NRF54L15 AWS IoT MQTT connection issues. Where to store device cert files.

Hi everyone,

I’ve been following the AWS IoT sample, but so far I haven’t been able to establish a connection.

We’re running on a custom board using the nRF54L15, connected to a Quectel EG915 modem via UART. We have a thread managing the PPP connection: it brings the interface up (net_if_up()) and waits for the L4 connection events. Once the connection is established, we perform an SNTP sync using the IPv4 address resolved with zsock_getaddrinfo(). After the time sync completes, a callback notifies the AWS IoT MQTT worker to start the MQTT connection.

Issue 1: DNS Resolution for the AWS IoT Broker

DNS resolution for the broker fails unless we force a static IP.
This is the logic:

	if (sizeof(CONFIG_MQTT_HELPER_STATIC_IP_ADDRESS) > 1) {
		conn_params->hostname.ptr = CONFIG_MQTT_HELPER_STATIC_IP_ADDRESS;

		LOG_DBG("Using static IP address: %s", CONFIG_MQTT_HELPER_STATIC_IP_ADDRESS);
	} else {
		LOG_DBG("Resolving IP address for %s", conn_params->hostname.ptr);
	}

	err = zsock_getaddrinfo(conn_params->hostname.ptr, NULL, &hints, &result);
	if (err) {
		LOG_ERR("getaddrinfo() failed, error %d", err);
		return -err;
	}

zsock_getaddrinfo() returns -3, which is strange because the same function works fine for resolving the NTP server.
Even more confusing: on the SIM card portal, we can see the DNS query for the AWS broker happening correctly — yet our code still times out.

To move forward, we tried defining CONFIG_MQTT_HELPER_STATIC_IP_ADDRESS with the IPv4 address, but we still cannot connect.
The connection returns -116 (timeout). Initially we suspected a certificate issue, but again, from the SIM portal we can see a response coming back from the server — but since it’s TLS, we can’t decode it.

Has anyone experienced this? Could it be related to the PPP setup?

I've attached the key parts of my prj.conf below.

Issue 2: Handling Certificates in Production

What is the recommended way to manage certificates securely on the nRF54L15?

We’ve looked at the TF-M examples, but we’re still unsure how this should work in a real production workflow.

Key questions:

How should certificates be provisioned on a production device?
Can they be embedded in the firmware image and then stored securely by TF-M at runtime?
Should they be erased from normal flash afterwards?
What’s the typical workflow for securely flashing these assets when manufacturing devices?

Any insight from someone who has already implemented this would be extremely helpful.

# CONFIG_SENSOR=y
CONFIG_I2C=y
CONFIG_GPIO=y
CONFIG_GPIO_PCA953X=y
CONFIG_COUNTER=y
CONFIG_COUNTER_MICROCHIP_MCP7940N=y
CONFIG_NFCT_PINS_AS_GPIOS=y
CONFIG_RTC=y

CONFIG_LOG=y
CONFIG_USE_SEGGER_RTT=y
CONFIG_CONSOLE=y
CONFIG_RTT_CONSOLE=y
CONFIG_UART_CONSOLE=n

CONFIG_SERIAL=y
CONFIG_UART_INTERRUPT_DRIVEN=y

CONFIG_ADC=y
CONFIG_NRFX_SAADC=y
CONFIG_NRFX_GPPI=y

CONFIG_NRFX_TIMER22=y

CONFIG_BT=y
CONFIG_BT_DEVICE_NAME="smart"
# CONFIG_BT_CTLR_TX_PWR_0=y
# CONFIG_BT_CTLR_TX_PWR_PLUS_3=y
CONFIG_BT_CTLR_TX_PWR_PLUS_4=y
# CONFIG_BT_CTLR_TX_PWR_MINUS_40=y

