❓︎ AWS IoT MQTT sample build fails with undefined reference to 'mbedtls_ssl_*' errors (nRF9151, SDK v2.9.0)

Hi,

Do you use Zephyr aws_iot_mqtt sample?
Can you try to use aws_iot sample instead? What is the result?

Can you please upload your prj.conf and complete build log?
You can do this by clicking on Upload or on Image/video/file -> Upload.

Best regards,
Dejan

aws_iot_mqtt build config error log:

/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_release':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:537: undefined reference to `mbedtls_ssl_config_free'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:538: undefined reference to `mbedtls_ssl_free'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_mbedtls_init':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1299: undefined reference to `mbedtls_ssl_set_bio'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1310: undefined reference to `mbedtls_ssl_config_defaults'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1390: undefined reference to `mbedtls_ssl_conf_rng'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1428: undefined reference to `mbedtls_ssl_setup'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1386: undefined reference to `mbedtls_ssl_conf_authmode'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1402: undefined reference to `mbedtls_ssl_conf_ciphersuites'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_opt_ciphersuite_list_set':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1553: undefined reference to `mbedtls_ssl_conf_ciphersuites'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_session_get':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:652: undefined reference to `mbedtls_ssl_session_load'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_session_restore':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:708: undefined reference to `mbedtls_ssl_session_init'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:716: undefined reference to `mbedtls_ssl_set_session'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:722: undefined reference to `mbedtls_ssl_session_free'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_mbedtls_reset':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1166: undefined reference to `mbedtls_ssl_session_reset'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_mbedtls_handshake':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1199: undefined reference to `mbedtls_ssl_handshake'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_session_save':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:610: undefined reference to `mbedtls_ssl_session_save'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:618: undefined reference to `mbedtls_ssl_session_save'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_session_store':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:678: undefined reference to `mbedtls_ssl_session_init'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:680: undefined reference to `mbedtls_ssl_get_session'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:692: undefined reference to `mbedtls_ssl_session_free'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `ztls_poll_prepare_pollin':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:2976: undefined reference to `mbedtls_ssl_get_bytes_avail'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `ztls_socket_data_check':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:3088: undefined reference to `mbedtls_ssl_read'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:3131: undefined reference to `mbedtls_ssl_get_bytes_avail'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `ztls_poll_update_pollin':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:3141: undefined reference to `mbedtls_ssl_get_bytes_avail'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `recv_tls':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:2589: undefined reference to `mbedtls_ssl_read'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_alloc':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:467: undefined reference to `mbedtls_ssl_init'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:468: undefined reference to `mbedtls_ssl_config_init'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `send_tls':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:2294: undefined reference to `mbedtls_ssl_write'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_opt_ciphersuite_list_get':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1571: undefined reference to `mbedtls_ssl_list_ciphersuites'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `tls_opt_ciphersuite_used_get':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1599: undefined reference to `mbedtls_ssl_get_ciphersuite'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: /home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:1604: undefined reference to `mbedtls_ssl_get_ciphersuite_id'
/home/dnk034/ncs/toolchains/b77d8c1312/opt/zephyr-sdk/arm-zephyr-eabi/bin/../lib/gcc/arm-zephyr-eabi/12.2.0/../../../../arm-zephyr-eabi/bin/ld.bfd: zephyr/subsys/net/libsubsys__net.a(sockets_tls.c.obj): in function `ztls_close_ctx':
/home/dnk034/ncs/v2.9.0/zephyr/subsys/net/lib/sockets/sockets_tls.c:2118: undefined reference to `mbedtls_ssl_close_notify'
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
FAILED: _sysbuild/sysbuild/images/aws_iot_mqtt-prefix/src/aws_iot_mqtt-stamp/aws_iot_mqtt-build /media/dnk034/NEWDATA/manoj/workspace/nrf9151/mod_firm_test_sdk_2.9.0/aws_iot_mqtt/build/_sysbuild/sysbuild/images/aws_iot_mqtt-prefix/src/aws_iot_mqtt-stamp/aws_iot_mqtt-build
cd /media/dnk034/NEWDATA/manoj/workspace/nrf9151/mod_firm_test_sdk_2.9.0/aws_iot_mqtt/build/aws_iot_mqtt && /home/dnk034/ncs/toolchains/b77d8c1312/usr/local/bin/cmake --build .
ninja: build stopped: subcommand failed.
FATAL ERROR: command exited with status 1: /home/dnk034/ncs/toolchains/b77d8c1312/usr/local/bin/cmake --build /media/dnk034/NEWDATA/manoj/workspace/nrf9151/mod_firm_test_sdk_2.9.0/aws_iot_mqtt/build

* The terminal process terminated with exit code: 1.
* Terminal will be reused by tasks, press any key to close it.

proj.config

CONFIG_AWS_ENDPOINT="a31goxxxxxxxxx.iot.eu-west-1.amazonaws.com"
CONFIG_AWS_MQTT_PORT=8883
CONFIG_AWS_THING_NAME="zephyr_sample"
CONFIG_AWS_PUBLISH_TOPIC="zephyr_sample/data"
CONFIG_AWS_SUBSCRIBE_TOPIC="zephyr_sample/downlink"
CONFIG_AWS_TEST_SUITE_DQP=n

CONFIG_MAIN_STACK_SIZE=4096
CONFIG_ENTROPY_GENERATOR=y
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_INIT_STACKS=y
CONFIG_HW_STACK_PROTECTION=y
CONFIG_REQUIRES_FULL_LIBC=y
CONFIG_SNTP=y
CONFIG_JSON_LIBRARY=y
CONFIG_POSIX_API=y

# DNS
CONFIG_DNS_RESOLVER=y
CONFIG_DNS_RESOLVER_ADDITIONAL_BUF_CTR=2
CONFIG_DNS_RESOLVER_MAX_SERVERS=1
CONFIG_DNS_SERVER_IP_ADDRESSES=y
CONFIG_DNS_SERVER1="8.8.8.8"
CONFIG_NET_SOCKETS_DNS_TIMEOUT=5000
CONFIG_DNS_RESOLVER_LOG_LEVEL_DBG=n

