Connecting device to AWS IoT Core (aws_fota)

I've been trying to connect my device to AWS IoT for a week, but I'm getting the same error "no matter what" I do (ERROR: mqtt_connect -45), which seemingly is an authorization issue of some kind?

Here are the exact steps I'm doing to connect my device:

  1. Register my thing in AWS IoT Core.
    1. I register a single thing
    2. I create a certificate using one-click certificate creation, I download the public key, private key, the Amazon Root CA 1, and I click activate.
    3. I attach a policy matching the one given in
  2. I load the project and configure my device
    1. I load the project from Open nRF Connect SDK Project (using the fw-nrfconnect-nrf v1.0.0)
      1. CMakeLists.txt -> ncs/nrf/samples/nrf9160/aws_fota/CMakeLists.txt
      2. Board directory -> ncs/zephyr/boards/arm/nrf9160_pca10090
      3. Board name -> nrf9160_pca10090ns
      4. Build directory -> ncs/nrf/samples/nrf9160/aws_fota/build_nrf9160_pca10090ns
    2. I put the contents of the certificates in the certificates.h file. CLOUD_CLIENT_PRIVATE_KEY is the private key, CLOUD_CLIENT_PUBLIC_CERTIFICATE is the public key and CLOUD_CA_CERTIFICATE is Amazon Root CA 1.
    3. I go to Project -> Configure nRF Connect SDK Project -> menuconfig
      1. I set the AWS IoT MQTT broker hostname to the URL found in things -> <my-thing-name> -> Interact -> HTTPS
      2. I set the AWS IoT MQTT broker port to 8883
      3. I set the Custom MQTT Client Id to <my-thing-name>
      4. I uncheck Use provisioned certificates
  3. I flash the sample onto the board
    1. I go to Build -> Build and Debug
    2. When the debug screen appears I click the green arrow in the top right corner which runs the program.

This process gives the following output:

LTE Link Connecting ...

LTE Link Connected!

IPv4 Address 0x68e7dd12

client_id: <my-thing-name>

ERROR: mqtt_connect -45

Please help me resolve this as I can't identify which step(s) I'm missing.

Thank you in advance. 

  • By checking the error codes, mqtt_connect: -45 means operation not supported on the socket. This is usually caused by a misconfiguration of the certificates which are provisioned.

    Unchecking Use provisioned certificates will provide certificates to the security tag selected in the Kconfig. I don't think you need to add the CONFIG_NRF_CLOUD_PROVISION_CERTIFICATES=y option as this would be for the nRF Cloud library.

    From what I can see from your post, your problem is probably what you state here: "CLOUD_CLIENT_PUBLIC_CERTIFICATE is the public key".

    This is not your public key, but your public certificate from AWS. The file generated from AWS is usually formatted in the following form: <certificate-set-id>-certificate.pem.crt. This file, as mentioned before, has -----BEGIN CERTIFICATE----- at the beginning of the file. The private key file should have -----BEGIN RSA PRIVATE KEY----- at the beginning, and the file format is usually <certificate-set-id>-private.pem.key.

    It's also important, as mentioned before, that you follow the formatting of the certificates.h file by having \n endings at the end of each new line in the certificates.h header file.

    I do recommend that, after provisioning your certificates and getting a successful MQTT connection, you check the Use provisioned certificates option again. This reduces the tear on the modem flash by not writing the certificates again to the modem. Also, by having the option unchecked, your certificates will be stored in the firmware image and, when flashed, in the flash of the device. By re-enabling the option, you avoid both these problems.
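The two checks from the answer above (the right PEM type in each macro, and a \n at the end of every line), as an added host-side example that is not part of the original thread or of the nRF Connect SDK. The function names are hypothetical, the sample PEM blocks are constructed placeholders, and the macro layout (one quoted line per PEM line, joined with backslash continuations) is an assumption about how certificates.h is laid out.

```python
import re

# Macro names are the ones the thread uses in certificates.h; the expected PEM
# labels are the ones the answer gives for the AWS-generated files.
EXPECTED_LABEL = {
    "CLOUD_CA_CERTIFICATE": "CERTIFICATE",
    "CLOUD_CLIENT_PUBLIC_CERTIFICATE": "CERTIFICATE",
    "CLOUD_CLIENT_PRIVATE_KEY": "RSA PRIVATE KEY",
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed placeholders, not real certificate or key material.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "Q09OU1RSVUNURUQtQ0VSVA==\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_PUBKEY = ("-----BEGIN PUBLIC KEY-----\n"
                 "Q09OU1RSVUNURUQtUFVC\n"
                 "-----END PUBLIC KEY-----\n")


def pem_label(pem_text):
    """Return the label of the single PEM block in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    return blocks[0][0]


def to_c_define(macro, pem_text):
    """Render a PEM file as a C string macro, one "...\\n" literal per line."""
    expected, label = EXPECTED_LABEL[macro], pem_label(pem_text)
    if label != expected:
        raise ValueError(f"{macro} needs '{expected}' but the file is '{label}'")
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    body = " \\\n".join(f'\t"{ln}\\n"' for ln in lines)
    return f"#define {macro} \\\n{body}\n"


if __name__ == "__main__":
    print(to_c_define("CLOUD_CLIENT_PUBLIC_CERTIFICATE", SAMPLE_CERT))
    try:  # the mistake from the question: a public key in the certificate slot
        to_c_define("CLOUD_CLIENT_PUBLIC_CERTIFICATE", SAMPLE_PUBKEY)
    except ValueError as err:
        print("rejected:", err)
```

Run it against the downloaded AWS files by reading each one and passing its text with the matching macro name; the private key output belongs only in a local, uncommitted certificates.h.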