# FOTA over Bluetooth
# CONFIG_BT_PERIPHERAL=y
CONFIG_BOOTLOADER_MCUBOOT=y
# CONFIG_BT_SMP=y
# CONFIG_MCUMGR=y
# CONFIG_NET_BUF=y
# CONFIG_ZCBOR=y
# CONFIG_MCUMGR_TRANSPORT_BT=y
# CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
# CONFIG_MCUMGR_GRP_IMG=y
# CONFIG_MCUMGR_GRP_OS=y
# CONFIG_MCUMGR_GRP_OS_BOOTLOADER_INFO=y
# CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y
# CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN=y

CONFIG_PWM=y
CONFIG_CLOCK_CONTROL=y
# CONFIG_SPI=y

CONFIG_WDT_LOG_LEVEL_INF=n
CONFIG_WATCHDOG=y
CONFIG_WDT_DISABLE_AT_BOOT=n

CONFIG_REQUIRES_FLOAT_PRINTF=y

CONFIG_CRC=y

CONFIG_ENTROPY_GENERATOR=y
CONFIG_REQUIRES_FULL_LIBC=y
CONFIG_JSON_LIBRARY=y
CONFIG_TEST_RANDOM_GENERATOR=y
CONFIG_INIT_STACKS=y
CONFIG_HW_STACK_PROTECTION=y

# NVS for persistent storage
CONFIG_ZMS=y

# Flash for FOTA
CONFIG_FLASH=y
CONFIG_FLASH_MAP=y
CONFIG_STREAM_FLASH=y
CONFIG_IMG_MANAGER=y

# POSIX
CONFIG_POSIX_API=y
CONFIG_POSIX_NETWORKING=y
CONFIG_ZVFS_OPEN_MAX=21
CONFIG_POSIX_FD_MGMT=n
CONFIG_POSIX_MESSAGE_PASSING=n
CONFIG_POSIX_THREAD_THREADS_MAX=0

# Networking over PPP
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=y
CONFIG_NET_L2_PPP=y
CONFIG_NET_IPV4=y
CONFIG_NET_UDP=y
CONFIG_NET_TCP=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

# DNS
CONFIG_NET_LOG=y
CONFIG_DNS_RESOLVER=y
CONFIG_NET_L2_PPP_OPTION_DNS_USE=n
CONFIG_DNS_SERVER_IP_ADDRESSES=y
CONFIG_DNS_SERVER1="8.8.8.8"
CONFIG_DNS_RESOLVER_MAX_SERVERS=1
CONFIG_DNS_RESOLVER_ADDITIONAL_BUF_CTR=2
CONFIG_NET_SOCKETS_DNS_TIMEOUT=5000
CONFIG_DNS_RESOLVER_LOG_LEVEL_DBG=y

# SNTP
CONFIG_SNTP=y

# Network management
CONFIG_NET_MGMT=y
CONFIG_NET_MGMT_EVENT=y
CONFIG_NET_CONNECTION_MANAGER=y
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NET_CONFIG_NEED_IPV4=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_MAX_CONN=6
CONFIG_NET_SOCKETS_POLL_MAX=8
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_NET_CONTEXT_SNDTIMEO=y
CONFIG_NET_CONTEXT_RCVTIMEO=y
CONFIG_NET_MAX_CONTEXTS=3

# PSA Crypto for SHA-1 (recommended over legacy mbedtls)
CONFIG_NRF_SECURITY=y
CONFIG_PSA_WANT_ALG_SHA_1=y

# AWS IoT Core
CONFIG_AWS_IOT=y
CONFIG_AWS_IOT_BROKER_HOST_NAME="aaaaaaa.eu-west-1.amazonaws.com"
CONFIG_MQTT_HELPER_STATIC_IP_ADDRESS="100.100.100.100"
CONFIG_AWS_IOT_CLIENT_ID_STATIC="" # Should be fetched directly in runtime
CONFIG_AWS_IOT_CLIENT_ID_MAX_LEN=40
CONFIG_AWS_IOT_TOPIC_UPDATE_DELTA_SUBSCRIBE=y
CONFIG_AWS_IOT_TOPIC_GET_ACCEPTED_SUBSCRIBE=y
CONFIG_AWS_IOT_TOPIC_GET_REJECTED_SUBSCRIBE=y
CONFIG_AWS_IOT_LOG_LEVEL_DBG=y