# Generic networking options
CONFIG_NETWORKING=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_IPV6=y
CONFIG_NET_IPV4=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

# Logging
CONFIG_LOG=y

# Network buffers
CONFIG_NET_PKT_RX_COUNT=32
CONFIG_NET_PKT_TX_COUNT=16
CONFIG_NET_BUF_RX_COUNT=64
CONFIG_NET_BUF_TX_COUNT=32

# MQTT
CONFIG_MQTT_LIB=y
CONFIG_MQTT_LIB_TLS=y
CONFIG_MQTT_KEEPALIVE=60
CONFIG_MQTT_LIB_TLS_USE_ALPN=y

# TLS
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=65536
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_AES_ROM_TABLES=y
CONFIG_MBEDTLS_TLS_VERSION_1_2=y
CONFIG_MBEDTLS_MEMORY_DEBUG=y
CONFIG_MBEDTLS_HAVE_TIME_DATE=y
CONFIG_MBEDTLS_SSL_ALPN=y

kconfig:

#
# Copyright (c) 2023 Lucas Dietrich <[email protected]>
#
# SPDX-License-Identifier: Apache-2.0
#

menu "AWS"
mainmenu "AWS IoT Core MQTT sample application"

config AWS_ENDPOINT
string "AWS endpoint"
default ""
help
Endpoint (hostname) of the AWS MQTT broker.
Note that the endpoint is different when using AWS Device Advisor.

config AWS_MQTT_PORT
int "MQTT Port"
default 8883
help
Set port of AWS MQTT broker.

config AWS_THING_NAME
string "AWS Thing name"
default "myThingName"
help
Set the AWS Thing name created on IoT Console

config AWS_SUBSCRIBE_TOPIC
string "MQTT subscribe topic"
default "myThingName/downlink"
help
MQTT topic the client should subscribe to.

config AWS_PUBLISH_TOPIC
string "MQTT publish topic"
default "myThingName/data"
help
MQTT topic the client should publish to.

choice AWS_TEST_SUITE
prompt "Device Advisor test suite"
default AWS_TEST_SUITE_NONE
help
Select the AWS Device Advisor test suite to run.

config AWS_TEST_SUITE_NONE
bool "No test suite running"

config AWS_TEST_SUITE_DQP
bool "Device Qualification Program (DQP)"
help
Make sure your region supports AWS Device Advisor for DQP

config AWS_TEST_SUITE_RECV_QOS1
bool "Test suite for receiving QoS 1 messages"
help
For single test case "MQTT Client Puack QoS1"

endchoice

config AWS_QOS
int "MQTT QoS"
default 0 if AWS_TEST_SUITE_DQP
default 1 if AWS_TEST_SUITE_RECV_QOS1
default 0
range 0 1
help
Quality of Service to use for publishing and subscribing to topics.
Notes:
- Use QoS 0 when passing DQP test suite
- QoS 2 is not supported by AWS MQTT broker

config AWS_EXPONENTIAL_BACKOFF
bool "enable exponential backoff"
default n if AWS_TEST_SUITE_DQP || AWS_TEST_SUITE_RECV_QOS1
default y
help
Enable AWS exponential backoff for reconnecting to AWS MQTT broker.

endmenu

source "Kconfig.zephyr"

cmake:

# SPDX-License-Identifier: Apache-2.0

cmake_minimum_required(VERSION 3.20.0)

find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
project(aws_iot_mqtt)

if(USE_DUMMY_CREDS)
set(creds "src/creds/dummy.c")
else()
if(NOT EXISTS ${APPLICATION_SOURCE_DIR}/src/creds/key.c OR
NOT EXISTS ${APPLICATION_SOURCE_DIR}/src/creds/cert.c OR
NOT EXISTS ${APPLICATION_SOURCE_DIR}/src/creds/ca.c)
message(FATAL_ERROR
"Credentials not found. Please run "
"'python3 src/creds/convert_keys.py' before building"
)
endif()

set(creds "src/creds/ca.c" "src/creds/key.c" "src/creds/cert.c")
endif()

target_sources(app PRIVATE "src/main.c" ${creds})
target_sources_ifdef(CONFIG_NET_DHCPV4 app PRIVATE "src/dhcp.c")

and code we dont any changes done

this is our aws iot mqtt example build error log and proj config this is not correctly build right now we set certs correctly using py script as needed and update end point etc. as needed 

in only aws iot example run and build successfully but this has no option to add certificate etc. options

we want to use aws iot mqtt example instead of aws iot  because it help me for mqtt manage, aws and it certificate add manage to build this program and tell us why sample code of aws_iot_mqtt is not build successfully,and this is take our huge number of ram so also solution of these

if aws iot example code we manage certificate and easily publish subscribe with different topic this is possible please tell us also because this is less number of ram uses

best regards,
Milan

Hi Milan,

Milan Pipaliya said:

in only aws iot example run and build successfully but this has no option to add certificate etc. options

Milan Pipaliya said:

if aws iot example code we manage certificate and easily publish subscribe with different topic this is possible please tell us also because this is less number of ram uses

Relevant information about certificates for AWS IoT can be found in AWS IoT sample, AWS IoT library and NCS Intermediate Course lesson 9 exercise 7.

Best regards,
Dejan

Hi Dejan,

In the AWS IoT example, we are facing a few issues:

1. When we try to set the certificates using nRF Connect app → Cellular Monitor → Cellular Manager, we first apply CFUN=4, add the certificates, and set the security tag. However, it continuously shows “cert updating” and never completes the update process.

2. The aws_iot example project configuration includes MCUboot and other system settings. Because of this, our custom PCB does not boot properly — it seems the reason is that no child image is created. There are multiple configuration files such as board/board.conf, sysbuild/proj.conf, and the main project config, which makes it a bit confusing how the child image is actually executed. If you have any suggestions on how to handle this, that would be very helpful.

