AT&T Cellular IoT Starter Kit (1st Generation) trouble connecting to AWS

Solved
Anubus
Junior(1)

I've got an extra 1st gen starter kit and would like to connect it to AWS.  I've successfully completed the "AT&T IoT Starter Kit Quick Start" tutorial and have the S3 demo site updating LED color with every button press. Next I flashed the FRDM-K64F board with the compiled Anthony Phillips' ATT_AWS_IoT_demo, created my AWS account and created an SD card with the certs and mqtt_config.txt files.  I changed to "DEGUG_LEVEL 4" in "aws_iot_log.h".   All seems good until it tries to connect to my shadow thing.  The program terminates with:

ERROR: waitfor() timer expired
ERROR: waitfor() MQTT_NETWORK_DISCONNECTED_ERROR
ERROR: ...waitfor FAIL
ERROR: Shadow Connection Error -3

I hope you can help with a couple suggestions. I can't seem to figure what the issue is. Below is the full console session in case that helps (I've mangled the certs to avoid compromising them):

----------------------- AT&T Cellular IoT Starter Kit (1st Generation) trouble connecting to AWS ------------------------
Hello World from AT&T IoT Start Kit demo!
AWS IoT SDK Version(dev) 1.1.2-
Using SD card files for AWS config.
- mqtt config path: /sd/certs/mqtt_config.txt
- rootCA path: /sd/certs/rootCA-certificate.crt
- clientCRT path: /sd/certs/certificate.pem.crt
- clientKey path: /sd/certs/private.pem.key
Init sensors...
Init interrupts...
Net Boot...
Booting WNC modem...
...Using Avnet Shield and AT&T wireless LTE

Toggling Wakeup...
Toggling complete.
WNC Module IS initialized (07).
...IP Address: 10.192.185.187 
...ICCID: 89011704252322299956
...Reading MQTT data from SD
...Number of data read: 161, text from file: AWS_IOT_MQTT_HOST=a1883me0jwbffo.iot.us-east-1.amazonaws.com
AWS_IOT_MQTT_PORT=8883 
AWS_IOT_MQTT_CLIENT_ID=ATT_IoT_Kit 
AWS_IOT_MY_THING_NAME=ATT_IoT_Kit

...Host=a1883me0jwbffo.iot.us-east-1.amazonaws.com
...Port=8883
...pMqttClientId=ATT_IoT_Kit 
...pMyThingName=ATT_IoT_Kit
Initialize the MQTT client...
Shadow Init...
Shadow Connect...
...Thing Name ATT_IoT_Kit
...MQTT Client ID ATT_IoT_Kit 
...subscribe
...MQTTVersion
...MQTTConnect
...connect_timer
...TLS Connect
...mbedtls_net_init()
...Seeding the random number generator
 ok

...Loading the CA root certificate
...Reading CERT data from SD
...Number of data read: 1758, text from file: -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
...CRT Parse
 ok (0 skipped)
...Loading the client cert
...Reading CERT data from SD
...Number of data read: 1224, text from file: -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

...CRT Parse
 ok
...Loading the client key
...Reading KEY data from SD
...Number of data read: 1679, text from file: -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

...Key Parse
...No PWD
 ok
...Connecting to a1883me0jwbffo.iot.us-east-1.amazonaws.com/8883
...mbedtls_net_connect
Connecting with a1883me0jwbffo.iot.us-east-1.amazonaws.com

...mbedtls_net_set_block
 ok
...Setting up the SSL/TLS structure
...Set Socket I/O Functions
 ok
...Performing the SSL/TLS handshake
...mbedtls_net_send
...mbedtls_net_recv_timeout len: 5, timeout: 10000
...mbedtls_net_recv_timeout len: 2619, timeout: 10000

Verify requested for (Depth 2):

cert. version     : 3
serial number     : 18:DA:D1:9E:26:7D:E8:BB:4A:21:58:CD:CC:6B:3B:4A
issuer name       : C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
subject name      : C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
issued  on        : 2006-11-08 00:00:00
expires on        : 2036-07-16 23:59:59
signed using      : RSA with SHA1
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign

  This certificate has no flags

Verify requested for (Depth 1):

cert. version     : 3
serial number     : 3F:92:87:BE:9D:1D:A4:A3:7A:9D:F6:28:2E:77:5A:C4
issuer name       : C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
subject name      : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2
issued  on        : 2015-05-12 00:00:00
expires on        : 2025-05-11 23:59:59
signed using      : RSA with SHA-256
EC key size       : 256 bits
basic constraints : CA=true, max_pathlen=0
subject alt name  : 
key usage         : Key Cert Sign, CRL Sign

  This certificate has no flags

Verify requested for (Depth 0):

cert. version     : 3
serial number     : 0A:84:9B:FA:E6:BB:18:70:3F:F7:76:20:47:7C:7D:90
issuer name       : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2
subject name      : C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.iot.us-east-1.amazonaws.com
issued  on        : 2017-11-22 00:00:00
expires on        : 2018-11-23 23:59:59
signed using      : ECDSA with SHA256
EC key size       : 256 bits
basic constraints : CA=false
subject alt name  : iot.us-east-1.amazonaws.com, *.iot.us-east-1.amazonaws.com
key usage         : Digital Signature
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

  This certificate has no flags

...mbedtls_net_send
...mbedtls_net_send
...mbedtls_net_send
...mbedtls_net_send
...mbedtls_net_send
...mbedtls_net_recv_timeout len: 5, timeout: 10000
...mbedtls_net_recv_timeout len: 1, timeout: 10000
...mbedtls_net_recv_timeout len: 5, timeout: 10000
...mbedtls_net_recv_timeout len: 40, timeout: 10000
 ok
    [ Protocol is TLSv1.2 ]
    [ Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ]

    [ Record expansion is 29 ]

...Verifying peer X.509 certificate
 ok

...SSL get peer cert
...Peer certificate information
...Server certificate:
      cert. version     : 3
      serial number     : 0A:84:9B:FA:E6:BB:18:70:3F:F7:76:20:47:7C:7D:90
      issuer name       : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2
      subject name      : C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.iot.us-east-1.amazonaws.com
      issued  on        : 2017-11-22 00:00:00
      expires on        : 2018-11-23 23:59:59
      signed using      : ECDSA with SHA256
      EC key size       : 256 bits
      basic constraints : CA=false
      subject alt name  : iot.us-east-1.amazonaws.com, *.iot.us-east-1.amazonaws.com
      key usage         : Digital Signature
      ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

...mbedtls_net_send
...mbedtls_net_recv_timeout len: 5, timeout: 10
...mbedtls_net_recv_timeout len: 26, timeout: 10
...mbedtls_net_recv_timeout len: 5, timeout: 10
...mbedtls_net_recv_timeout len: 5, timeout: 10
ERROR: waitfor() timer expired
ERROR: waitfor() MQTT_NETWORK_DISCONNECTED_ERROR
ERROR: ...waitfor FAIL
ERROR: Shadow Connection Error -3

---------------------------- End Console Log -----------------------

Anubus
Junior(1)

I figured it out!  I needed to create a Policy associated with my AWS thing certificate.  This must be a recent AWS feature as I didn't see it when I went through the IoT Starter Kit AWS tutorial.
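The fix described above, sketched as an added example that is not part of the original posts or the kit's tutorial: in the log the TLS handshake succeeds and the connection is dropped only afterwards, which is what a certificate with no policy allowing `iot:Connect` produces. The code builds a least-privilege policy for the client ID and thing name shown in the log and checks it with a simplified matcher; the account ID is a placeholder and the helper names are hypothetical.

```python
import json
import re

# Region, client ID and thing name are taken from the console log above.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"  # placeholder, not a value from the page
CLIENT_ID = "ATT_IoT_Kit"
THING_NAME = "ATT_IoT_Kit"

def arn(kind, path):
    """Build an AWS IoT resource ARN (kind: client, topic or topicfilter)."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:{kind}/{path}"

def shadow_policy(client_id, thing_name):
    """Policy letting one device connect and use only its own thing shadow."""
    shadow = f"$aws/things/{thing_name}/shadow/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [arn("client", client_id)]},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": [arn("topic", shadow)]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [arn("topicfilter", shadow)]},
        ],
    }

def allowed(policy, action, resource):
    """Simplified evaluation: default deny, only Allow statements, '*' wildcard."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or action not in statement["Action"]:
            continue
        for pattern in statement["Resource"]:
            regex = ".*".join(re.escape(part) for part in pattern.split("*"))
            if re.fullmatch(regex, resource):
                return True
    return False

# A certificate with no policy attached behaves like an empty statement list.
NO_POLICY = {"Version": "2012-10-17", "Statement": []}
POLICY = shadow_policy(CLIENT_ID, THING_NAME)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
```

The printed JSON is the document to create as a policy in AWS IoT and attach to the thing's certificate, in the console or with `aws iot create-policy` and `aws iot attach-policy`.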

jflynn129
Moderator(4)

Thanks for updating this, it will help others who hit the same issue.