# MQTT helper library
CONFIG_MQTT_HELPER=y
CONFIG_MQTT_HELPER_SEC_TAG=201
CONFIG_MQTT_HELPER_LAST_WILL=y
CONFIG_MQTT_HELPER_LOG_LEVEL_DBG=y
CONFIG_MQTT_HELPER_PORT=8883
CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=n

# MQTT - Maximum MQTT keepalive timeout specified by AWS IoT Core
CONFIG_MQTT_KEEPALIVE=1200
CONFIG_MQTT_CLEAN_SESSION=y

# TLS (provided by nRF Security, not builtin)
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=1
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=n
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y

CONFIG_TLS_CREDENTIALS=y
CONFIG_TLS_CREDENTIALS_BACKEND_VOLATILE=y
CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
# CONFIG_BUILD_WITH_TFM=y
# CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE=y

# Modem subsystem
CONFIG_MODEM=y
CONFIG_PM_DEVICE=y
CONFIG_MODEM_CELLULAR=y
CONFIG_MODEM_CELLULAR_APN="onomondo"

# Statistics
CONFIG_MODEM_STATS=n
CONFIG_SHELL=n

# Logging
CONFIG_MODEM_MODULES_LOG_LEVEL_DBG=y

# NET buffers
CONFIG_NET_PKT_TX_COUNT=6
CONFIG_NET_PKT_RX_COUNT=6
CONFIG_NET_BUF_TX_COUNT=12
CONFIG_NET_BUF_RX_COUNT=6

# Modem buffers
CONFIG_MODEM_CMUX_MTU=512
CONFIG_MODEM_CMUX_WORK_BUFFER_SIZE=520

# Stack Sizes
CONFIG_NET_TX_STACK_SIZE=2048
CONFIG_NET_RX_STACK_SIZE=2048
CONFIG_NET_MGMT_EVENT_STACK_SIZE=1024
## For workers
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_ISR_STACK_SIZE=512
CONFIG_MQTT_HELPER_STACK_SIZE=4096

# Heap sizes
CONFIG_HEAP_MEM_POOL_IGNORE_MIN=y
CONFIG_MBEDTLS_HEAP_SIZE=45000
CONFIG_HEAP_MEM_POOL_SIZE=32000

Best regards,

Fernando Fontes

Top Replies

Emil Lenngren 5 months ago in reply to Fernando Fontes +1

Fernando Fontes said: I want to protect certs from being read essentially, to avoid impersonating of the machine. This does not make sense. A certificate does not contain any secret credentials; just…

0 Sigurd Hellesvik 5 months ago in reply to Fernando Fontes

Fernando Fontes said:
For TLS I've these settings:

CONFIG_MBEDTLS_TLS_LIBRARY=y

CONFIG_MBEDTLS_X509_LIBRARY=y

CONFIG_MBEDTLS_RSA_C=y

CONFIG_MBEDTLS_PKCS1_V15=y

CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=1

CONFIG_MBEDTLS=y

CONFIG_MBEDTLS_ENABLE_HEAP=y

CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=n

CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y

I dont see any enabling of PSA algorithms in either this or your above prj.conf.

Try to enable the same algorithms as the PSA TLS sample.
PS: Keep an eye out for Kconfig Override Warnings

Fernando Fontes said:
I want to protect certs from being read essentially, to avoid impersonating of the machine.

Good and clear answer!

So as I said below:
"As you can see, Mbed TLS runs in NSPE, meaning that the certificates has to be in NSPE when you run TLS, no matter what. "

That said, you can still store the certs in SPE during rest.
Looking a bit around to explain this I remembered that we do have provisioning support for credentials for our Wi-Fi solution. And that is "cert handling in the nRF application", which is essentially the same as you do.

So I recommend that you have a look at how we do it in the SoftAP Wi-Fi provision sample and the SoftAP Wi-Fi provision library, as well as the docs on Wi-Fi Management.

Does this explain what you need?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Fernando Fontes 5 months ago in reply to Sigurd Hellesvik

Hi, thank you for the ongoing support,

Sigurd Hellesvik said:
I dont see any enabling of PSA algorithms in either this or your above prj.conf.