3. In the aws_iot_mqtt example, we can successfully build and run it on our custom PCB. The cellular connection, certificate, and endpoint setup all complete correctly. However, we’re facing two runtime issues:

   • SNTP time error: It returns error -22, but when we debug and execute slowly, it sometimes succeeds in getting the time.

   • AWS connection error: It gives error -116, even though our certificates and endpoint are configured correctly.
     

     /*
      * aws iot mqtt example main.c file
      */
     
     #include "creds/creds.h"
     #include "dhcp.h"
     
     #include <errno.h>
     #include <stdio.h>
     #include <stdlib.h>
     
     #include <zephyr/net/socket.h>
     #include <zephyr/net/dns_resolve.h>
     #include <zephyr/net/mqtt.h>
     #include <zephyr/net/sntp.h>
     #include <zephyr/net/tls_credentials.h>
     #include <zephyr/data/json.h>
     #include <zephyr/random/random.h>
     #include <zephyr/posix/time.h>
     #include <zephyr/logging/log.h>
     
     
     #if defined(CONFIG_MBEDTLS_MEMORY_DEBUG)
     #include <mbedtls/memory_buffer_alloc.h>
     #endif
     
     
     #include <modem/nrf_modem_lib.h>
     #include <modem/lte_lc.h>
     
     static K_SEM_DEFINE(lte_connected, 0, 1);
     
     LOG_MODULE_REGISTER(aws, LOG_LEVEL_DBG);
     
     // #define SNTP_SERVER "0.pool.ntp.org"
     #define SNTP_SERVER "pool.ntp.org"
     
     
     #define AWS_BROKER_PORT CONFIG_AWS_MQTT_PORT
     
     #define MQTT_BUFFER_SIZE 1024u
     #define APP_BUFFER_SIZE	 4096u
     
     #define MAX_RETRIES	    10u
     #define BACKOFF_EXP_BASE_MS 1000u
     #define BACKOFF_EXP_MAX_MS  60000u
     #define BACKOFF_CONST_MS    5000u
     
     static struct sockaddr_in aws_broker;
     
     static uint8_t rx_buffer[MQTT_BUFFER_SIZE];
     static uint8_t tx_buffer[MQTT_BUFFER_SIZE];
     static uint8_t buffer[APP_BUFFER_SIZE]; /* Shared between published and received messages */
     
     static struct mqtt_client client_ctx;
     
     static const char mqtt_client_name[] = CONFIG_AWS_THING_NAME;
     
     static uint32_t messages_received_counter;
     static bool do_publish;	  /* Trigger client to publish */
     static bool do_subscribe; /* Trigger client to subscribe */
     
     #if (CONFIG_AWS_MQTT_PORT == 443 && !defined(CONFIG_MQTT_LIB_WEBSOCKET))
     static const char * const alpn_list[] = {"x-amzn-mqtt-ca"};
     #endif
     
     #define TLS_TAG_DEVICE_CERTIFICATE 1
     #define TLS_TAG_DEVICE_PRIVATE_KEY 1
     #define TLS_TAG_AWS_CA_CERTIFICATE 2
     
     static const sec_tag_t sec_tls_tags[] = {
     	TLS_TAG_DEVICE_CERTIFICATE,
     	TLS_TAG_AWS_CA_CERTIFICATE,
     };
     
     static int setup_credentials(void)
     {
     	int ret;
     
     	ret = tls_credential_add(TLS_TAG_DEVICE_CERTIFICATE, TLS_CREDENTIAL_SERVER_CERTIFICATE,
     				 public_cert, public_cert_len);
     	if (ret < 0) {
     		LOG_ERR("Failed to add device certificate: %d", ret);
     		goto exit;
     	}
     
     	ret = tls_credential_add(TLS_TAG_DEVICE_PRIVATE_KEY, TLS_CREDENTIAL_PRIVATE_KEY,
     				 private_key, private_key_len);
     	if (ret < 0) {
     		LOG_ERR("Failed to add device private key: %d", ret);
     		goto exit;
     	}
     
     	ret = tls_credential_add(TLS_TAG_AWS_CA_CERTIFICATE, TLS_CREDENTIAL_CA_CERTIFICATE, ca_cert,
     				 ca_cert_len);
     	if (ret < 0) {
     		LOG_ERR("Failed to add device private key: %d", ret);
     		goto exit;
     	}
     
     exit:
     	return ret;
     }
     
     static int subscribe_topic(void)
     {
     	int ret;
     	struct mqtt_topic topics[] = {{
     		.topic = {.utf8 = CONFIG_AWS_SUBSCRIBE_TOPIC,
     			  .size = strlen(CONFIG_AWS_SUBSCRIBE_TOPIC)},
     		.qos = CONFIG_AWS_QOS,
     	}};
     	const struct mqtt_subscription_list sub_list = {
     		.list = topics,
     		.list_count = ARRAY_SIZE(topics),
     		.message_id = 1u,
     	};
     
     	LOG_INF("Subscribing to %hu topic(s)", sub_list.list_count);
     
     	ret = mqtt_subscribe(&client_ctx, &sub_list);
     	if (ret != 0) {
     		LOG_ERR("Failed to subscribe to topics: %d", ret);
     	}
     
     	return ret;
     }
     
     static int publish_message(const char *topic, size_t topic_len, uint8_t *payload,
     			   size_t payload_len)
     {
     	static uint32_t message_id = 1u;
     
     	int ret;
     	struct mqtt_publish_param msg;
     
     	msg.retain_flag = 0u;
     	msg.message.topic.topic.utf8 = topic;
     	msg.message.topic.topic.size = topic_len;
     	msg.message.topic.qos = CONFIG_AWS_QOS;
     	msg.message.payload.data = payload;
     	msg.message.payload.len = payload_len;
     	msg.message_id = message_id++;
     
     	ret = mqtt_publish(&client_ctx, &msg);
     	if (ret != 0) {
     		LOG_ERR("Failed to publish message: %d", ret);
     	}
     
