Telit Cinterion ELS62-W AWS certification | Telit Cinterion IoT Developer Community
July 24, 2023 - 11:57am, 478 views
Hi,
I'm trying to use the ELS62-W to communicate with the AWS IoT core.
I followed the document "TLS Certificate Management EXSx2", and "Data transfer methods - AWS Enrollment" to write the AWS root CA1 and device key pairs to the module.
The exact commands I used to upload the cert / keys were:
java -jar cmd_ipcertmgr.jar -mode is_cert -cmd writeCert -certfile AmazonRootCA1.cer -certIndex 1 -sigType NONE -serialPort COM21 -serialSpd 115200
java -jar cmd_ipcertmgr.jar -mode is_cert -cmd writeCert -certfile device_cert.der -keyfile private_key.der -certIndex 0 -sigType NONE -serialPort COM21 -serialSpd 115200
After doing this, one strange observation is the read cert result from
at^sbnr="is_cert"
^SBNR: 0, size: "861", issuer: "/OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US", serial number: "4BE109B827624F0DA2FE9718A08BC107F5827A19", subject: "/CN=AWS IoT Certificate", signature: "sha256RSA", thumbprint algorithm: "sha1", thumbprint: "7FE73092731CA3416317258231E3EC6700F35474", expiry date: "2049,12,31"
^SBNR: 1, size: "861", issuer: "/OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US", serial number: "4BE109B827624F0DA2FE9718A08BC107F5827A19", subject: "/CN=AWS IoT Certificate", signature: "sha256RSA", thumbprint algorithm: "sha1", thumbprint: "7FE73092731CA3416317258231E3EC6700F35474", expiry date: "2049,12,31"
Both locations 0 and 1 are the device cert. Location 1 should be the Amazon Root CA1.
When I try to open the MQTT connection for the very first time, I got an error message:
^SIS: 1,0,24,"Host not found"
(however the module is online, I can ping to a host using ping command, and the MQTT broker is alive too)
Then I closed the connection and reconnected again. I got a different message:
+CIEV: is_cert,1,"/C=US/O=Amazon/CN=Amazon RSA 2048 M01","*************************","/CN=*.iot.ap-northeast-1.amazonaws.com","sha256RSA","sha1","*********************"
+CIEV: is_cert,1,"/C=US/O=Amazon/CN=Amazon Root CA 1","077312380B9D6688A33B1ED9BF9CCDA68E0E0F","/C=US/O=Amazon/CN=Amazon RSA 2048 M01","sha256RSA","sha1","2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C"
+CIEV: is_cert,1,"/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2","067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6","/C=US/O=Amazon/CN=Amazon Root CA 1","sha256RSA","sha1","06B25927C42A721631C1EFD9431E648FA62E1E39"
+CIEV: is_cert,1,"/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority","A70E4A4C3482B77F","/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2","sha256RSA","sha1","9E99A48A9960B14926BB7F3B02E22DA2B0AB7280"
^SIS: 1,0,77,"The certificate does not exist"
I feel like this is a certificate issue, any suggestions on how to do this correctly?
Thanks,
Hello,
"Host not found" does not seem like having something to do with certificates. Do you always get it at first? It could mean the wrong host address or maybe the data connection wasn't ready yet, DNS connection failed for some reason etc.
You get '+CIEV: is_cert,...' URCs because you must have activated them with AT^SIND command. Here you see the certificates that server sends during the TLS handshake. And it looks like none of them matches the server certificate that you have installed. Please see the serial numbers and thumbprints. So, that is why you get '^SIS: 1,0,77,"The certificate does not exist"', I suppose.
Please find and install the last certificate on the list 'Starfield Services Root Certificate Authority - G2'. Or you should also find it on the module in the preinstalled certificates storage ("preconfig_cert"). Then you only need to copy it to 'is_cert' store (AT^SSECUA="CertStore/TLS/PreconfigureCert",,<index>).
Best regards,
Bartłomiej
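A way to apply Bartłomiej's advice in a script: parse the AT^SBNR="is_cert" listing and the +CIEV: is_cert URCs quoted above and compare thumbprints, which is how you see that nothing the server sent is in the store (and that slots 0 and 1 hold the same cert). This is an added example, not code from the thread or from Telit's tools; the regexes assume the URC field order issuer, serial, subject, signature, thumbprint algorithm, thumbprint as it appears in the lines above.

```python
import re

# Module output copied from the thread above: the is_cert listing and the
# +CIEV: is_cert URCs the module printed during the TLS handshake.
SBNR_OUTPUT = """\
^SBNR: 0, size: "861", issuer: "/OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US", serial number: "4BE109B827624F0DA2FE9718A08BC107F5827A19", subject: "/CN=AWS IoT Certificate", signature: "sha256RSA", thumbprint algorithm: "sha1", thumbprint: "7FE73092731CA3416317258231E3EC6700F35474", expiry date: "2049,12,31"
^SBNR: 1, size: "861", issuer: "/OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US", serial number: "4BE109B827624F0DA2FE9718A08BC107F5827A19", subject: "/CN=AWS IoT Certificate", signature: "sha256RSA", thumbprint algorithm: "sha1", thumbprint: "7FE73092731CA3416317258231E3EC6700F35474", expiry date: "2049,12,31"
"""
CIEV_OUTPUT = """\
+CIEV: is_cert,1,"/C=US/O=Amazon/CN=Amazon Root CA 1","077312380B9D6688A33B1ED9BF9CCDA68E0E0F","/C=US/O=Amazon/CN=Amazon RSA 2048 M01","sha256RSA","sha1","2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C"
+CIEV: is_cert,1,"/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2","067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6","/C=US/O=Amazon/CN=Amazon Root CA 1","sha256RSA","sha1","06B25927C42A721631C1EFD9431E648FA62E1E39"
+CIEV: is_cert,1,"/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority","A70E4A4C3482B77F","/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2","sha256RSA","sha1","9E99A48A9960B14926BB7F3B02E22DA2B0AB7280"
"""

# ^SBNR: <slot>, ... subject: "<dn>", ... thumbprint: "<hex>", ...   (assumed layout)
SBNR_RE = re.compile(r'^\^SBNR: (\d+),.*?subject: "([^"]*)".*?thumbprint: "([^"]*)"')
# +CIEV: is_cert,<profile>,"<issuer>","<serial>","<subject>","<sigAlg>","<thumbAlg>","<thumbprint>"
CIEV_RE = re.compile(r'^\+CIEV: is_cert,(\d+),"([^"]*)","([^"]*)","([^"]*)","([^"]*)","([^"]*)","([^"]*)"')


def parse_stored(text):
    """Map is_cert slot index -> {subject, thumbprint} from an AT^SBNR="is_cert" listing."""
    stored = {}
    for line in text.splitlines():
        m = SBNR_RE.match(line)
        if m:
            stored[int(m.group(1))] = {"subject": m.group(2), "thumbprint": m.group(3).upper()}
    return stored


def parse_chain(text):
    """Return the certificates the server sent, in the order the +CIEV URCs listed them."""
    chain = []
    for line in text.splitlines():
        m = CIEV_RE.match(line)
        if m:
            chain.append({"issuer": m.group(2), "serial": m.group(3),
                          "subject": m.group(4), "thumbprint": m.group(7).upper()})
    return chain


def duplicate_slots(stored):
    """Slot indices that hold the same certificate (same thumbprint) as another slot."""
    seen = {}
    for idx, cert in stored.items():
        seen.setdefault(cert["thumbprint"], []).append(idx)
    return sorted(i for idxs in seen.values() if len(idxs) > 1 for i in idxs)


def find_trust_anchor(stored, chain):
    """(slot, subject) of the first sent cert whose thumbprint is in the store, else None."""
    by_thumb = {c["thumbprint"]: idx for idx, c in stored.items()}
    for cert in chain:
        if cert["thumbprint"] in by_thumb:
            return by_thumb[cert["thumbprint"]], cert["subject"]
    return None


def last_sent_ca(chain):
    """Subject of the last certificate in the list, i.e. the one the reply suggests installing."""
    return chain[-1]["subject"] if chain else None
```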
Hi Bartłomiej,
Thanks for the insight, the "host not found" indeed is a network issue. I tried to upload the Starfield Services Root Certificate Authority - G2 using the tool. But it still complains about the certification.
Thoughts?
Thanks!
(I removed the remaining)
Hmm, that is strange. Please do a test - set "secopt" to 0 for your connection with AT^SISS command. That would disable the server certificate check on the module. That should confirm if we have the problem with the server certificate or not. If this is related to the server cert check, the connection should succeed with this setting.
Hi Bartłomiej,
The error message I got was:
Does this mean the cert in the NVRAM is broken somehow?
Thanks,
Ye-Sheng
Hi,
If you set AT^SISS=<srvProfileId>,secopt,0 the module does not check the received certificates against the local certificate store. So, whatever you have there should not be used for server cert check. Did you get this error after setting 'secopt' to 0? Unfortunately, "Unknown internal TLS error" is a general error, and it's not obvious what it means in this particular case.
BR,
Bartłomiej
Yes, I indeed set the "secOpt" to 0. Is there any way to reset the module back to the default state (including all the NVRAM settings)?
Thanks,
The exact steps I did were:
OK
AT^SIND="is_cert",1
^SIND: is_cert,1,0,"","","","","",""
OK
AT^SCFG="Tcp/WithURCs","on"
^SCFG: "Tcp/WithURCs","on"
OK
AT^SISS=1,srvType,"mqtt"
OK
AT^SISS=1,conId,1
OK
AT^SISS=1,address,"mqtts://my_aws_mqtt_endpoint.iot.ap-northeast-1.amazonaws.com"
OK
AT^SISS=1,"cmd","publish"
OK
AT^SISS=1,"topic","topic1"
OK
AT^SISS=1,"hcContent","*****"
OK
AT^SISS=1,"hcContLen",5
OK
AT^SISS=1,"secOpt",0
OK
AT^SISS=1,"clientid","Cinterion-Module"
OK
AT^SICA=1,1
OK
AT^SISO=1,2
OK
+CIEV: is_cert,1,"/C=US/O=Amazon/CN=Amazon RSA 2048 M01","0C9A2DBDA1473F7E27342C60996846E4","/CN=*.iot.ap-northeast-1.amazonaws.com","sha256RSA","sha1","642125203B29CA6E4F02F486CE564C0DD2AB80D6"
+CIEV: is_cert,1,"/C=US/O=Amazon/CN=Amazon Root CA 1","077312380B9D6688A33B1ED9BF9CCDA68E0E0F","/C=US/O=Amazon/CN=Amazon RSA 2048 M01","sha256RSA","sha1","2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C"
+CIEV: is_cert,1,"/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2","067F944A2A27CDF3FAC2AE2B01F908EEB9C4C6","/C=US/O=Amazon/CN=Amazon Root CA 1","sha256RSA","sha1","06B25927C42A721631C1EFD9431E648FA62E1E39"
+CIEV: is_cert,1,"/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority","A70E4A4C3482B77F","/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2","sha256RSA","sha1","9E99A48A9960B14926BB7F3B02E22DA2B0AB7280"
^SIS: 1,0,62,"Unknown internal TLS error"
There is no general reset command or HW switch.
In general there should be no problem with connecting this module to AWS. There should be no problem with reading the server certificates and they are not compared to stored ones with this setting.
Still, the module gets the server request to send the client certificate and tries to do that. The error could mean some kind of problem with reading the client certificate, which could mean that some problem with its format is possible. But on the other hand the listing displays the cert data.
Can you check the firmware version with ATI1 and ATI8 commands?
Should I update the FW?
Thanks!
^SYSSTART
ATI1
Cinterion
ELS62-W
REVISION 01.200
A-REVISION 01.000.04
OK
ATI8
C-REVISION 00000.00
Hello,
The firmware version is new - no need to update.
It might be that the server terminates the connection for some reason. Maybe something is configured incorrectly like the address or port etc.
It's not easy to debug as you can't see the client-server communication on TCP layer.
Were the certificates you added in a binary format? You could also delete all certs and do a test, then add client cert only and test again...
BR,
Bartłomiej
Hi Bartłomiej,
I got it to work!
I replaced the 'Starfield Services Root Certificate Authority - G2' with 'Amazon Root CA 1' certificate, and set the "secOpt" to 0. Then I can connect to AWS MQTT and publish content properly.
Thanks!