Try to enable the same algorithms as the PSA TLS sample.
PS: Keep an eye out for Kconfig Override Warnings

I had these:

CONFIG_NRF_SECURITY=y

CONFIG_PSA_WANT_ALG_SHA_1=y

CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y

CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y

CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y

But I've enabled all the others that you mentioned but still, I'm getting -116.

I also have a TLS error now sometimes:

[00:00:25.510,201] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:25.510,477] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20004a00, pkt=0x2002a44c, st=0, user_data=0
[00:00:25.750,041] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=1905346554 Ack=573331281 Len=512 [ESTABLISHED Seq=573331281 Ack=1905346554]
[00:00:25.750,348] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:25.750,624] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20004a00, pkt=0x2002a44c, st=0, user_data=0
[00:00:25.989,981] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=1905347066 Ack=573331281 Len=512 [ESTABLISHED Seq=573331281 Ack=1905347066]
[00:00:25.990,288] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:25.990,565] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20004a00, pkt=0x2002a44c, st=0, user_data=0
[00:00:26.229,805] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=1905347578 Ack=573331281 Len=512 [ESTABLISHED Seq=573331281 Ack=1905347578]
[00:00:26.230,112] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:26.230,388] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20004a00, pkt=0x2002a44c, st=0, user_data=0
[00:00:26.470,041] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK Seq=1905348090 Ack=573331281 Len=512 [ESTABLISHED Seq=573331281 Ack=1905348090]
[00:00:26.470,341] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:26.470,614] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20004a00, pkt=0x2002a44c, st=0, user_data=0
[00:00:26.472,440] <dbg> net_tcp: net_tcp_recv: (): context: 0x20004a00, cb: 0x23a21, user_data: 0
[00:00:26.473,245] <dbg> net_tcp: tcp_send_data: (): conn: 0x2002a55c total=7, unacked_len=7, send_win=1280, mss=1460
[00:00:26.473,547] <dbg> net_tcp: tcp_send_data: (): conn: 0x2002a55c send_data_timer=0, send_data_retries=0
[00:00:26.473,964] <err> net_sock_tls: TLS handshake error: -0x3b00
[00:00:26.478,312] <dbg> net_sock: zsock_close_ctx: (): close: ctx=0x20004a00, fd=6
[00:00:26.478,678] <dbg> net_tcp: net_tcp_recv: (): context: 0x20004a00, cb: 0, user_data: 0
[00:00:26.478,912] <dbg> net_sock: zsock_flush_queue: (): discarding pkt 0x2002a44c
[00:00:26.479,184] <dbg> net_tcp: net_tcp_put: ():  [ESTABLISHED Seq=573331281 Ack=1905348602]