     	LOG_INF("PUBLISHED on topic \"%s\" [ id: %u qos: %u ], payload: %u B", topic,
     		msg.message_id, msg.message.topic.qos, payload_len);
     	LOG_HEXDUMP_DBG(payload, payload_len, "Published payload:");
     
     	return ret;
     }
     
     static ssize_t handle_published_message(const struct mqtt_publish_param *pub)
     {
     	int ret;
     	size_t received = 0u;
     	const size_t message_size = pub->message.payload.len;
     	const bool discarded = message_size > APP_BUFFER_SIZE;
     
     	LOG_INF("RECEIVED on topic \"%s\" [ id: %u qos: %u ] payload: %u / %u B",
     		(const char *)pub->message.topic.topic.utf8, pub->message_id,
     		pub->message.topic.qos, message_size, APP_BUFFER_SIZE);
     
     	while (received < message_size) {
     		uint8_t *p = discarded ? buffer : &buffer[received];
     
     		ret = mqtt_read_publish_payload_blocking(&client_ctx, p, APP_BUFFER_SIZE);
     		if (ret < 0) {
     			return ret;
     		}
     
     		received += ret;
     	}
     
     	if (!discarded) {
     		LOG_HEXDUMP_DBG(buffer, MIN(message_size, 256u), "Received payload:");
     	}
     
     	/* Send ACK */
     	switch (pub->message.topic.qos) {
     	case MQTT_QOS_1_AT_LEAST_ONCE: {
     		struct mqtt_puback_param puback;
     
     		puback.message_id = pub->message_id;
     		mqtt_publish_qos1_ack(&client_ctx, &puback);
     	} break;
     	case MQTT_QOS_2_EXACTLY_ONCE: /* unhandled (not supported by AWS) */
     	case MQTT_QOS_0_AT_MOST_ONCE: /* nothing to do */
     	default:
     		break;
     	}
     
     	return discarded ? -ENOMEM : received;
     }
     
     const char *mqtt_evt_type_to_str(enum mqtt_evt_type type)
     {
     	static const char *const types[] = {
     		"CONNACK", "DISCONNECT", "PUBLISH", "PUBACK",	"PUBREC",
     		"PUBREL",  "PUBCOMP",	 "SUBACK",  "UNSUBACK", "PINGRESP",
     	};
     
     	return (type < ARRAY_SIZE(types)) ? types[type] : "<unknown>";
     }
     
     static void mqtt_event_cb(struct mqtt_client *client, const struct mqtt_evt *evt)
     {
     	LOG_DBG("MQTT event: %s [%u] result: %d", mqtt_evt_type_to_str(evt->type), evt->type,
     		evt->result);
     
     	switch (evt->type) {
     	case MQTT_EVT_CONNACK: {
     		do_subscribe = true;
     	} break;
     
     	case MQTT_EVT_PUBLISH: {
     		const struct mqtt_publish_param *pub = &evt->param.publish;
     
     		handle_published_message(pub);
     		messages_received_counter++;
     #if !defined(CONFIG_AWS_TEST_SUITE_RECV_QOS1)
     		do_publish = true;
     #endif
     	} break;
     
     	case MQTT_EVT_SUBACK: {
     #if !defined(CONFIG_AWS_TEST_SUITE_RECV_QOS1)
     		do_publish = true;
     #endif
     	} break;
     
     	case MQTT_EVT_PUBACK:
     	case MQTT_EVT_DISCONNECT:
     	case MQTT_EVT_PUBREC:
     	case MQTT_EVT_PUBREL:
     	case MQTT_EVT_PUBCOMP:
     	case MQTT_EVT_PINGRESP:
     	case MQTT_EVT_UNSUBACK:
     	default:
     		break;
     	}
     }
     
     static void aws_client_setup(void)
     {
     	mqtt_client_init(&client_ctx);
     
     	client_ctx.broker = &aws_broker;
     	client_ctx.evt_cb = mqtt_event_cb;
     
     	client_ctx.client_id.utf8 = (uint8_t *)mqtt_client_name;
     	client_ctx.client_id.size = sizeof(mqtt_client_name) - 1;
     	client_ctx.password = NULL;
     	client_ctx.user_name = NULL;
     
     	client_ctx.keepalive = CONFIG_MQTT_KEEPALIVE;
     
     	client_ctx.protocol_version = MQTT_VERSION_3_1_1;
     
     	client_ctx.rx_buf = rx_buffer;
     	client_ctx.rx_buf_size = MQTT_BUFFER_SIZE;
     	client_ctx.tx_buf = tx_buffer;
     	client_ctx.tx_buf_size = MQTT_BUFFER_SIZE;
     
     	/* setup TLS */
     	client_ctx.transport.type = MQTT_TRANSPORT_SECURE;
     	struct mqtt_sec_config *const tls_config = &client_ctx.transport.tls.config;
     
     	tls_config->peer_verify = TLS_PEER_VERIFY_REQUIRED;
     	tls_config->cipher_list = NULL;
     	tls_config->sec_tag_list = sec_tls_tags;
     	tls_config->sec_tag_count = ARRAY_SIZE(sec_tls_tags);
     	tls_config->hostname = CONFIG_AWS_ENDPOINT;
     	tls_config->cert_nocopy = TLS_CERT_NOCOPY_NONE;
     #if (CONFIG_AWS_MQTT_PORT == 443 && !defined(CONFIG_MQTT_LIB_WEBSOCKET))
     	tls_config->alpn_protocol_name_list = alpn_list;
     	tls_config->alpn_protocol_name_count = ARRAY_SIZE(alpn_list);
     #endif
     }
     
     struct backoff_context {
     	uint16_t retries_count;
     	uint16_t max_retries;
     
     #if defined(CONFIG_AWS_EXPONENTIAL_BACKOFF)
     	uint32_t attempt_max_backoff; /* ms */
     	uint32_t max_backoff;	      /* ms */
     #endif
     };
     
     static void backoff_context_init(struct backoff_context *bo)
     {
     	__ASSERT_NO_MSG(bo != NULL);
     
     	bo->retries_count = 0u;
     	bo->max_retries = MAX_RETRIES;
     
