Additional info: looking into AWS "Diagnosing connectivity issues", specifically the 'Authentication' part, validating the configured certificate, testing the connection to our AWS thing with the same settings used on our stream:
- endpoint
- certificate
- private key
`openssl s_client -connect aqwkc=SALTED_KEY=q0m0-ats.iot.us-east-2.amazonaws.com:8443 -CAfile c:\CA.pem -cert c:\cert.pem -key c:\key.pem
CONNECTED(000001A0)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.iot.us-east-2.amazonaws.com
verify return:1
Certificate chain
0 s:CN = *.iot.us-east-2.amazonaws.com
i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 24 00:00:00 2021 GMT; NotAfter: Aug 3 23:59:59 2022 GMT
1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
i:C = US, O = Amazon, CN = Amazon Root CA 1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 22 00:00:00 2015 GMT; NotAfter: Oct 19 00:00:00 2025 GMT
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
Server certificate
subject=CN = *.iot.us-east-2.amazonaws.com
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA512:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 5527 bytes and written 1622 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 2DCC0B8689D45C4374314C6D03FB469C692E8327C0D403B56A9757937C2A96C6
Session-ID-ctx:
Master-Key: 17E1AFFA62D107=SALTED_KEY=4A24B57AFC0E5F714C8ABF
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1648621402
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---`
If the verification is OK for the same info in the stream settings, what else could be the reason for our flespi stream failing to connect?
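
The manual check above can be scripted. The following is an added example, not part of the original post: it parses an `openssl s_client` transcript and reports the server-chain verify code, the negotiated TLS parameters, whether the server asked for a client certificate, and whether each chain certificate is inside its validity window. `parse_s_client`, `_utc` and `SAMPLE` are hypothetical names, and the sample is a constructed excerpt in the shape of the transcript.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt in the shape of the transcript above (indented as openssl prints it).
SAMPLE = """\
Certificate chain
 0 s:CN = *.iot.us-east-2.amazonaws.com
   v:NotBefore: Aug 24 00:00:00 2021 GMT; NotAfter: Aug  3 23:59:59 2022 GMT
 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   v:NotBefore: Oct 22 00:00:00 2015 GMT; NotAfter: Oct 19 00:00:00 2025 GMT
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
No ALPN negotiated
Verify return code: 0 (ok)
"""

def _utc(stamp):
    # openssl pads single-digit days with a space ("Aug  3"); normalise before parsing.
    clean = " ".join(stamp.split())
    return datetime.strptime(clean, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_s_client(text, now):
    """Summarise an `openssl s_client` transcript as seen at `now` (aware UTC datetime)."""
    code = re.search(r"Verify return code: (\d+)", text)
    tls = re.search(r"^New, ([^,]+), Cipher is (\S+)", text, re.M)
    alpn = re.search(r"^ALPN protocol: (\S+)", text, re.M)
    report = {
        # Result of validating the *server's* chain against -CAfile; 0 means trusted.
        "verify_code": int(code.group(1)) if code else None,
        "protocol": tls.group(1) if tls else None,
        "cipher": tls.group(2) if tls else None,
        # This line appears when the server asked for a client certificate.
        "client_cert_requested": "Client Certificate Types:" in text,
        "alpn": alpn.group(1) if alpn else None,
        "chain": [],
    }
    subject = None
    for line in text.splitlines():
        s = re.match(r"\s*\d+ s:(.*)", line)
        if s:
            subject = s.group(1).strip()
        v = re.search(r"NotBefore: (.+?) GMT; NotAfter: (.+?) GMT", line)
        if v and subject:
            start, end = _utc(v.group(1)), _utc(v.group(2))
            report["chain"].append({"subject": subject, "in_validity": start <= now <= end})
            subject = None
    return report

if __name__ == "__main__":
    # 1648621402 is the session "Start Time" shown in the transcript.
    print(parse_s_client(SAMPLE, datetime.fromtimestamp(1648621402, tz=timezone.utc)))
```

The verify code covers the server's chain only, so a report with `verify_code` 0 does not by itself show how the endpoint treated the client certificate and key.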