MQTT_ProcessLoop to process incoming publish echo, since
     * application subscribed to the same topic the broker will send
     * publish message back to the application. This function also
     * sends ping request to broker if MQTT_KEEP_ALIVE_INTERVAL_SECONDS
     * has expired since the last MQTT packet sent and receive
     * ping responses. */
    while (true)
    {
        mqttStatus = MQTT_ProcessLoop( &mqttContext, MQTT_PROCESS_LOOP_TIMEOUT_MS );

        if( mqttStatus != MQTTSuccess )
        {
            LogWarn( ( "MQTT_ProcessLoop returned with status = %u.",
                    mqttStatus ) );
        }
        else
        {
            LogInfo( ( "MQTT_ProcessLoop success with returned status = %u.",
                    mqttStatus ) );
        }
    }

    return returnStatus;
}

And the log:

I (5608) coreMQTT: Establishing a TLS session to a3s5xxxxkgux4b-ats.iot.us-east-1.amazonaws.com:8883.
I (7638) coreMQTT: Packet received. ReceivedBytes=2.
I (7638) coreMQTT: CONNACK session present bit set.
I (7638) coreMQTT: Connection accepted.
I (7648) coreMQTT: Received MQTT CONNACK successfully from broker.
I (7658) coreMQTT: MQTT connection established with the broker.
I (7658) coreMQTT: MQTT connection successfully established with broker.
I (7668) coreMQTT: An MQTT session with broker is re-established. Resending unacked publishes.
I (7678) coreMQTT: SUBSCRIBE topic $aws/certificates/create/json/accepted to broker.
I (7688) coreMQTT: Published payload: {}
I (7688) coreMQTT: PUBLISH sent for topic $aws/certificates/create/json to broker with packet ID 2.
E (8288) esp-tls-mbedtls: read error :-0x004C:
E (8298) esp-tls-mbedtls: read error :-0x004C:

Any help would be appreciated.

SolidStateLEDLighting commented 2 years ago

The full process requires that any time you do anything -- you enter the MQTT_ProcessLoop().

Your MQTT_Subscribe() return result confirms that you have sent the request, but only a return value in MQTT_ProcessLoop() will confirm that you have actually been subscribed.

So, a good sample that works is a bit more complicated than what you have written below.

Use CloudWatch also to see what the system is sending you.

All your AWS roles, policies, and provision template must be meticulously accurate.


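
The sequence described in the reply above (MQTT_Subscribe() and MQTT_Publish() only confirm that a packet left the device; the SUBACK, the PUBACK and the accepted/rejected message all arrive later, inside MQTT_ProcessLoop(), through the event callback) as an added example in C. This is not code from esp-aws-iot, AWS or anyone in this thread: the fp_* types and functions are this example's own glue for driving coreMQTT, "IVO1-FleetProvisioning" is just an example template name, and "SerialNumber" is an assumed template parameter. The driver refuses to offer the CreateKeysAndCertificate publish until the SUBACK for the accepted topic has been seen, and it derives every topic and payload length from snprintf()/strlen() rather than hand-counted constants (the posted code's 39, 30 and a payloadLength of 0 for "{}" do not match the strings).

```c
/* Added example (not esp-aws-iot or AWS code): state machine for fleet provisioning by claim.
 * fp_next() says what to send; fp_sent() records the packet id; fp_on_event() is fed from the
 * coreMQTT event callback. "SerialNumber" is an assumed template parameter. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FP_MAX_TOPIC 128

typedef enum {
    FP_CONNECTED, FP_CREATE_SUB_SENT, FP_CREATE_SUBSCRIBED, FP_CREATE_PUB_SENT,
    FP_CERT_RECEIVED, FP_REGISTER_SUB_SENT, FP_REGISTER_SUBSCRIBED, FP_REGISTER_PUB_SENT,
    FP_DONE, FP_FAILED
} fp_state_t;

typedef enum { FP_ACT_SUBSCRIBE, FP_ACT_PUBLISH, FP_ACT_WAIT, FP_ACT_DONE, FP_ACT_FAILED } fp_action_t;
typedef enum { FP_EV_SUBACK, FP_EV_PUBACK, FP_EV_PUBLISH } fp_event_t;

typedef struct {
    fp_state_t state;
    uint16_t pending_id;                 /* packet id of the SUBSCRIBE/PUBLISH we are waiting on */
    char create_accepted[FP_MAX_TOPIC];
    char register_topic[FP_MAX_TOPIC];
    char register_accepted[FP_MAX_TOPIC];
} fp_ctx_t;

static const char FP_CREATE_TOPIC[] = "$aws/certificates/create/json";

/* Derive every topic from the template name so lengths come from strlen(), not hand-counted literals. */
bool fp_init(fp_ctx_t *ctx, const char *template_name)
{
    memset(ctx, 0, sizeof *ctx);
    int a = snprintf(ctx->create_accepted, FP_MAX_TOPIC, "%s/accepted", FP_CREATE_TOPIC);
    int b = snprintf(ctx->register_topic, FP_MAX_TOPIC,
                     "$aws/provisioning-templates/%s/provision/json", template_name);
    int c = snprintf(ctx->register_accepted, FP_MAX_TOPIC, "%s/accepted", ctx->register_topic);
    if (a < 0 || b < 0 || c < 0 || a >= FP_MAX_TOPIC || b >= FP_MAX_TOPIC || c >= FP_MAX_TOPIC)
        return false;
    ctx->state = FP_CONNECTED;
    return true;
}

/* Next thing to do; *topic is set for SUBSCRIBE/PUBLISH. WAIT means: run MQTT_ProcessLoop() again. */
fp_action_t fp_next(const fp_ctx_t *ctx, const char **topic)
{
    *topic = NULL;
    switch (ctx->state) {
    case FP_CONNECTED:           *topic = ctx->create_accepted;   return FP_ACT_SUBSCRIBE;
    case FP_CREATE_SUBSCRIBED:   *topic = FP_CREATE_TOPIC;        return FP_ACT_PUBLISH;
    case FP_CERT_RECEIVED:       *topic = ctx->register_accepted; return FP_ACT_SUBSCRIBE;
    case FP_REGISTER_SUBSCRIBED: *topic = ctx->register_topic;    return FP_ACT_PUBLISH;
    case FP_DONE:                return FP_ACT_DONE;
    case FP_FAILED:              return FP_ACT_FAILED;
    default:                     return FP_ACT_WAIT;   /* something is in flight: only the callback can advance us */
    }
}

/* Record that the action from fp_next() was handed to MQTT_Subscribe()/MQTT_Publish() with this packet id. */
void fp_sent(fp_ctx_t *ctx, uint16_t packet_id)
{
    ctx->pending_id = packet_id;
    switch (ctx->state) {
    case FP_CONNECTED:           ctx->state = FP_CREATE_SUB_SENT;   break;
    case FP_CREATE_SUBSCRIBED:   ctx->state = FP_CREATE_PUB_SENT;   break;
    case FP_CERT_RECEIVED:       ctx->state = FP_REGISTER_SUB_SENT; break;
    case FP_REGISTER_SUBSCRIBED: ctx->state = FP_REGISTER_PUB_SENT; break;
    default: break;
    }
}

/* Length-aware compare: the topic in an incoming PUBLISH is not NUL-terminated. */
static bool topic_is(const char *topic, size_t len, const char *want)
{
    return len == strlen(want) && memcmp(topic, want, len) == 0;
}

/* Feed from the coreMQTT event callback. A SUBACK with the wrong id, a PUBACK, or an unrelated
 * PUBLISH leaves the state alone; anything on a .../rejected topic ends the attempt. */
void fp_on_event(fp_ctx_t *ctx, fp_event_t ev, uint16_t packet_id, const char *topic, size_t topic_len)
{
    if (ev == FP_EV_SUBACK && packet_id == ctx->pending_id) {
        if (ctx->state == FP_CREATE_SUB_SENT)        ctx->state = FP_CREATE_SUBSCRIBED;
        else if (ctx->state == FP_REGISTER_SUB_SENT) ctx->state = FP_REGISTER_SUBSCRIBED;
    } else if (ev == FP_EV_PUBLISH && topic != NULL) {
        if (topic_len >= 9 && memcmp(topic + topic_len - 9, "/rejected", 9) == 0)
            ctx->state = FP_FAILED;
        else if (ctx->state == FP_CREATE_PUB_SENT && topic_is(topic, topic_len, ctx->create_accepted))
            ctx->state = FP_CERT_RECEIVED;
        else if (ctx->state == FP_REGISTER_PUB_SENT && topic_is(topic, topic_len, ctx->register_accepted))
            ctx->state = FP_DONE;
    }
}

/* RegisterThing body; the return value is what belongs in pubInfo.payloadLength. The token is
 * base64-like and the serial must not contain quotes: no JSON escaping is done here. */
int fp_register_payload(char *buf, size_t size, const char *ownership_token, const char *serial)
{
    int n = snprintf(buf, size,
                     "{\"certificateOwnershipToken\":\"%s\",\"parameters\":{\"SerialNumber\":\"%s\"}}",
                     ownership_token, serial);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}
```

In the real loop: call fp_next(); on SUBSCRIBE or PUBLISH pass the topic to MQTT_Subscribe()/MQTT_Publish() with an id from MQTT_GetPacketId() and record it with fp_sent(); on WAIT call MQTT_ProcessLoop() and have the event callback forward SUBACK/PUBACK (pDeserializedInfo->packetIdentifier) and incoming PUBLISH (pPublishInfo->pTopicName, topicNameLength) into fp_on_event(). The "{}" for the create request is sent with strlen("{}") as its length.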

twlawrenceko commented 2 years ago

@SolidStateLEDLighting Thanks for the information.

I have tested with fleetprovisioning.py script to make sure fleet provisioning can be done. Now trying to convert onto ESP32.

I am following this example (https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/main/demos/fleet_provisioning/fleet_provisioning_with_csr/fleet_provisioning_with_csr_demo.c) provided by the AWS embedded C SDK but found that they are loading credentials into the PKCS11 module (https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/5da3a389cda566469ee5d79142961d30461ea570/demos/fleet_provisioning/fleet_provisioning_with_csr/fleet_provisioning_with_csr_demo.c#L508)

I am not quite familiar with PKCS, but is this a required procedure to do on ESP32 for fleet provisioning?

Thanks!

bakermat commented 2 years ago

I had some time to look at this today. The part that got me is that I needed to increase the network buffers (used 5000), as I just was not receiving any responses to my subscribe to $aws/certificates/create/json/accepted while I had it configured and saw CloudWatch publishing the data.

I'm now seeing the JSON response, the original question still stands though: while it's just some API calls that are made, it would be handy to have fleet provisioning baked in in the next version. Even now that I've got the certificate info, I still need to store it securely and add custom code to handle that part and avoid re-registering. Not the end of the world but there are clearly more people looking at this...
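
Once the receive buffer is large enough for the accepted payload, the next job mentioned above is getting the certificate and key out of it and into storage. The following is an added example in C, not code from esp-aws-iot, AWS or anyone in this thread: a parser for the four string fields of the CreateKeysAndCertificate response (certificateId, certificatePem, privateKey, certificateOwnershipToken) that decodes the JSON escapes, normalises CRLF line endings in the PEM text, and refuses a payload that arrives cut off rather than storing half a key. The fp_creds_t type, the function names and the sample payload are this example's own; the PEM bodies are placeholders, not real key material, and "RSA PRIVATE KEY" is an assumption about the label on the key AWS returns.

```c
/* Added example (not esp-aws-iot or AWS code): extract and sanity-check the credentials in the
 * $aws/certificates/create/json/accepted payload. Sample below is constructed; no real key inside. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char id[80];
    char pem[2048];
    char key[2048];
    char token[1024];
} fp_creds_t;

/* Copy the JSON string value of `key` into out, decoding \n \r \t \" \\ \/ . Returns the decoded
 * length, or -1 if the key is missing, the value is not a string, out is too small, or the string
 * never closes (a payload that was cut off). Keys on the first occurrence of the field name, which
 * is enough for this fixed-shape payload. */
int json_string_field(const char *json, const char *key, char *out, size_t out_size)
{
    char pat[64];
    int n = snprintf(pat, sizeof pat, "\"%s\"", key);
    if (n < 0 || (size_t)n >= sizeof pat) return -1;
    const char *p = strstr(json, pat);
    if (p == NULL) return -1;
    p += n;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
    if (*p++ != ':') return -1;
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
    if (*p++ != '"') return -1;
    size_t len = 0;
    for (; *p != '"'; p++) {
        char c = *p;
        if (c == '\0') return -1;                   /* unterminated string */
        if (c == '\\') {
            switch (*++p) {
            case 'n': c = '\n'; break;
            case 'r': c = '\r'; break;
            case 't': c = '\t'; break;
            case '"': case '\\': case '/': c = *p; break;
            default: return -1;                     /* \uXXXX etc. never appear in PEM or the token */
            }
        }
        if (len + 1 >= out_size) return -1;
        out[len++] = c;
    }
    out[len] = '\0';
    return (int)len;
}

/* Rewrite CRLF to LF in place and check the text is one PEM block with the given label; the END
 * line may only be followed by newlines. Returns the new length or -1. */
int pem_normalize(char *pem, const char *label)
{
    size_t w = 0;
    for (size_t r = 0; pem[r] != '\0'; r++)
        if (!(pem[r] == '\r' && pem[r + 1] == '\n')) pem[w++] = pem[r];
    pem[w] = '\0';
    char begin[64], end[64];
    snprintf(begin, sizeof begin, "-----BEGIN %s-----\n", label);
    snprintf(end, sizeof end, "-----END %s-----", label);
    if (strncmp(pem, begin, strlen(begin)) != 0) return -1;
    const char *e = strstr(pem, end);
    if (e == NULL) return -1;
    for (const char *q = e + strlen(end); *q != '\0'; q++)
        if (*q != '\n') return -1;
    return (int)w;
}

/* All four fields or nothing: on any failure the struct is wiped so no partial key survives. */
bool fp_parse_create_response(const char *json, fp_creds_t *c)
{
    memset(c, 0, sizeof *c);
    bool ok = json_string_field(json, "certificateId", c->id, sizeof c->id) > 0
           && json_string_field(json, "certificatePem", c->pem, sizeof c->pem) > 0
           && json_string_field(json, "privateKey", c->key, sizeof c->key) > 0
           && json_string_field(json, "certificateOwnershipToken", c->token, sizeof c->token) > 0
           && pem_normalize(c->pem, "CERTIFICATE") > 0
           && pem_normalize(c->key, "RSA PRIVATE KEY") > 0;   /* label assumed; adjust if yours differs */
    if (!ok) memset(c, 0, sizeof *c);
    return ok;
}

/* Constructed sample in the shape of the accepted payload. Bodies are placeholders. */
const char FP_SAMPLE_RESPONSE[] =
    "{\"certificateId\":\"0123456789abcdef\","
    "\"certificatePem\":\"-----BEGIN CERTIFICATE-----\\r\\nMIIBplaceholder\\r\\n-----END CERTIFICATE-----\\r\\n\","
    "\"privateKey\":\"-----BEGIN RSA PRIVATE KEY-----\\nMIIEplaceholder\\n-----END RSA PRIVATE KEY-----\\n\","
    "\"certificateOwnershipToken\":\"eyJ0b2tlbiI6InNhbXBsZSJ9\"}";
```

After a successful parse the token goes into the RegisterThing request and the id, certificate and key go to NVS (the approach used later in this thread); wipe the fp_creds_t with memset once written, and on ESP-IDF keep the partition holding the private key under NVS encryption.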

SolidStateLEDLighting commented 2 years ago

Yes, the buffer by default is way too small for the certificate info.... I published this comment before but forgot to mention it in the last email.

I store the certs in NVS and look for them when I start up. If I have them, I register as the MQTT client (with thing name). If I don't have them, then I drop into provisioning mode (without thing name).

You'll notice that your certificate attachments are growing under your thing at AWS. The docs recommend using a job to clear out old certs (security cert rotation).

But, that is a long way off because next you'll be wanting to integrate OTA (with jobs).


From: Patrick Peeters @.> Sent: Sunday, June 5, 2022 5:51 AM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

I had some time to look at this today. The part that got me is that I needed to increase the network buffers (used 5000), as I just was not receiving any responses to my subscribe to $aws/certificates/create/json/accepted" while I had it configured and saw CloudWatch publishing the data.

I'm now seeing the JSON response, the original question still stands though: while it's just some API calls that are made, it would be handy to have fleet provisioning baked in in the next version. Even now that I've got the certificate info, I still need to store it securely and add custom code to handle that part and avoid re-registering. Not the end of the world but there are clearly more people looking at this...

— Reply to this email directly, view it on GitHubhttps://github.com/espressif/esp-aws-iot/issues/87#issuecomment-1146690798, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGGOKE4GKEOCZ264E44FMRDVNPFV5ANCNFSM5LVUHX5A. You are receiving this because you were mentioned.Message ID: @.***>

SolidStateLEDLighting commented 2 years ago

I think the PKCS11 (public key cryptography standards) stuff is important .... I just follow, when possible, their examples.

Their OTA sample is completely different from all the other examples and doesn't follow the normal pattern, but you can make it follow the pattern if you break it down. It will integrate nicely when all the correct subscribes and publishes are in place.


From: twlawrenceko @.> Sent: Sunday, June 5, 2022 3:16 AM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

@SolidStateLEDLightinghttps://github.com/SolidStateLEDLighting Thanks for the information.

I have tested with fleetprovisioning.py script to make sure fleet provisioning can be done. Now trying to convert onto ESP32.

I am following this examplehttps://github.com/aws/aws-iot-device-sdk-embedded-C/blob/main/demos/fleet_provisioning/fleet_provisioning_with_csr/fleet_provisioning_with_csr_demo.c provided by AWS embedded C SDK but found that their are loading credentials into PKCS11 modulehttps://github.com/aws/aws-iot-device-sdk-embedded-C/blob/5da3a389cda566469ee5d79142961d30461ea570/demos/fleet_provisioning/fleet_provisioning_with_csr/fleet_provisioning_with_csr_demo.c#L508

I am not quite familiar with PKCS, but is this a required procedure to do on ESP32 for fleet provisioning?

Thanks!

— Reply to this email directly, view it on GitHubhttps://github.com/espressif/esp-aws-iot/issues/87#issuecomment-1146671691, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGGOKE4XGO64INMEUCUL2S3VNOTRXANCNFSM5LVUHX5A. You are receiving this because you were mentioned.Message ID: @.***>

twlawrenceko commented 2 years ago

I tried to follow the example AWS provided in their embedded C SDK, but having some library linkage issue.

../main/mqtt_operations.c:51:10: fatal error: mbedtls_pkcs11_posix.h: No such file or directory
 #include "mbedtls_pkcs11_posix.h"

Here is my CMakeLists.txt file, mostly followed what they have in their example.

# The following five lines of boilerplate have to be in your project's
# CMakeLists in this exact order for cmake to work correctly
cmake_minimum_required(VERSION 3.5)

set( DEMO_NAME "fleet_provisioning_by_claim" )

set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common
                         "${CMAKE_CURRENT_LIST_DIR}/../../libraries/ota-for-aws-iot-embedded-sdk"
                         "${CMAKE_CURRENT_LIST_DIR}/../../libraries/coreMQTT"
                         "${CMAKE_CURRENT_LIST_DIR}/../../libraries/corePKCS11"
                         "${CMAKE_CURRENT_LIST_DIR}/../../libraries/backoffAlgorithm"
                         "${CMAKE_CURRENT_LIST_DIR}/../../libraries/common/posix_compat"
   )

# Include MQTT library's source and header path variables.
include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/coreMQTT/coreMQTT/mqttFilePaths.cmake )

# Include backoffAlgorithm library file path configuration.
include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/backoffAlgorithm/backoffAlgorithm/backoffAlgorithmFilePaths.cmake )

# Include Fleet Provisioning library's source and header path variables.
include(
    ${CMAKE_CURRENT_LIST_DIR}/../../libraries/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/fleetprovisioningFilePaths.cmake )

# Set path to corePKCS11 and it's third party libraries.
set(COREPKCS11_LOCATION "${CMAKE_CURRENT_LIST_DIR}/../../libraries/corePKCS11")
set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

# Include PKCS #11 library's source and header path variables.
include( ${COREPKCS11_LOCATION}/corePKCS11/pkcsFilePaths.cmake )

list(APPEND PKCS_SOURCES
    "${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c"
)

include($ENV{IDF_PATH}/tools/cmake/project.cmake)
project(ota_mqtt)

target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/root_cert_auth.pem" TEXT)
target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.crt" TEXT)
target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.key" TEXT)

What's interesting is in the previous branch of esp-aws-iot they are using this aws-iot-device-sdk-embedded-C repo (https://github.com/aws/aws-iot-device-sdk-embedded-C) as a base, but now they are completely using individual ones.

How did you manage to include all the necessary libraries for PKCS11?

SolidStateLEDLighting commented 2 years ago

I just followed their examples -- much like what you have shown here in email.

This is part of my cmakelist.txt in the root directory:

# Set path to corePKCS11 and it's third party libraries.
set(COREPKCS11_LOCATION "${PROJECT_DIR}/aws-iot-device-sdk-embedded-C/libraries/standard/corePKCS11")
set(3RDPARTY_LOCATION "${PROJECT_DIR}/aws-iot-device-sdk-embedded-C/libraries/source/dependency/3rdparty")
set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

# Include PKCS #11 library's source and header path variables.
include( ${COREPKCS11_LOCATION}/pkcsFilePaths.cmake )

Notice where the corePKCS11 is based on the include references.

set(COMPONENT_SRCS contains.... "${PKCS_SOURCES}"

set(COMPONENT_ADD_INCLUDEDIRS contains....
    "${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c"
    "${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_error.c"


From: twlawrenceko @.> Sent: Sunday, June 5, 2022 7:14 AM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

I tried to follow the example AWS provided in their embedded C SDK, but having some library linkage issue.

../main/mqtt_operations.c:51:10: fatal error: mbedtls_pkcs11_posix.h: No such file or directory

include "mbedtls_pkcs11_posix.h"

Here is my CMakeLists.txt file, mostly followed what they have in their example.

The following five lines of boilerplate have to be in your project's

CMakeLists in this exact order for cmake to work correctly

cmake_minimum_required(VERSION 3.5)

set( DEMO_NAME "fleet_provisioning_by_claim" )

set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common "${CMAKE_CURRENT_LIST_DIR}/../../libraries/ota-for-aws-iot-embedded-sdk" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/coreMQTT" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/corePKCS11" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/backoffAlgorithm" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/common/posix_compat" )

Include MQTT library's source and header path variables.

include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/coreMQTT/coreMQTT/mqttFilePaths.cmake )

Include backoffAlgorithm library file path configuration.

include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/backoffAlgorithm/backoffAlgorithm/backoffAlgorithmFilePaths.cmake )

Include Fleet Provisioning library's source and header path variables.

include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/fleetprovisioningFilePaths.cmake )

Set path to corePKCS11 and it's third party libraries.

set(COREPKCS11_LOCATION "${CMAKE_CURRENT_LIST_DIR}/../../libraries/corePKCS11") set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

Include PKCS #11 library's source and header path variables.

include( ${COREPKCS11_LOCATION}/corePKCS11/pkcsFilePaths.cmake )

list(APPEND PKCS_SOURCES "${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c" )

include($ENV{IDF_PATH}/tools/cmake/project.cmake) project(ota_mqtt)

target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/root_cert_auth.pem" TEXT) target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.crt" TEXT) target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.key" TEXT)

What's interesting is in the previous branch of esp-aws-iot they are using this aws-iot-device-sdk-embedded-Chttps://github.com/aws/aws-iot-device-sdk-embedded-C repo as a base, but now they are completely using individual ones.

How did you manage to include all the necessary libraries for PKCS11?

— Reply to this email directly, view it on GitHubhttps://github.com/espressif/esp-aws-iot/issues/87#issuecomment-1146700388, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGGOKEZTXUQ4UHEJF2RVW5DVNPPO7ANCNFSM5LVUHX5A. You are receiving this because you were mentioned.Message ID: @.***>

SolidStateLEDLighting commented 2 years ago

Last posting was my cmake file inside the source file directory.

I have another cmake file in the root project directory which holds my project definition and my target_add_binary_data declarations.

You seem to have wrapped it up all in one file.


From: keith ssledlighting.com @.> Sent: Sunday, June 5, 2022 7:31 AM To: espressif/esp-aws-iot @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

I just followed their examples -- much like what you have shown here in email.

This is part of my cmakelist.txt in the root directory:

Set path to corePKCS11 and it's third party libraries.

set(COREPKCS11_LOCATION "${PROJECT_DIR}/aws-iot-device-sdk-embedded-C/libraries/standard/corePKCS11") set(3RDPARTY_LOCATION "${PROJECT_DIR}/aws-iot-device-sdk-embedded-C/libraries/source/dependency/3rdparty") set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

Include PKCS #11 library's source and header path variables.

include( ${COREPKCS11_LOCATION}/pkcsFilePaths.cmake )

Notice where the corePKCS11 is based on the include references.

set(COMPONENT_SRCS contains.... "${PKCS_SOURCES}"

set(COMPONENT_ADD_INCLUDEDIRS contains.... "${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c" "${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_error.c"


From: twlawrenceko @.> Sent: Sunday, June 5, 2022 7:14 AM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

I tried to follow the example AWS provided in their embedded C SDK, but having some library linkage issue.

../main/mqtt_operations.c:51:10: fatal error: mbedtls_pkcs11_posix.h: No such file or directory

include "mbedtls_pkcs11_posix.h"

Here is my CMakeLists.txt file, mostly followed what they have in their example.

The following five lines of boilerplate have to be in your project's

CMakeLists in this exact order for cmake to work correctly

cmake_minimum_required(VERSION 3.5)

set( DEMO_NAME "fleet_provisioning_by_claim" )

set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common "${CMAKE_CURRENT_LIST_DIR}/../../libraries/ota-for-aws-iot-embedded-sdk" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/coreMQTT" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/corePKCS11" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/backoffAlgorithm" "${CMAKE_CURRENT_LIST_DIR}/../../libraries/common/posix_compat" )

Include MQTT library's source and header path variables.

include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/coreMQTT/coreMQTT/mqttFilePaths.cmake )

Include backoffAlgorithm library file path configuration.

include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/backoffAlgorithm/backoffAlgorithm/backoffAlgorithmFilePaths.cmake )

Include Fleet Provisioning library's source and header path variables.

include( ${CMAKE_CURRENT_LIST_DIR}/../../libraries/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/fleetprovisioningFilePaths.cmake )

Set path to corePKCS11 and it's third party libraries.

set(COREPKCS11_LOCATION "${CMAKE_CURRENT_LIST_DIR}/../../libraries/corePKCS11") set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

Include PKCS #11 library's source and header path variables.

include( ${COREPKCS11_LOCATION}/corePKCS11/pkcsFilePaths.cmake )

list(APPEND PKCS_SOURCES "${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c" )

include($ENV{IDF_PATH}/tools/cmake/project.cmake) project(ota_mqtt)

target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/root_cert_auth.pem" TEXT) target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.crt" TEXT) target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.key" TEXT)

What's interesting is in the previous branch of esp-aws-iot they are using this aws-iot-device-sdk-embedded-Chttps://github.com/aws/aws-iot-device-sdk-embedded-C repo as a base, but now they are completely using individual ones.

How did you manage to include all the necessary libraries for PKCS11?

— Reply to this email directly, view it on GitHubhttps://github.com/espressif/esp-aws-iot/issues/87#issuecomment-1146700388, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGGOKEZTXUQ4UHEJF2RVW5DVNPPO7ANCNFSM5LVUHX5A. You are receiving this because you were mentioned.Message ID: @.***>

twlawrenceko commented 2 years ago

Can you provide your CMakeLists.txt in the root directory and also for the project directory? I seem to have issue migrating into the root directory.

Thanks!

SolidStateLEDLighting commented 2 years ago

My project contains client, MQTT, provisioning, shadow, OTA, and jobs. I did the work that Espressif should have done but didn't. They pulled demos from AWS and their OTA sample is a completely different animal and is not cohesive to the basic demos. I managed to merge it all together. It took months of work to get everything to go right for me.

I just don't give that stuff away.... sorry.

I built my files one step at a time pulling from the demos and samples. You just shouldn't short cut that investigation because you will need some understanding of what is going there.

You'll get it.


From: twlawrenceko @.> Sent: Sunday, June 5, 2022 10:24 AM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

Can you provide your CMakeLists.txt in the root directory and also for the project directory? I seem to have issue migrating into the root directory.

Thanks!

— Reply to this email directly, view it on GitHubhttps://github.com/espressif/esp-aws-iot/issues/87#issuecomment-1146726201, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGGOKE5OA577FCDMD2D7AXTVNQFUTANCNFSM5LVUHX5A. You are receiving this because you were mentioned.Message ID: @.***>

bakermat commented 2 years ago

Fair enough. Are you using the latest esp-aws-iot release by the way? I can see similar code to yours in the previous branch as @twlawrenceko observed, not in the current main branch.

The current ota_mqtt example doesn't even compile in my case so basing it off that seems less than efficient.

SolidStateLEDLighting commented 2 years ago

I pulled my code from what was considered the beta about Nov/Dec of last year. That beta was supposed to be released (according to an Espressif press release), but that was just a big fat lie.

I do not know what they have released from that point. I stopped working on the project late last year.

If you can get subscriptions and publishing to work, you have all you need to get everything going. Everything is really based on just those simple elements, once you have all the policies, roles, templates, etc set up correctly over at AWS.

Just incrementally add all that you need step by step and work your way through it.

Job is a bit more involved, but again it boils down to subscriptions/unsubscriptions and publishing.


From: Patrick Peeters @.> Sent: Sunday, June 5, 2022 4:17 PM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

Fair enough. Are you using the latest esp-iot-aws release by the way? I can see similar code to yours in the previous branch as @twlawrencekohttps://github.com/twlawrenceko, not in the current one.

The current ota_mqtt example doesn't even compile in my case so basing it off that seems less than efficient.

— Reply to this email directly, view it on GitHubhttps://github.com/espressif/esp-aws-iot/issues/87#issuecomment-1146762800, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGGOKE5GJ6NGDMIY6XMLEWLVNRPDHANCNFSM5LVUHX5A. You are receiving this because you were mentioned.Message ID: @.***>

twlawrenceko commented 2 years ago

@bakermat , I am using the ota_mqtt example as a base as that includes the most library dependencies that are required for fleet provisioning.

@SolidStateLEDLighting , can you provide some information on if you have used the posix (not posix_compat) library for your fleet provisioning?

mbedtls_pkcs11_posix.c seems to be a self written package from AWS. Did you use this library?

I am using the fleet_provisioning_with_csr example from the AWS embedded C repo but cannot figure out how to link the correct library for mbedtls_pkcs11_posix.h

../main/mqtt_operations.c:51:10: fatal error: mbedtls_pkcs11_posix.h: No such file or directory
 #include "mbedtls_pkcs11_posix.h"
          ^~~~~~~~~~~~~~~~~~~~~~~~
SolidStateLEDLighting commented 2 years ago

I have not embraced posix. I don't pay any attention to this kind of compatibility. I believe the IDF provides some (or much) of those routines in a simpler form. I didn't care for -- what looked like more complex methods within posix libraries.

mbedtls_pkcs11_posix is not within my project.

Notice: I do all the normal MQTT security things -- but when using OTA, I do not use encryption. I download the binary in an unencrypted form (I tricked AWS). I don't go through the last 5 to 7 unencryption steps when unpacking that binary. I just install it as downloaded --- so, I'm not sure just how much I rely on the PKCS11 libraries.


From: twlawrenceko @.> Sent: Monday, June 6, 2022 8:25 AM To: espressif/esp-aws-iot @.> Cc: keith ssledlighting.com @.>; Mention @.> Subject: Re: [espressif/esp-aws-iot] ESP-AWS-IoT support for fleet provisioning (CA-182) (Issue #87)

@bakermathttps://github.com/bakermat , I am using the ota_mqtt example as a base as that includes the most library dependencies that are required for fleet provisioning.

@SolidStateLEDLightinghttps://github.com/SolidStateLEDLighting , can you provide some information on if you have used the posix (not posix_compat) library for your fleet provisioning?

mbedtls_pkcs11_posix.c seems to be a self written package from AWS. Did you use this library?

I am using the fleet_provisioning_with_csr example from AWS embedded C repo but cannot resolve figuring out linking the correct library for mbedtls_pkcs11_posix.h

../main/mqtt_operations.c:51:10: fatal error: mbedtls_pkcs11_posix.h: No such file or directory

include "mbedtls_pkcs11_posix.h"

      ^~~~~~~~~~~~~~~~~~~~~~~~

— Reply to this email directly, view it on GitHubhttps://github.com/espressif/esp-aws-iot/issues/87#issuecomment-1146917474, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGGOKE6WAYTME6HFP26GB73VNVAOZANCNFSM5LVUHX5A. You are receiving this because you were mentioned.Message ID: @.***>

law-ko commented 2 years ago

I have attempted to follow the example as @twlawrenceko has mentioned, where when processing MQTT_ProcessLoop() will cause LoadProhibited error to show up. The exact line

I have read some issues mentioning the buffer size, currently it is set to 2048 and still crashing. However, when I commented out the publishing topic, the crash occurs less often but still happens over time.

Below is the log:

Info: Establishing MQTT session with claim certificate...
I (5603) coreMQTT: Establishing a TLS session to a3s528xxxxxx4b-ats.iot.us-east-1.amazonaws.com:8883.
I (7763) coreMQTT: Packet received. ReceivedBytes=2.
I (7763) coreMQTT: CONNACK session present bit set.
I (7763) coreMQTT: Connection accepted.
I (7763) coreMQTT: Received MQTT CONNACK successfully from broker.
I (7773) coreMQTT: MQTT connection established with the broker.
I (7783) coreMQTT: MQTT connection successfully established with broker.
I (7793) coreMQTT: An MQTT session with broker is re-established. Resending unacked publishes.
Info: Established connection with claim credentials.
I (7803) coreMQTT: SUBSCRIBE topic $aws/certificates/create/json/accepted to broker.
I (7963) coreMQTT: Packet received. ReceivedBytes=3.
Warn: Unexpected publish message received. Topic: .
I (10963) coreMQTT: SUBSCRIBE topic $aws/certificates/create/json/rejected to broker.
I (11143) coreMQTT: Packet received. ReceivedBytes=3.
Warn: Unexpected publish message received. Topic: .
I (13403) coreMQTT: SUBSCRIBE topic $aws/provisioning-templates/IVO1-FleetProvisioning/provision/json/accepted to broker.
I (13533) coreMQTT: Packet received. ReceivedBytes=3.
Warn: Unexpected publish message received. Topic: .
I (16533) coreMQTT: SUBSCRIBE topic $aws/provisioning-templates/IVO1-FleetProvisioning/provision/json/rejected to broker.
I (16673) coreMQTT: Packet received. ReceivedBytes=3.
Warn: Unexpected publish message received. Topic: .
I (19673) coreMQTT: Published payload: 
I (19673) coreMQTT: PUBLISH sent for topic $aws/certificates/create/json to broker with packet ID 5.
I (19843) coreMQTT: Packet received. ReceivedBytes=2.
I (19843) coreMQTT: Ack packet deserialized with result: MQTTSuccess.
I (19853) coreMQTT: State record updated. New state=MQTTPublishDone.
Guru Meditation Error: Core  0 panic'ed (LoadProhibited). Exception was unhandled.

Core  0 register dump:
PC      : 0x4000c619  PS      : 0x00060f30  A0      : 0x800da214  A1      : 0x3ffbb350  
A2      : 0x00000000  A3      : 0x3f4065e8  A4      : 0x00000022  A5      : 0x0000ff00  
A6      : 0x0000000f  A7      : 0xff000000  A8      : 0x00000002  A9      : 0x3ffbb000  
A10     : 0x3ffbb020  A11     : 0x3f405952  A12     : 0x3ffbb284  A13     : 0x3ffaf02c  
A14     : 0x00000000  A15     : 0x00000000  SAR     : 0x00000004  EXCCAUSE: 0x0000001c  
EXCVADDR: 0x00000002  LBEG    : 0x400014fd  LEND    : 0x4000150d  LCOUNT  : 0xfffffffb  

Backtrace: 0x4000c616:0x3ffbb350 0x400da211:0x3ffbb370 0x400da330:0x3ffbb390 0x400da434:0x3ffbb3c0 0x400d70b6:0x3ffbb3e0 0x400d8b41:0x3ffbb410 0x400d8bd6:0x3ffbb450 0x400d8cd7:0x3ffbb480 0x400d8d15:0x3ffbb4b0 0x400d775d:0x3ffbb4d0 0x400d7202:0x3ffbb4f0 0x400d72a4:0x3ffbb510 0x400d70a5:0x3ffbb530 0x40156b1d:0x3ffbb550 0x4008b525:0x3ffbb570
0x400da211: consumeIfMatch at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/libraries/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/source/fleet_provisioning.c:587
0x400da330: parseCreateCertificateFromCsrTopic at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/libraries/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/source/fleet_provisioning.c:458
0x400da434: FleetProvisioning_MatchTopic at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/libraries/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/Fleet-Provisioning-for-AWS-IoT-embedded-sdk/source/fleet_provisioning.c:744
0x400d70b6: provisioningPublishCallback at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/examples/fleet_prov_simple/build/../main/shadow_demo_main.c:870
0x400d8b41: handlePublishAcks at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/libraries/coreMQTT/coreMQTT/source/core_mqtt.c:1195
0x400d8bd6: handleIncomingAck at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/libraries/coreMQTT/coreMQTT/source/core_mqtt.c:1241
0x400d8cd7: receiveSingleIteration at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/libraries/coreMQTT/coreMQTT/source/core_mqtt.c:1342
0x400d8d15: MQTT_ProcessLoop at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/libraries/coreMQTT/coreMQTT/source/core_mqtt.c:2185
0x400d775d: ProcessLoop at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/examples/fleet_prov_simple/build/../main/shadow_demo_helpers.c:941
0x400d7202: waitForResponse at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/examples/fleet_prov_simple/build/../main/shadow_demo_main.c:776
0x400d72a4: aws_iot_demo_main at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/examples/fleet_prov_simple/build/../main/shadow_demo_main.c:1019
0x400d70a5: app_main at /home/espuser/esp-public-git/esp-aws-iot-for-fleet-provisioning/examples/fleet_prov_simple/build/../main/app_main.c:58 (discriminator 2)
0x40156b1d: main_task at /home/espuser/esp/esp-idf/components/freertos/port/port_common.c:129 (discriminator 2)
0x4008b525: vPortTaskWrapper at /home/espuser/esp/esp-idf/components/freertos/port/xtensa/port.c:131
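Added example, not code from esp-aws-iot, coreMQTT or the Fleet Provisioning SDK, and not part of the comment above. Two things in that log stand out. First, the "Unexpected publish message received. Topic: ." warnings appear right after each SUBSCRIBE, when the only packet coming back is a 3-byte SUBACK (ReceivedBytes=3), so the demo callback is treating every packet as a PUBLISH. Second, the crash happens on the 2-byte PUBACK for packet ID 5: the backtrace enters provisioningPublishCallback from handlePublishAcks, and FleetProvisioning_MatchTopic then faults in consumeIfMatch with A2 = 0 and EXCVADDR = 0x2, which is what a topic comparison against a NULL pointer looks like. coreMQTT invokes the same application callback for acks, and for those the deserialized info carries no publish info (pPublishInfo is NULL), so a callback has to check the packet type before it reads any topic. The sketch below shows that dispatch, plus a length-bounded matcher for the two Fleet Provisioning response topic families that refuses NULL or empty topics. The struct and field names are simplified stand-ins for the coreMQTT types (an assumption), the template name is the one in the log, and the replayed packets and payload are constructed.

```c
/* Added illustration, not code from esp-aws-iot, coreMQTT or the Fleet Provisioning SDK.
 * PacketInfo / PublishInfo / DeserializedInfo are simplified stand-ins (assumption) for
 * the coreMQTT callback arguments MQTTPacketInfo_t / MQTTPublishInfo_t / MQTTDeserializedInfo_t. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_TYPE_PUBLISH 0x30U   /* MQTT control packet type lives in the high nibble */
#define PKT_TYPE_PUBACK  0x40U
#define PKT_TYPE_SUBACK  0x90U

typedef struct { uint8_t type; } PacketInfo;
typedef struct {
    const char *pTopicName;
    uint16_t    topicNameLength;
    const void *pPayload;
    size_t      payloadLength;
} PublishInfo;
typedef struct {
    uint16_t           packetIdentifier;
    const PublishInfo *pPublishInfo;   /* NULL for PUBACK/SUBACK/UNSUBACK, as in coreMQTT */
} DeserializedInfo;

typedef enum {
    API_UNKNOWN = 0,
    API_CREATE_CERT_ACCEPTED, API_CREATE_CERT_REJECTED,
    API_REGISTER_THING_ACCEPTED, API_REGISTER_THING_REJECTED
} ProvisioningApi;

/* The remainder after a known prefix must be exactly "accepted" or "rejected". */
static ProvisioningApi classifyVerdict(const char *rest, size_t restLen,
                                       ProvisioningApi acc, ProvisioningApi rej) {
    if (restLen == 8 && memcmp(rest, "accepted", 8) == 0) return acc;
    if (restLen == 8 && memcmp(rest, "rejected", 8) == 0) return rej;
    return API_UNKNOWN;
}

/* Length-bounded matcher for $aws/certificates/create/json/{accepted,rejected} and
 * $aws/provisioning-templates/<name>/provision/json/{accepted,rejected}.
 * It never reads the buffer when the pointer is NULL or the length is zero. */
ProvisioningApi matchProvisioningTopic(const char *topic, size_t len, const char *templateName) {
    static const char certPrefix[] = "$aws/certificates/create/json/";
    const size_t certPrefixLen = sizeof certPrefix - 1;
    char tmplPrefix[160];
    int n;

    if (topic == NULL || len == 0 || templateName == NULL) return API_UNKNOWN;

    if (len > certPrefixLen && memcmp(topic, certPrefix, certPrefixLen) == 0)
        return classifyVerdict(topic + certPrefixLen, len - certPrefixLen,
                               API_CREATE_CERT_ACCEPTED, API_CREATE_CERT_REJECTED);

    n = snprintf(tmplPrefix, sizeof tmplPrefix,
                 "$aws/provisioning-templates/%s/provision/json/", templateName);
    if (n < 0 || (size_t)n >= sizeof tmplPrefix) return API_UNKNOWN;  /* too long: refuse, never truncate */
    if (len > (size_t)n && memcmp(topic, tmplPrefix, (size_t)n) == 0)
        return classifyVerdict(topic + n, len - (size_t)n,
                               API_REGISTER_THING_ACCEPTED, API_REGISTER_THING_REJECTED);
    return API_UNKNOWN;
}

typedef struct {
    unsigned        acksSeen;        /* packets handled without reading any topic */
    unsigned        publishesSeen;
    ProvisioningApi lastApi;
    uint16_t        lastAckPacketId;
} CallbackState;

/* Event callback that dispatches on packet type BEFORE touching publish data. coreMQTT calls
 * this same callback for acks (the handlePublishAcks frame in the backtrace), with no publish info. */
void provisioningEventCallback(CallbackState *st, const PacketInfo *pkt,
                               const DeserializedInfo *info, const char *templateName) {
    const PublishInfo *pub;
    if (st == NULL || pkt == NULL || info == NULL) return;
    if ((pkt->type & 0xF0U) != PKT_TYPE_PUBLISH) {
        st->acksSeen++;
        st->lastAckPacketId = info->packetIdentifier;
        return;                                   /* PUBACK/SUBACK: nothing to match */
    }
    st->publishesSeen++;
    pub = info->pPublishInfo;
    if (pub == NULL) { st->lastApi = API_UNKNOWN; return; }
    st->lastApi = matchProvisioningTopic(pub->pTopicName, pub->topicNameLength, templateName);
}

/* Replays the packet order from the posted log: SUBACK, PUBACK (packet ID 5), then a
 * constructed PUBLISH on the create-certificate accepted topic. The payload is made up. */
CallbackState replayLogSequence(void) {
    CallbackState st = {0, 0, API_UNKNOWN, 0};
    const char *tmpl = "IVO1-FleetProvisioning";          /* template name from the log */
    static const char topic[] = "$aws/certificates/create/json/accepted";
    PacketInfo suback = { PKT_TYPE_SUBACK }, puback = { PKT_TYPE_PUBACK }, publish = { PKT_TYPE_PUBLISH };
    DeserializedInfo ackInfo = { 5, NULL };               /* acks carry no publish info */
    PublishInfo pub = { topic, (uint16_t)(sizeof topic - 1), "{}", 2 };
    DeserializedInfo pubInfo = { 0, &pub };

    provisioningEventCallback(&st, &suback, &ackInfo, tmpl);
    provisioningEventCallback(&st, &puback, &ackInfo, tmpl);
    provisioningEventCallback(&st, &publish, &pubInfo, tmpl);
    return st;
}

int main(void) {
    CallbackState st = replayLogSequence();
    printf("acks=%u publishes=%u lastApi=%d lastAckId=%u\n",
           st.acksSeen, st.publishesSeen, (int)st.lastApi, st.lastAckPacketId);
    return 0;
}
```

The point of the replay is that the two acks are counted and dropped without any topic being read, and only the real PUBLISH reaches the matcher. If your own callback shows "Unexpected publish message" after a SUBSCRIBE, it is almost certainly running the topic match on a SUBACK, and the next PUBACK will walk it into the same NULL dereference.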