     #if defined(CONFIG_AWS_EXPONENTIAL_BACKOFF)
     	bo->attempt_max_backoff = BACKOFF_EXP_BASE_MS;
     	bo->max_backoff = BACKOFF_EXP_MAX_MS;
     #endif
     }
     
     /* https://aws.amazon.com/blogs/architecture/exponential-backoff-and-jitter/ */
     static void backoff_get_next(struct backoff_context *bo, uint32_t *next_backoff_ms)
     {
     	__ASSERT_NO_MSG(bo != NULL);
     	__ASSERT_NO_MSG(next_backoff_ms != NULL);
     
     #if defined(CONFIG_AWS_EXPONENTIAL_BACKOFF)
     	if (bo->retries_count <= bo->max_retries) {
     		*next_backoff_ms = sys_rand32_get() % (bo->attempt_max_backoff + 1u);
     
     		/* Calculate max backoff for the next attempt (~ 2**attempt) */
     		bo->attempt_max_backoff = MIN(bo->attempt_max_backoff * 2u, bo->max_backoff);
     		bo->retries_count++;
     	}
     #else
     	*next_backoff_ms = BACKOFF_CONST_MS;
     #endif
     }
     
     static int aws_client_try_connect(void)
     {
     	int ret;
     	uint32_t backoff_ms;
     	struct backoff_context bo;
     
     	backoff_context_init(&bo);
     
     	while (bo.retries_count <= bo.max_retries) {
     		ret = mqtt_connect(&client_ctx);
     		if (ret == 0) {
     			goto exit;
     		}
     
     		backoff_get_next(&bo, &backoff_ms);
     
     		LOG_ERR("Failed to connect: %d backoff delay: %u ms", ret, backoff_ms);
     		k_msleep(backoff_ms);
     	}
     
     exit:
     	return ret;
     }
     
     struct publish_payload {
     	uint32_t counter;
     };
     
     static const struct json_obj_descr json_descr[] = {
     	JSON_OBJ_DESCR_PRIM(struct publish_payload, counter, JSON_TOK_NUMBER),
     };
     
     static int publish(void)
     {
     	struct publish_payload pl = {.counter = messages_received_counter};
     
     	json_obj_encode_buf(json_descr, ARRAY_SIZE(json_descr), &pl, buffer, sizeof(buffer));
     
     	return publish_message(CONFIG_AWS_PUBLISH_TOPIC, strlen(CONFIG_AWS_PUBLISH_TOPIC), buffer,
     			       strlen(buffer));
     }
     
     void aws_client_loop(void)
     {
     	int rc;
     	int timeout;
     	struct pollfd fds;
     
     	aws_client_setup();
     
     	rc = aws_client_try_connect();
     	if (rc != 0) {
     		goto cleanup;
     	}
     
     	fds.fd = client_ctx.transport.tcp.sock;
     	fds.events = POLLIN;
     
     	for (;;) {
     		timeout = mqtt_keepalive_time_left(&client_ctx);
     		rc = poll(&fds, 1u, timeout);
     		if (rc >= 0) {
     			if (fds.revents & POLLIN) {
     				rc = mqtt_input(&client_ctx);
     				if (rc != 0) {
     					LOG_ERR("Failed to read MQTT input: %d", rc);
     					break;
     				}
     			}
     
     			if (fds.revents & (POLLHUP | POLLERR)) {
     				LOG_ERR("Socket closed/error");
     				break;
     			}
     
     			rc = mqtt_live(&client_ctx);
     			if ((rc != 0) && (rc != -EAGAIN)) {
     				LOG_ERR("Failed to live MQTT: %d", rc);
     				break;
     			}
     		} else {
     			LOG_ERR("poll failed: %d", rc);
     			break;
     		}
     
     		if (do_publish) {
     			do_publish = false;
     			publish();
     		}
     
     		if (do_subscribe) {
     			do_subscribe = false;
     			subscribe_topic();
     		}
     	}
     
     cleanup:
     	mqtt_disconnect(&client_ctx);
     
     	close(fds.fd);
     	fds.fd = -1;
     }
     
     int sntp_sync_time(void)
     {
     	int rc;
     	struct sntp_time now;
     	struct timespec tspec;
     
     	// rc = sntp_simple(SNTP_SERVER, SYS_FOREVER_MS, &now);
     	rc = sntp_simple("0.pool.ntp.org", SYS_FOREVER_MS, &now);
     	if (rc == 0) {
     		tspec.tv_sec = now.seconds;
     		tspec.tv_nsec = ((uint64_t)now.fraction * (1000lu * 1000lu * 1000lu)) >> 32;
     
     		clock_settime(CLOCK_REALTIME, &tspec);
     
     		LOG_DBG("Acquired time from NTP server: %u", (uint32_t)tspec.tv_sec);
     	} else {
     		LOG_ERR("Failed to acquire SNTP, code %d\n", rc);
     	}
     	return rc;
     }
     
     static int resolve_broker_addr(struct sockaddr_in *broker)
     {
     	int ret;
     	struct addrinfo *ai = NULL;
     
     	const struct addrinfo hints = {
     		.ai_family = AF_INET,
     		.ai_socktype = SOCK_STREAM,
     		.ai_protocol = 0,
     	};
     	char port_string[6] = {0};
     
     	sprintf(port_string, "%d", AWS_BROKER_PORT);
     	ret = getaddrinfo(CONFIG_AWS_ENDPOINT, port_string, &hints, &ai);
     	if (ret == 0) {
     		char addr_str[INET_ADDRSTRLEN];
     
     		memcpy(broker, ai->ai_addr, MIN(ai->ai_addrlen, sizeof(struct sockaddr_storage)));
     
     		inet_ntop(AF_INET, &broker->sin_addr, addr_str, sizeof(addr_str));
     		LOG_INF("Resolved: %s:%u", addr_str, htons(broker->sin_port));
     	} else {
     		LOG_ERR("failed to resolve hostname err = %d (errno = %d)", ret, errno);
     	}
     
