Friday, April 7, 2017
Setting up AWS CLI for IoT
I've been wanting to get my ESP8266 to talk MQTT to AWS.
steverino on twitter provided this link:
http://blogs.paasmer.co/series-blogs-connect-esp-8266-nodemcu-aws-iot/
But first the AWS Command Line Interface needs to be installed (no sense in making things EASY, eh, takes away all the fun).
So first Amazon has some online instructions:
http://docs.aws.amazon.com/cli/latest/userguide/installing.html
simply, really: in a git bash shell:
pip install --upgrade --user awscli
then add the path:
http://docs.aws.amazon.com/cli/latest/userguide/awscli-install-windows.html#awscli-install-windows-path
which in my case was this: %USERPROFILE%\AppData\Roaming\Python\Scripts
next, after restarting the git bash shell to have the new path available, a simple command:
aws configure
There was some confusion as to what, exactly to enter for the prompt: AWS Access Key ID [None]:
As this page (from [your name] - Security Credentials):
https://console.aws.amazon.com/iam/home?/security_credential
will indicate that you should ensure to have deleted all the (root) Access Keys.
There's also an option to "Get Started with IAM Users"... that's what we want:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
...and use the Access key and Secret access key for the first two aws config prompts.
next is to figure out the region (a name without spaces!). In my case, that's us-west-2.
Moving on to the security configuration, I spent hours fussing with the "aws iot create-certificate-from-csr" before before submitting an AWS CLI issue here:
https://github.com/aws/aws-cli/issues/2535
The problem there - was apparently when copy/pasting the aws command, one or more of the dashes were converted to evil dashes (some sort of character that looks and acts like a dash, but is not!)
the corrected command is:
aws iot create-certificate-from-csr --certificate-signing-request file://eccCsr.csr --certificate-pem-outfile eccCert.crt --set-as-active
The MQTT is available for Windows and Linux. The Windows version gives this additional install message:
But I chose the Raspberry Pi version since it is in the main repository (and I was getting an error in Windows):
Install on RPi with this command:
sudo apt-get install mosquitto
but alas, that's not enough ... and there's nothing on the Mosquitto web site to indicate that. But I found this helpful site:
http://jpmens.net/2013/09/01/installing-mosquitto-on-a-raspberry-pi/
that shows the install command with a few options:
sudo apt-get install mosquitto mosquitto-clients python-mosquitto
OpenSSL also needs to be installed:
sudo apt-get install openssl
and so I'm trying the sample test at:
https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/
Specifically this command:
mosquitto_pub --cafile AWSIoTCACert.crt --cert eccCert.crt --key ecckey.key -h a2s48sx7uszy0k.iot.us-west-2.amazonaws.com -d -p 8883 -q 1 -t foo/bar -i test --tls-version tlsv1.2 -m "HelloWorld" --ciphers ECDHE-ECDSA-AES128-GCM-SHA256
but alas I don't have a "AWSIoTCACert.crt " file,
So I found this link:
http://iot-hackseries.s3-website-us-west-2.amazonaws.com/aws-iot.html
That said to "click here" to download this CA:
https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
I saved mine as AWS-root-ca-pem.crt and tried this command:
mosquitto_pub --cafile AWS-root-ca-pem.crt --cert eccCert.crt --key ecckey.key -h a2s48sx7uszy0k.iot.us-west-2.amazonaws.com -d -p 8883 -q 1 -t foo/bar -i test --tls-version tlsv1.2 -m "HelloWorld" --ciphers ECDHE-ECDSA-AES128-GCM-SHA256
AAARRGH. Got this error:
Client test sending CONNECT OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Success
(gotta really love the "Error: Success", eh?)
So far I've spent the better part of the day fussing with this. This is way more difficult than it should be.
Subscribe to:
Post Comments (Atom)
Find gojimmypi at gojimmypi.github.io
I'm currently working on my new blog home at gojimmypi.github.io After implementing a variety of features such as dark mode , syntax hi...
-
I decided to finally learn how to program an FPGA! Here are some first impressions and notes to self for future reference. TL;DR Bla...
-
Notes and information on JTAG Debugging the ESP32 WROOM-32 (aka DevKitC, aka ESP32_Core_Board_V2) I started off my day thinking I'd ta...
-
This is a continuation of my prior blog on limit switch mounting hardware design for the CNC3018 . There are plenty of resources on various ...
This comment has been removed by a blog administrator.
ReplyDelete