Problems Connecting to AWS IOT using Micropython

There have been a number of threads concerning this topic which I have read through. Unfortunately, none of them deal with the specific issue I am experiencing.

The board I’m using is the Digi XBee Cellular LTE Cat 1 Development Kit and I have created a thing, attached a policy and downloaded / renamed the certificate files as described in the Digi Micropython Programming Guide. The policy attached to the thing grants all the privileges described in the Guide.

I’ve tested the certificates with the Python 3 script (aws_https_pc.py) described in the Guide and get the expected response.

However, after I upload the three files (/flash/cert/aws.key, /flash/cert/aws.crt, /flash/cert/aws.ca) with the File system Manger tool, copy and paste the Micropython version of the “test connection” code with my parameters and run with CTRL+D, I receive an ETIMEDOUT error. This occurs using both destination ports 8443 and 8883.

I notice in previous threads that users have been having problems with ECONNREFUSED errors, indicating that the server is rejecting the connection attempt. In my case, it appears that a connection is not even being attempted.

Several other points:

a. I’ve tried using AWS endpoints both with and without the “-ats” suffix and get the same results.

b. I can connect successfully to the AWS MQTT broker using a Python 3 script running on my PC and also using Node-Red.

c. The Digi board successfully connects to a broker I’ve set up on my company’s server using Mosquitto.

Any help with this issue will be greatly appreciated.

Hi there.

It turns out that in order to use AWS IoT with the XBee Cellular Cat 1 (with the “-ats” endpoint), you must use the Starfield certificate which can be found here: https://ssl-ccp.secureserver.net/repository/sf-class2-root.crt

(Note: This certificate has the same subject key identifier as the actual root certificate presented by AWS. It turns out the “Starfield Root CA” on Amazon’s website is not the root certificate.)

Hope this helps!

Thanks for your response. Should this certificate replace the “aws.ca” file or the “aws.crt” file? I’ve actually tried it both ways and neither seems to work. I should mention that I’m actually seeing “EIO” errors (rather than “ETIMEDOUT”) when I try to connect.

If you use the “-ats” endpoint for AWS IoT, you should use the Amazon Root CA 1 for RSA or Amazon Root CA 3 if your device supports ECC.
https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html

@yosh - It should replace the aws.ca file. The aws.crt file is specific to your “thing” in AWS IoT.

Make sure you are using the endpoint name ending in “-ats” when using this file.

The Amazon Root CA 1 certificate was the one that I was originally using and that didn’t work.

Yeah, I figured that the “aws.ca” file was the one that should be replaced. However, replacing it with the new certificate gave me the same results.
I’m definitely using the endpoint name containing “-ats”.

Can you update the XBee to firmware version 1012 (if this is “XBee Cellular Cat 1”, that should be the newest firmware version available in XCTU) – which includes updating the Telit firmware – and try again?

Can you confirm what ATVR and ATMV return on the XBee currently?

@tckr
Thanks for your help.
First of all, I have to apologize to you because it appears that the modem I’ve been using is an LTE-M module rather than a CAT-1.
Anyway, it looks as though we had a rather old version of firmware installed. ATVR returned “1140B” and ATMV returned “L0.0.00.00.05.06 [Feb 03 2018 13:00:41]” when I first checked them. After a couple of false starts, I did manage to update the firmware to the latest version (11412). However, I see no change when I try to connect to the AWS endpoint (with either the original root certificate or the one you directed me to).

Do you still get an ETIMEDOUT error? If so, that would seem to indicate that the AWS endpoint is in fact unreachable from your XBee, and not something wrong with the certificates, etc.

Can you check that ATLA returns a valid IP address? For example, ATLA ABCDEFG1234567-ats.iot.us-east-1.amazonaws.com.

If you are running the MQTT example code, make sure it is using port 8883. If using the HTTPS example code (accessing the shadow), then 8443.

You might also want to try a plain TCP connection to the endpoint, to see if it is in fact reachable.


import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ENDPOINT, 8883))

Also, are you using the SIM card that came with the Digi development kit, or your own SIM card?

@tckr

Thanks again for your help. Sorry it took awhile to get back to you.

I’m still seeing ETIMEDOUT errors when trying to connect. However, I also see ENXIO errors and the occasional ENFILE error.

The ATLA command does return a valid IP address.

I also tried running the sample code you provided. This returns an ETIMEDOUT error.

I’m currently using a SIM card from Hologram. I’ve also been wondering recently if this might be an issue.

Thanks again.

At this point I would suggest you get in touch with Hologram’s customer/technical support and see if they can shed any light on what is going on.

The fact that you still get ETIMEDOUT doing just a simple TCP connection (not TLS) to AWS IoT tells me that you are unable to make a connection to AWS IoT. Since you say you are able to use the XBee to talk to other servers, it seems unlikely that this is an issue with the XBee itself; if you were also unable to communicate to your own server, that would indicate a different issue.

@tckr

I hope you’re still around – sorry I didn’t get back to you sooner.

I was able to test a SIM card from a different provider. When I try to connect to the AWS IOT MQTT server with this SIM, I get an EIO error rather than an ETIMEDOUT error.

I also tried running the sample code that you provided to create a plain TCP connection. This now appears to work – I no longer see an ETIMEDOUT error.

So it appears that with this second SIM, we’ve traded an ETIMEDOUT error for an EIO error.

Thanks again.

The link you provided in your first comment to the CA works for me with the -ats endpoint as of today on a Cat 1 board. Digi docs also had the correct one to use, but there were a lot of options. I initially had the connection refused issue error, but they seemed to work themselves out with both time and using the example code from the Pycharm plugin. I also received the ENXIO error if I tried to remove the -ats.