Friday, April 7, 2017

Setting up AWS CLI for IoT



I've been wanting to get my ESP8266 to talk MQTT to AWS.

steverino on twitter provided this link:

http://blogs.paasmer.co/series-blogs-connect-esp-8266-nodemcu-aws-iot/

But first the AWS Command Line Interface needs to be installed (no sense in making things EASY, eh, takes away all the fun).

So first Amazon has some online instructions:

http://docs.aws.amazon.com/cli/latest/userguide/installing.html

simply, really: in a git bash shell:

pip install --upgrade --user awscli

then add the path:

http://docs.aws.amazon.com/cli/latest/userguide/awscli-install-windows.html#awscli-install-windows-path

which in my case was this: %USERPROFILE%\AppData\Roaming\Python\Scripts

next, after restarting the git bash shell to have the new path available, a simple command:

aws configure

There was some confusion as to what, exactly, to enter for the prompt: AWS Access Key ID [None]:

This page (from [your name] - Security Credentials):

https://console.aws.amazon.com/iam/home?/security_credential

indicates that you should make sure all the (root) Access Keys have been deleted.

There's also an option to "Get Started with IAM Users"... that's what we want:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

...and use the Access key and Secret access key for the first two aws configure prompts.

next is to figure out the region (a name without spaces!). In my case, that's us-west-2.

Moving on to the security configuration, I spent hours fussing with the "aws iot create-certificate-from-csr" before submitting an AWS CLI issue here:

https://github.com/aws/aws-cli/issues/2535

The problem there was apparently that, when copy/pasting the aws command, one or more of the dashes were converted to evil dashes (some sort of character that looks and acts like a dash, but is not!)

the corrected command is:

aws iot create-certificate-from-csr --certificate-signing-request file://eccCsr.csr --certificate-pem-outfile eccCert.crt --set-as-active
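
A quick way to catch those evil dashes before running a pasted command (an added example, not from the original post or the AWS CLI project): this Python script reports every non-ASCII dash lookalike and rebuilds the ASCII command. The sample string is constructed, and the repair step assumes every option is a long "--" option, as in the command above.

```python
import unicodedata

# U+2212 MINUS SIGN is category Sm, not Pd, so it is listed explicitly.
EXTRA_DASH_LIKE = {"\u2212"}


def is_lookalike_dash(ch):
    """True for a non-ASCII character that renders like '-'."""
    if ch == "-":
        return False
    return unicodedata.category(ch) == "Pd" or ch in EXTRA_DASH_LIKE


def find_lookalike_dashes(command):
    """Return (offset, codepoint, Unicode name) for every lookalike dash."""
    return [
        (i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(command)
        if is_lookalike_dash(ch)
    ]


def repair(command):
    """Replace lookalikes with '-' and restore a collapsed leading '--'.

    Assumption: every option is a long option, so a token that ends up
    as '-name' had its '--' collapsed into a single pasted character.
    """
    fixed = []
    for token in command.split(" "):
        changed = any(is_lookalike_dash(ch) for ch in token)
        token = "".join("-" if is_lookalike_dash(ch) else ch for ch in token)
        if changed and len(token) > 2 and token[0] == "-" and token[1] != "-":
            token = "-" + token
        fixed.append(token)
    return " ".join(fixed)


# Constructed sample: the command above with its option dashes swapped for
# an en dash (U+2013), an em dash (U+2014) and a mixed en dash + hyphen.
PASTED = (
    "aws iot create-certificate-from-csr "
    "\u2013certificate-signing-request file://eccCsr.csr "
    "\u2014certificate-pem-outfile eccCert.crt \u2013-set-as-active"
)

if __name__ == "__main__":
    for offset, codepoint, name in find_lookalike_dashes(PASTED):
        print("offset %d: %s %s" % (offset, codepoint, name))
    print(repair(PASTED))
```
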

The MQTT is available for Windows and Linux. The Windows version gives this additional install message:




But I chose the Raspberry Pi version since it is in the main repository (and I was getting an error in Windows):



Install on RPi with this command:

sudo apt-get install mosquitto

but alas, that's not enough ... and there's nothing on the Mosquitto web site to indicate that. But I found this helpful site:

http://jpmens.net/2013/09/01/installing-mosquitto-on-a-raspberry-pi/

that shows the install command with a few options:

sudo apt-get install mosquitto mosquitto-clients python-mosquitto

OpenSSL also needs to be installed:

sudo apt-get install openssl

and so I'm trying the sample test at:

https://aws.amazon.com/blogs/iot/elliptic-curve-cryptography-and-forward-secrecy-support-in-aws-iot-3/

Specifically this command:

mosquitto_pub --cafile AWSIoTCACert.crt --cert eccCert.crt --key ecckey.key -h a2s48sx7uszy0k.iot.us-west-2.amazonaws.com -d -p 8883 -q 1 -t foo/bar -i test --tls-version tlsv1.2 -m "HelloWorld" --ciphers ECDHE-ECDSA-AES128-GCM-SHA256

but alas I don't have an "AWSIoTCACert.crt" file.

So I found this link:

http://iot-hackseries.s3-website-us-west-2.amazonaws.com/aws-iot.html

That said to "click here" to download this CA:

https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem

I saved mine as AWS-root-ca-pem.crt and tried this command:

mosquitto_pub --cafile AWS-root-ca-pem.crt --cert eccCert.crt --key ecckey.key -h a2s48sx7uszy0k.iot.us-west-2.amazonaws.com -d -p 8883 -q 1 -t foo/bar -i test --tls-version tlsv1.2 -m "HelloWorld" --ciphers ECDHE-ECDSA-AES128-GCM-SHA256

AAARRGH. Got this error:

Client test sending CONNECT OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Error: Success

(gotta really love the "Error: Success", eh?)

So far I've spent the better part of the day fussing with this. This is way more difficult than it should be.



