Changing AWS Region Endpoint for Sending MQTT Messages in AWS_IoT

Hello,

I created a device on AWS and corresponding certificates/shadows on the us-west-1 server.  I'm able to successfully connect and send to this endpoint, but want to migrate to a different region on AWS.  Is it necessary to create new certificates for the device on the new region and re-provision the device?  I'm using a version of the aws_iot sample in nRF Connect 1.8.0 and was under the impression that I could change the endpoint by changing the prj.conf file field CONFIG_AWS_IOT_BROKER_HOST_NAME to the new endpoint, but when I try to connect I get the error

E: Cloud MQTT input error: -128.

The only thing changed between the working and non-working versions is the CONFIG_AWS_IOT_BROKER_HOST_NAME so this seems to be the cause.  Is there a simple way to use the same device with the same certificate to send to a different endpoint without starting the whole provisioning/certificate process over?

Thanks!

  • Hi Jake,

    1) I think the "migrate" here means using the same configuration to create a new endpoint; they have different names, so they are basically two separate endpoints. When you add the thing device into the new endpoint, you should generate certificates for this new setup.

    2) I am not sure if the two endpoints generate the same certificates or not, but you should be able to verify. Let me give you some background knowledge first. The MQTT communication needs two-way TLS authentication, so your thing and device need to have the following authentication data ready. In the Create a thing in AWS IoT process, AWS helps you generate the yellow parts and stores the Cellular Device Certificate. For different endpoints, I am not sure if they use the same algorithm and the same input (assume you use the same thing name and so on, but maybe some endpoint-related inputs are different) to generate the keys. You can go through the process and compare whether these data are the same or not from the two endpoints.

    • Cellular Device (Client)
      • AWS Cloud CA (AWS Root CA)
      • Cellular Device Certificate with Public Key
      • Cellular Device Private Key for decryption (MQTT/FOTA)
    • AWS Cloud endpoint (Server)
      • Cellular Device Certificate
      • AWS Cloud Certificate with Public Key
      • AWS Cloud Private Key for decryption

    Best regards,

    Charlie
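As an added example (not code from the original thread or from the nRF Connect sample), a small Python pre-flight check for the two things discussed above: that CONFIG_AWS_IOT_BROKER_HOST_NAME actually names an endpoint in the target region, and that the device's certificate is registered in that region before a connection is attempted. It assumes AWS IoT's certificate ID is the hex SHA-256 fingerprint of the DER-encoded certificate; the prj.conf text, certificate bytes and registered-ID list are constructed.

```python
"""Pre-flight checks before pointing an nRF Connect aws_iot build at another AWS region.
Constructed example: the prj.conf text, certificate bytes and registered IDs are made up."""
import base64
import hashlib
import re
import ssl
from typing import List, Optional

HOST_KEY = "CONFIG_AWS_IOT_BROKER_HOST_NAME"
# Hostname shapes of AWS IoT data endpoints: <id>.iot.<region>.amazonaws.com or
# <id>-ats.iot.<region>.amazonaws.com (the latter chains to the Amazon Trust Services root).
ENDPOINT_RE = re.compile(r"^[a-z0-9]+(-ats)?\.iot\.([a-z]{2}-[a-z]+-\d)\.amazonaws\.com$")


def broker_region(prj_conf: str) -> Optional[str]:
    """Region encoded in CONFIG_AWS_IOT_BROKER_HOST_NAME, or None if unset or malformed."""
    m = re.search(rf'^{HOST_KEY}="([^"]+)"\s*$', prj_conf, re.MULTILINE)
    if not m:
        return None
    host = ENDPOINT_RE.match(m.group(1))
    return host.group(2) if host else None


def cert_id(pem: str) -> str:
    """Assumption: AWS IoT's certificateId is the lowercase hex SHA-256 of the DER certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def check_migration(prj_conf: str, target_region: str, device_pem: str,
                    registered_ids: List[str]) -> List[str]:
    """Return the problems that would make the connection to the new region fail."""
    problems = []
    region = broker_region(prj_conf)
    if region is None:
        problems.append(f"{HOST_KEY} missing or not an AWS IoT endpoint")
    elif region != target_region:
        problems.append(f"endpoint is in {region}, expected {target_region}")
    # Certificates are registered per region, so the device's own certificate must
    # appear in the target region's list (e.g. from `aws iot list-certificates`).
    if cert_id(device_pem) not in registered_ids:
        problems.append("device certificate is not registered in the target region")
    return problems


# Constructed sample data: not a real certificate, just bytes wrapped in PEM armour.
DEVICE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-device-cert").decode() +
              "\n-----END CERTIFICATE-----\n")
OLD_CONF = f'{HOST_KEY}="a1b2c3d4e5-ats.iot.us-west-1.amazonaws.com"\n'
NEW_CONF = f'{HOST_KEY}="a1b2c3d4e5-ats.iot.eu-west-1.amazonaws.com"\n'
```

Feed it the real prj.conf text, the device's PEM and the certificate IDs listed for the target region; an empty problem list means the hostname and the registration are both consistent with that region.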