     	freeaddrinfo(ai);
     
     	return ret;
     }
     
     // static void lte_handler(const struct lte_lc_evt *const evt)
     // {
     //     if ((evt->type == LTE_LC_EVT_NW_REG_STATUS) &&
     //         (evt->nw_reg_status == LTE_LC_NW_REG_REGISTERED_HOME ||
     //          evt->nw_reg_status == LTE_LC_NW_REG_REGISTERED_ROAMING)) {
     //         k_sem_give(&lte_connected);
     //     }
     // }
     
     static void lte_handler(const struct lte_lc_evt *const evt)
     {
         switch (evt->type)
         {
         case LTE_LC_EVT_NW_REG_STATUS:
             if ((evt->nw_reg_status != LTE_LC_NW_REG_REGISTERED_HOME) &&
                 (evt->nw_reg_status != LTE_LC_NW_REG_REGISTERED_ROAMING))
             {
                 break;
             }
             LOG_INF("Network registration status: %s",
                    evt->nw_reg_status == LTE_LC_NW_REG_REGISTERED_HOME ? "Connected - home network" : "Connected - roaming");
             k_sem_give(&lte_connected);
             break;
         case LTE_LC_EVT_RRC_UPDATE:
             LOG_INF("RRC mode: %s", evt->rrc_mode == LTE_LC_RRC_MODE_CONNECTED ? "Connected" : "Idle");
             break;
         default:
             break;
         }
     }
     static int modem_configure(void)
     {
         int err = nrf_modem_lib_init();
         if (err) {
             return err;
         }
         err = lte_lc_connect_async(lte_handler);
         if (err) {
             return err;
         }
         k_sem_take(&lte_connected, K_FOREVER);
         return 0;
     }
     // #include <modem/lte_lc.h>
     
     // void wait_for_lte(void)
     // {
     // 	int err;
     // 	printk("Connecting to LTE...\n");
     // 	err = lte_lc_init_and_connect();
     // 	if (err) {
     // 		printk("LTE connect failed: %d\n", err);
     // 		return;
     // 	}
     // 	printk("LTE connected.\n");
     // }
     
     int main(void)
     {
     	modem_configure();
     #if defined(CONFIG_NET_DHCPV4)
     	app_dhcpv4_startup();
     #endif
     // wait_for_lte();
     
     	sntp_sync_time();
     
     	setup_credentials();
     
     	for (;;) {
     		resolve_broker_addr(&aws_broker);
     
     		aws_client_loop();
     
     #if defined(CONFIG_MBEDTLS_MEMORY_DEBUG)
     		size_t cur_used, cur_blocks, max_used, max_blocks;
     
     		mbedtls_memory_buffer_alloc_cur_get(&cur_used, &cur_blocks);
     		mbedtls_memory_buffer_alloc_max_get(&max_used, &max_blocks);
     		LOG_INF("mbedTLS heap usage: MAX %u/%u (%u) CUR %u (%u)", max_used,
     			CONFIG_MBEDTLS_HEAP_SIZE, max_blocks, cur_used, cur_blocks);
     #endif
     
     		k_sleep(K_SECONDS(1));
     	}
     
     	return 0;
     }
     

     
     
     

     #aws iot mqtt example proj config
     CONFIG_AWS_IOT_LOG_LEVEL_DBG=y
     CONFIG_AWS_TEST_SUITE_DQP=n
     
     CONFIG_MAIN_STACK_SIZE=4096
     CONFIG_ENTROPY_GENERATOR=y
     CONFIG_TEST_RANDOM_GENERATOR=y
     CONFIG_INIT_STACKS=y
     CONFIG_HW_STACK_PROTECTION=y
     CONFIG_REQUIRES_FULL_LIBC=y
     CONFIG_SNTP=y
     CONFIG_JSON_LIBRARY=y
     CONFIG_POSIX_API=y
     
     # DNS
     CONFIG_DNS_RESOLVER=y
     CONFIG_DNS_RESOLVER_ADDITIONAL_BUF_CTR=2
     CONFIG_DNS_RESOLVER_MAX_SERVERS=1
     CONFIG_DNS_SERVER_IP_ADDRESSES=y
     CONFIG_DNS_SERVER1="8.8.8.8"
     CONFIG_NET_SOCKETS_DNS_TIMEOUT=5000
     CONFIG_DNS_RESOLVER_LOG_LEVEL_DBG=n
     
     # Generic networking options
     CONFIG_NETWORKING=y
     CONFIG_NET_UDP=y
     CONFIG_NET_TCP=y
     CONFIG_NET_IPV6=y
     CONFIG_NET_IPV4=y
     CONFIG_NET_SOCKETS=y
     CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
     
     # Logging
     CONFIG_LOG=y
     
     # Network buffers
     CONFIG_NET_PKT_RX_COUNT=32
     CONFIG_NET_PKT_TX_COUNT=16
     CONFIG_NET_BUF_RX_COUNT=64
     CONFIG_NET_BUF_TX_COUNT=32
     
     # MQTT
     CONFIG_MQTT_LIB=y
     CONFIG_MQTT_LIB_TLS=y
     CONFIG_MQTT_KEEPALIVE=600
     CONFIG_MQTT_LIB_TLS_USE_ALPN=y
     
     # TLS
     CONFIG_NRF_SECURITY=y
     CONFIG_MBEDTLS_TLS_LIBRARY=y
     CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
     CONFIG_MBEDTLS_ENABLE_HEAP=y
     CONFIG_MBEDTLS_HEAP_SIZE=65536
     CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
     CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
     CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y
     CONFIG_MBEDTLS_AES_ROM_TABLES=y
     CONFIG_MBEDTLS_TLS_VERSION_1_2=y
     CONFIG_MBEDTLS_MEMORY_DEBUG=y
     CONFIG_MBEDTLS_HAVE_TIME_DATE=y
     CONFIG_MBEDTLS_SSL_ALPN=y
     # CONFIG_NRF_SECURITY=y
     # CONFIG_MBEDTLS_ENABLE_HEAP=y
     # CONFIG_MBEDTLS_HEAP_SIZE=65536
     # CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
     # CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
     # CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y
     # CONFIG_MBEDTLS_TLS_VERSION_1_2=y
     CONFIG_MBEDTLS_SSL_CLI_C=y
     CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=y
     