[00:00:26.479,408] <dbg> net_tcp: net_tcp_put: (): context 0x20004a00 CONNECTED
[00:00:26.479,613] <dbg> net_tcp: net_tcp_put: (): conn 0x2002a55c pending 7 bytes
[00:00:26.479,844] <dbg> net_tcp: tcp_conn_unref: (): conn: 0x2002a55c, ref_count=2
[00:00:26.480,059] <err> mqtt_helper: mqtt_connect, error: -113
[00:00:26.480,254] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_TRANSPORT_CONNECTING --> MQTT_STATE_DISCONNECTED
[00:00:26.480,523] <err> aws_iot: mqtt_helper_connect, error: -113
[00:00:26.480,697] <err> connection: aws_iot_connect, error: -113
[00:00:26.692,924] <dbg> net_tcp: tcp_resend_data: (tcp_work): send_data_retries=0
[00:00:26.693,176] <dbg> net_tcp: tcp_new_reno_log: (tcp_work): conn: 0x2002a55c, ca timeout, cwnd=1460, ssthres=2920, fast_pend=0
[00:00:26.693,680] <dbg> net_tcp: tcp_send_data: (tcp_work): conn: 0x2002a55c total=7, unacked_len=7, send_win=1280, mss=1460
[00:00:26.694,021] <dbg> net_tcp: tcp_send_data: (tcp_work): conn: 0x2002a55c send_data_timer=0, send_data_retries=0
[00:00:26.730,618] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=1905348602 Ack=573331281 Len=371 [ESTABLISHED Seq=573331281 Ack=1905348602]
[00:00:26.730,926] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:26.731,533] <dbg> net_tcp: tcp_in: (rx_q[0]): FIN,ACK Seq=1905348973 Ack=573331288 Len=0 [ESTABLISHED Seq=573331281 Ack=1905348973]
[00:00:26.731,836] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:26.732,204] <dbg> net_tcp: tcp_setup_last_ack_timer: (rx_q[0]): TCP connection in passive close, not disposing yet (waiting 22753ms)
[00:00:26.732,525] <dbg> net_tcp: tcp_in: (rx_q[0]): ESTABLISHED->LAST_ACK
[00:00:26.852,418] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK Seq=1905348974 Ack=573331288 Len=0 [LAST_ACK Seq=573331289 Ack=1905348974]
[00:00:26.852,711] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:26.912,202] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK Seq=1905348974 Ack=573331288 Len=0 [LAST_ACK Seq=573331289 Ack=1905348974]
[00:00:26.912,496] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:26.945,272] <dbg> net_tcp: tcp_resend_data: (tcp_work): send_data_retries=0
[00:00:27.129,325] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK Seq=1905348974 Ack=573331289 Len=0 [LAST_ACK Seq=573331289 Ack=1905348974]
[00:00:27.129,617] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:27.129,876] <dbg> net_tcp: tcp_conn_close_debug: (rx_q[0]): conn: 0x2002a55c closed by TCP stack (tcp_in():3489)
[00:00:27.130,157] <dbg> net_tcp: tcp_conn_close_debug: (rx_q[0]): LAST_ACK->CLOSED
[00:00:27.130,369] <dbg> net_tcp: tcp_conn_unref: (rx_q[0]): conn: 0x2002a55c, ref_count=1
[00:00:27.130,643] <dbg> net_ctx: net_context_unref: (tcp_work): Context 0x20004a00 released