     CONFIG_MBEDTLS_SSL_SRV_C=y
     CONFIG_MBEDTLS_SSL_CLI_C=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
     
     CONFIG_HEAP_MEM_POOL_SIZE=16384
     
     CONFIG_MBEDTLS_CIPHER=y
     CONFIG_MBEDTLS_MD=y
     
     # Required mbedTLS dependencies
     CONFIG_MBEDTLS_PK_C=y
     CONFIG_MBEDTLS_PK_PARSE_C=y
     CONFIG_MBEDTLS_PK_WRITE_C=y
     CONFIG_MBEDTLS_RSA_C=y
     CONFIG_MBEDTLS_PKCS1_V15=y
     CONFIG_MBEDTLS_ECP_C=y
     CONFIG_MBEDTLS_ECDSA_C=y
     CONFIG_MBEDTLS_ECDH_C=y
     CONFIG_MBEDTLS_DHM_C=y
     CONFIG_MBEDTLS_GCM_C=y
     CONFIG_MBEDTLS_SHA256_C=y
     CONFIG_MBEDTLS_X509_USE_C=y
     CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
     
     CONFIG_MBEDTLS_RSA_C=y
     CONFIG_MBEDTLS_DHM_C=y
     
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=y
     CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION=y
     CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y
     
     
     
     CONFIG_CONSOLE=n #for wifi uart keep this n
     CONFIG_USE_SEGGER_RTT=y
     CONFIG_RTT_CONSOLE=y
     CONFIG_LOG_BACKEND_RTT=y
     CONFIG_LOG_BACKEND_UART=n
     CONFIG_UART_CONSOLE=n
     
     CONFIG_NRF_MODEM_LIB=y
     CONFIG_LTE_LINK_CONTROL=y
     
     
     # Let the modem handle sockets, DNS, and SNTP
     CONFIG_NET_NATIVE=n
     CONFIG_NET_SOCKETS_OFFLOAD=y
     
     CONFIG_SNTP_LOG_LEVEL_DBG=y
     
     

     #aws iot mqtt example proj config
     CONFIG_AWS_IOT_LOG_LEVEL_DBG=y
     CONFIG_AWS_TEST_SUITE_DQP=n
     
     CONFIG_MAIN_STACK_SIZE=4096
     CONFIG_ENTROPY_GENERATOR=y
     CONFIG_TEST_RANDOM_GENERATOR=y
     CONFIG_INIT_STACKS=y
     CONFIG_HW_STACK_PROTECTION=y
     CONFIG_REQUIRES_FULL_LIBC=y
     CONFIG_SNTP=y
     CONFIG_JSON_LIBRARY=y
     CONFIG_POSIX_API=y
     
     # DNS
     CONFIG_DNS_RESOLVER=y
     CONFIG_DNS_RESOLVER_ADDITIONAL_BUF_CTR=2
     CONFIG_DNS_RESOLVER_MAX_SERVERS=1
     CONFIG_DNS_SERVER_IP_ADDRESSES=y
     CONFIG_DNS_SERVER1="8.8.8.8"
     CONFIG_NET_SOCKETS_DNS_TIMEOUT=5000
     CONFIG_DNS_RESOLVER_LOG_LEVEL_DBG=n
     
     # Generic networking options
     CONFIG_NETWORKING=y
     CONFIG_NET_UDP=y
     CONFIG_NET_TCP=y
     CONFIG_NET_IPV6=y
     CONFIG_NET_IPV4=y
     CONFIG_NET_SOCKETS=y
     CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
     
     # Logging
     CONFIG_LOG=y
     
     # Network buffers
     CONFIG_NET_PKT_RX_COUNT=32
     CONFIG_NET_PKT_TX_COUNT=16
     CONFIG_NET_BUF_RX_COUNT=64
     CONFIG_NET_BUF_TX_COUNT=32
     
     # MQTT
     CONFIG_MQTT_LIB=y
     CONFIG_MQTT_LIB_TLS=y
     CONFIG_MQTT_KEEPALIVE=600
     CONFIG_MQTT_LIB_TLS_USE_ALPN=y
     
     # TLS
     CONFIG_NRF_SECURITY=y
     CONFIG_MBEDTLS_TLS_LIBRARY=y
     CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
     CONFIG_MBEDTLS_ENABLE_HEAP=y
     CONFIG_MBEDTLS_HEAP_SIZE=65536
     CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
     CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
     CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y
     CONFIG_MBEDTLS_AES_ROM_TABLES=y
     CONFIG_MBEDTLS_TLS_VERSION_1_2=y
     CONFIG_MBEDTLS_MEMORY_DEBUG=y
     CONFIG_MBEDTLS_HAVE_TIME_DATE=y
     CONFIG_MBEDTLS_SSL_ALPN=y
     # CONFIG_NRF_SECURITY=y
     # CONFIG_MBEDTLS_ENABLE_HEAP=y
     # CONFIG_MBEDTLS_HEAP_SIZE=65536
     # CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
     # CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
     # CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y
     # CONFIG_MBEDTLS_TLS_VERSION_1_2=y
     CONFIG_MBEDTLS_SSL_CLI_C=y
     CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=y
     
     CONFIG_MBEDTLS_SSL_SRV_C=y
     CONFIG_MBEDTLS_SSL_CLI_C=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
     
     CONFIG_HEAP_MEM_POOL_SIZE=16384
     
     CONFIG_MBEDTLS_CIPHER=y
     CONFIG_MBEDTLS_MD=y
     
     # Required mbedTLS dependencies
     CONFIG_MBEDTLS_PK_C=y
     CONFIG_MBEDTLS_PK_PARSE_C=y
     CONFIG_MBEDTLS_PK_WRITE_C=y
     CONFIG_MBEDTLS_RSA_C=y
     CONFIG_MBEDTLS_PKCS1_V15=y
     CONFIG_MBEDTLS_ECP_C=y
     CONFIG_MBEDTLS_ECDSA_C=y
     CONFIG_MBEDTLS_ECDH_C=y
     CONFIG_MBEDTLS_DHM_C=y
     CONFIG_MBEDTLS_GCM_C=y
     CONFIG_MBEDTLS_SHA256_C=y
     CONFIG_MBEDTLS_X509_USE_C=y
     CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
     
     CONFIG_MBEDTLS_RSA_C=y
     CONFIG_MBEDTLS_DHM_C=y
     
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
     CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=y
     CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION=y
     CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y
     
     
     
     CONFIG_CONSOLE=n #for wifi uart keep this n
     CONFIG_USE_SEGGER_RTT=y
     CONFIG_RTT_CONSOLE=y
     CONFIG_LOG_BACKEND_RTT=y
     CONFIG_LOG_BACKEND_UART=n
     CONFIG_UART_CONSOLE=n
     
     CONFIG_NRF_MODEM_LIB=y
     CONFIG_LTE_LINK_CONTROL=y
     
     
     # Let the modem handle sockets, DNS, and SNTP
     CONFIG_NET_NATIVE=n
     CONFIG_NET_SOCKETS_OFFLOAD=y
     
     CONFIG_SNTP_LOG_LEVEL_DBG=y
     
     

Best regards,
Milan Pipaliya

Hi Milan,

Milan Pipaliya said:

When we try to set the certificates using nRF Connect app → Cellular Monitor → Cellular Manager, we first apply CFUN=4, add the certificates, and set the security tag. However, it continuously shows “cert updating” and never completes the update process.

You can double-check if you have properly generated certificates using Cellular Monitor Certificate Manager. Do you have a screenshot which shows "cert updating"?

Milan Pipaliya said:

The aws_iot example project configuration includes MCUboot and other system settings. Because of this, our custom PCB does not boot properly — it seems the reason is that no child image is created. There are multiple configuration files such as board/board.conf, sysbuild/proj.conf, and the main project config, which makes it a bit confusing how the child image is actually executed. If you have any suggestions on how to handle this, that would be very helpful.

Below are some resources related to sysbuild:
sysbuild
configuring sysbuild
sysbuild
sysbuild images
sysbuild explained
migrating to sysbuild

Milan Pipaliya said:

In the aws_iot_mqtt example, we can successfully build and run it on our custom PCB. The cellular connection, certificate, and endpoint setup all complete correctly. However, we’re facing two runtime issues:

• SNTP time error: It returns error -22, but when we debug and execute slowly, it sometimes succeeds in getting the time.

• AWS connection error: It gives error -116, even though our certificates and endpoint are configured correctly.

Can you share complete log which shows mentioned errors?

Best regards,
Dejan

Hi Milan,

Milan Pipaliya said:

When we try to set the certificates using nRF Connect app → Cellular Monitor → Cellular Manager, we first apply CFUN=4, add the certificates, and set the security tag. However, it continuously shows “cert updating” and never completes the update process.

You can double-check if you have properly generated certificates using Cellular Monitor Certificate Manager. Do you have a screenshot which shows "cert updating"?

Milan Pipaliya said:

The aws_iot example project configuration includes MCUboot and other system settings. Because of this, our custom PCB does not boot properly — it seems the reason is that no child image is created. There are multiple configuration files such as board/board.conf, sysbuild/proj.conf, and the main project config, which makes it a bit confusing how the child image is actually executed. If you have any suggestions on how to handle this, that would be very helpful.

Below are some resources related to sysbuild:
sysbuild
configuring sysbuild
sysbuild
sysbuild images
sysbuild explained
migrating to sysbuild

Milan Pipaliya said:

In the aws_iot_mqtt example, we can successfully build and run it on our custom PCB. The cellular connection, certificate, and endpoint setup all complete correctly. However, we’re facing two runtime issues:

• SNTP time error: It returns error -22, but when we debug and execute slowly, it sometimes succeeds in getting the time.

• AWS connection error: It gives error -116, even though our certificates and endpoint are configured correctly.

Can you share complete log which shows mentioned errors?

Best regards,
Dejan

Hi Dejan,

Thank you for the support.

Our aws_iot_mqtt sample is now running properly on our custom PCB, and certificates + endpoint configuration are working fine. However, we are still facing one issue:

Issue: Long connection delay after reset/flash

Many times, when we reset the board or flash the firmware, the modem shows the log:

After this long wait, the device eventually connects and successfully sends data to AWS IoT.
So the connection works correctly, but the initial attach sometimes takes a very long time.

If needed, we can share logs for the cases where the connection delay happens.

Please suggest what could cause this restricted LTE wait or how we can avoid this long delay during attach.

we try in coap client example code and some time we want this kind of issue also facing

we are using hologram esim 

Best regards,
Milan

Hi Milan,

Which network does your device connect to?

Milan Pipaliya said:

Issue: Long connection delay after reset/flash

Many times, when we reset the board or flash the firmware, the modem shows the log:

Waiting 30 minutes – restricted LTE network

Can you check if your device encountered modem reset loop restriction?
Reset loop can be detected by the modem. Please have a look at modem domain event notifications %MDMEV.

Best regards,
Dejan

we have network of hologram esim lte network

we not reset we only flash new code that time starting 30 minutes restriction after code work as it is

Hi,

Milan Pipaliya said:

we have network of hologram esim lte network

Which network operator does your device connect to? Can you provide link to your network operator's webpage?

Have you checked if you get any additional message when using previously mentioned %MDMEV?

Is your device able to recover and continue to work as expected after 30 minutes restriction has passed?

Best regards,
Dejan

now when i after publish then when we safe disconnect cellular, and dis connect aws after we reset and flash this 30 minute issue not occurs