I also still see timeouts on different attempts:

[00:00:27.379,960] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x20004a00, pkt=0x2002a44c, st=0, user_data=0
[00:00:27.416,641] <dbg> net_sock: zsock_close_ctx: (): close: ctx=0x20004a00, fd=6
[00:00:27.416,873] <dbg> net_tcp: net_tcp_recv: (): context: 0x20004a00, cb: 0, user_data: 0
[00:00:27.417,152] <dbg> net_tcp: net_tcp_put: ():  [ESTABLISHED Seq=578166781 Ack=3654714008]
[00:00:27.417,376] <dbg> net_tcp: net_tcp_put: (): context 0x20004a00 CONNECTED
[00:00:27.417,592] <dbg> net_tcp: net_tcp_put: (): TCP connection in active close, not disposing yet (waiting 22753ms)
[00:00:27.418,278] <dbg> net_tcp: net_tcp_put: (): ESTABLISHED->FIN_WAIT_1
[00:00:27.418,483] <dbg> net_tcp: tcp_conn_unref: (): conn: 0x2002a55c, ref_count=2
[00:00:27.418,703] <err> mqtt_helper: mqtt_connect, error: -116
[00:00:27.418,882] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_TRANSPORT_CONNECTING --> MQTT_STATE_DISCONNECTED
[00:00:27.419,154] <err> aws_iot: mqtt_helper_connect, error: -116
[00:00:27.419,328] <err> connection: aws_iot_connect, error: -116
[00:00:27.703,358] <dbg> net_tcp: tcp_resend_data: (tcp_work): send_data_retries=0
[00:00:27.739,331] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3654714008 Ack=578166781 Len=512 [FIN_WAIT_1 Seq=578166782 Ack=3654714008]
[00:00:27.739,636] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:27.739,996] <dbg> net_tcp: net_tcp_reply_rst: (rx_q[0]): RST Seq=578166781 Len=0
[00:00:27.740,247] <dbg> net_tcp: tcp_in: (rx_q[0]): FIN_WAIT_1->TIME_WAIT
[00:00:27.740,825] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK Seq=3654714520 Ack=578166782 Len=0 [TIME_WAIT Seq=578166782 Ack=3654714008]
[00:00:27.741,118] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:27.998,799] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK Seq=3654714520 Ack=578166782 Len=0 [TIME_WAIT Seq=578166782 Ack=3654714008]
[00:00:27.999,088] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:28.030,475] <inf> sanitation_handler: [KP] Msta.: IDLE
[00:00:28.030,673] <inf> sanitation_handler: [IC] Msta.: RUNNING
[00:00:28.030,865] <inf> sanitation_handler: [CC] Msta.: IDLE
[00:00:28.031,058] <inf> sanitation_handler: [WF] Msta.: IDLE
[00:00:28.331,047] <inf> sanitation_handler: [DP] Msta.: IDLE
[00:00:28.331,256] <inf> sanitation_handler: [FJ] Msta.: IDLE
[00:00:28.379,026] <dbg> net_tcp: tcp_in: (rx_q[0]): ACK,PSH Seq=3654714008 Ack=578166782 Len=512 [TIME_WAIT Seq=578166782 Ack=3654714008]
[00:00:28.379,329] <dbg> net_tcp: tcp_in: (rx_q[0]): Lowering send window from 27648 to 1280
[00:00:28.379,569] <err> net_tcp: conn: 0x2002a55c, new bytes 513 during TIME-WAIT state sending reset
[00:00:28.379,932] <dbg> net_tcp: net_tcp_reply_rst: (rx_q[0]): RST Seq=578166782 Len=0
[00:00:29.239,974] <dbg> net_tcp: tcp_timewait_timeout: (tcp_work): conn: 0x2002a55c  [TIME_WAIT Seq=578166782 Ack=3654714008]
[00:00:29.240,269] <dbg> net_tcp: tcp_conn_close_debug: (tcp_work): conn: 0x2002a55c closed by TCP stack (tcp_timewait_timeout():1867)
[00:00:29.240,569] <dbg> net_tcp: tcp_conn_close_debug: (tcp_work): TIME_WAIT->CLOSED
[00:00:29.240,784] <dbg> net_tcp: tcp_conn_unref: (tcp_work): conn: 0x2002a55c, ref_count=1
[00:00:29.241,049] <dbg> net_ctx: net_context_unref: (tcp_work): Context 0x20004a00 released

Could it still be priority issues related for the timeouts at least?

What about the TLS error? It seems that the MCU is rejecting the CA certs from AWS. But I've checked more than once and I'm doing the provision as the examples:

    ret = tls_credential_add(CONFIG_MQTT_HELPER_SEC_TAG, TLS_CREDENTIAL_SERVER_CERTIFICATE, public_cert, public_cert_len);
    if (ret < 0)
    {
        LOG_ERR("Failed to add device certificate: %d", ret);
        goto exit;
    }

    ret = tls_credential_add(CONFIG_MQTT_HELPER_SEC_TAG, TLS_CREDENTIAL_PRIVATE_KEY, private_key, private_key_len);
    if (ret < 0)
    {
        LOG_ERR("Failed to add device private key: %d", ret);
        goto exit;
    }

    ret = tls_credential_add(CONFIG_MQTT_HELPER_SEC_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, ca_cert, ca_cert_len);
    if (ret < 0)
    {
        LOG_ERR("Failed to add device private key: %d", ret);
        goto exit;
    }

and I've used the convertkeys.py to generate the ca.c, cert.c and key.c files which are properly imported on the CMAKE:

# Copyright (c) 2023 Lucas Dietrich <[email protected]>
# SPDX-License-Identifier: Apache-2.0

import glob
import os


def bin2array(name, fin, fout):
    with open(fin, 'rb') as f:
        data = f.read()

    data += b'\0'  # add null terminator

    with open(fout, 'w') as f:
        f.write("#include <stdint.h>\n")
        f.write(f"const uint8_t {name}[] = {{")
        for i in range(0, len(data), 16):
            f.write("\n\t")
            f.write(", ".join(f"0x{b:02x}" for b in data[i:i+16]))
            f.write(",")
        f.write("\n};\n")
        f.write(f"const uint32_t {name}_len = sizeof({name});\n")

    print(
        f"[{name.center(13, ' ')}]: {os.path.relpath(fin)} -> {os.path.relpath(fout)}")


if __name__ == "__main__":
    creds_dir = os.path.dirname(os.path.realpath(__file__))

    creds = glob.glob(f"{creds_dir}/*.pem.*")

    cert_found, key_found = False, False

    for cred in creds:
        if cred.endswith('-certificate.pem.crt'):
            bin2array("public_cert", cred, os.path.join(creds_dir, "cert.c"))
            cert_found = True
        elif cred.endswith('-private.pem.key'):
            bin2array("private_key", cred, os.path.join(creds_dir, "key.c"))
            key_found = True

    if not cert_found:
        print("No certificate found !")
    if not key_found:
        print("No private key found !")

    bin2array("ca_cert", os.path.join(creds_dir, "AmazonRootCA1.pem"),
              os.path.join(creds_dir, "ca.c"))

I see that the CA certfile is received correctly by the MCU...

Best regards,

0 Emil Lenngren 5 months ago in reply to Fernando Fontes

Fernando Fontes said:
I want to protect certs from being read essentially, to avoid impersonating of the machine.

This does not make sense. A certificate does not contain any secret credentials; just identity information, public keys and signatures etc. Note that certificates are also typically sent in plaintext over the air (at least with TLS 1.2). What would make sense to store in a secure storage is the private key matching a certificate's public key, which is only useful in case you want that the server should authenticate the client (assuming nRF54 is the TLS client).
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Fernando Fontes 5 months ago in reply to Fernando Fontes

Fernando Fontes said:
I see that the CA certfile is received correctly by the MCU...

Best regards,

Ok, I was actually able to trace the TLS error that was mentioning that the cert file was not supported and after going through multiple samples and comparing the proj.conf I finally got it working and the Handshake was successufully done.

However, I was still hitting error -116 which was timeout?? Then at some point it worked without changing anything...

I've increased CONFIG_MBEDTLS_HEAP_SIZE=90000 and now it seems to work at first attempt most of the times, but still not sure if that was it. The value before was 45000. The problem is that my ram is now at 93%... And I'm afraid I will not have enough for the rest of the application.

Will leave it for now this way and after having the FOTA working I might go back to this and try to optimize...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sigurd Hellesvik 5 months ago in reply to Emil Lenngren

Fernando Fontes said:
However, I was still hitting error -116 which was timeout?? Then at some point it worked without changing anything...

If the error was there and then disappeared without you changing anything on the nRF side, it is hard to know what this could be. One guess would be that something changed on the server side. Maybe it was down for some minutes?

Fernando Fontes said:
I've increased CONFIG_MBEDTLS_HEAP_SIZE=90000 and now it seems to work at first attempt most of the times, but still not sure if that was it. The value before was 45000. The problem is that my ram is now at 93%... And I'm afraid I will not have enough for the rest of the application.

I see some samples where this number has similar high values, such as https://github.com/nrfconnect/sdk-nrf/commit/7b2927d92a5f5f9a17d3c65ceb5adba859358be7.

If you want to optimize this, I would suggest that you try to monitor the heap usage.
I did spend some time trying to monitor MbedTLS heap usage myself, but have not had any luck with that yet.

If you get back to try and optimize, feel free to let me know, and I will give it another go.

Emil Lenngren said:
This does not make sense. A certificate does not contain any secret credentials; just identity information, public keys and signatures etc. Note that certificates are also typically sent in plaintext over the air (at least with TLS 1.2). What would make sense to store in a secure storage is the private key matching a certificate's public key, which is only useful in case you want that the server should authenticate the client (assuming nRF54 is the TLS client).

Thaks for the clarification Emil!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel