
Do you have Amazon AWS Tutorial..? #58

Open
kittinook opened this issue Dec 13, 2018 · 133 comments

Comments

@kittinook

Hi, I'm interested in this board. Do you have an example of communication between the board and the AWS IoT cloud?

@botletics
Owner

Not currently, no. However, there are example AT command logs I have from SIMCom for Microsoft Azure which theoretically should work for other platforms like AWS IoT and anything that requires certificates. Basically you store the certificate in the SIM7000's EFS (electronic file system) and use the SSL commands to connect.

@kittinook
Author

Thanks for your fast response. Can you share the example AT command logs for Microsoft Azure? I can't find the example AT commands on this web page: http://www.simcomm2m.com/En/module/detail.aspx?id=175.

@botletics botletics pinned this issue Dec 18, 2018
@botletics
Owner

I can't share it publicly so you would have to order a Botletics shield before I could share it.

@bradleytompkins

Can you share these with me? We have purchased several botletics shields to experiment with, and are trying to get them talking to Azure IoT Hub.

@botletics
Owner

Please email me, botletics "at" gmail "dot" com.

@slipiduche

Not currently, no. However, there are example AT command logs I have from SIMCom for Microsoft Azure which theoretically should work for other platforms like AWS IoT and anything that requires certificates. Basically you store the certificate in the SIM7000's EFS (electronic file system) and use the SSL commands to connect.

Hi, is there some example that shows how to store and read data from the SIM7000's EFS?

@botletics
Owner

This should help but also check the related AT command manual.

@slipiduche

This should help but also check the related AT command manual.

Oh, thank you. I'm really confused; I don't know where to extract the .cer from. I mean, an SD card? A web server? Or a download from the PC? Where should I put the .cer to apply these commands?

Thanks so much.

@botletics
Owner

That depends on what platform you're using (Azure, AWS, etc.) and that file would be on your computer and sent to the SIM7000 via USB with AT commands.

@slipiduche

I have a doubt: what format must the certificate be in? I tried this

and it does not connect.

The AT log is this:
<---
OK
--->AT+CFSgfis=3,"root_ca.pem"
<---
+CFSGFIS: 1189

OK

+CNACT: 1,"100.100.197.199"

OK
--->AT+SMCONF="URL",a5xpqsmvbu9sq-ats.iot.us-west-2.amazonaws.com,8883

<---
OK
--->AT+SMCONF="CLIENTID",device2

<---
OK
--->AT+SMCONF="KEEPTIME",60

<---
OK
--->AT+SMCONF="CLEANSS",0

<---
OK
--->AT+SMCONF="QOS",0

<---
OK
--->AT+CSSLCFG?

<---
OK
--->AT+CSSLCFG="sslversion",0,3

<---
OK
--->AT+CSSLCFG=0,1,0

<---
ERROR

--->AT+CSSLCFG=convert,2,root_ca.pem

<---
OK
--->AT+CSSLCFG=convert,1,my_client.pem,my_key.pem

<---
OK
--->AT+CSSLCFG?

<---
OK
--->AT+CIPSTATUS
<---
OK

STATE: IP GPRSACT
--->AT+CIFSR
<---
100.100.197.199

--->AT+CIPSTATUS
<---
OK

STATE: IP STATUS
--->AT+SMSSL=1,root_ca.pem,my_client.pem

<---
OK
--->AT+SMSSL?

<---
+SMSSL: 1,"root_ca.pem","my_client.pem"

OK
--->AT+CSSLCFG?

<---
OK
--->AT+CGATT?

<---
+CGATT: 1

OK
--->AT+SMCONN

<---
ERROR

When I try a non-secure connection with CloudMQTT these commands work, but not with AWS.

@brunokruse

brunokruse commented May 10, 2019

Not currently, no. However, there are example AT command logs I have from SIMCom for Microsoft Azure which theoretically should work for other platforms like AWS IoT and anything that requires certificates. Basically you store the certificate in the SIM7000's EFS (electronic file system) and use the SSL commands to connect.

This issue should be open. I saw the azure example in your AT Command Logs; thank you for that. However, it seems AWS only supports Https. The firmware on some of the shields support SSL only via TCP. Is there info on specific firmware releases and features to confirm? I am using B017000G.

@botletics
Owner

Sorry, I'm not sure if there's anything on specific firmware versions.

@jefflikesbagels

jefflikesbagels commented Jun 22, 2019

I apologize in advance for my ignorance, as this is my first time programming a SIM7000. I am trying to perform the same task as above but using hologram.io. I created a new function in the Adafruit_FONA.cpp library and called it postDataHTTPS:

boolean Adafruit_FONA::postDataHTTPS(const char *request_type, const char *URL, const char *body, const char *token, uint32_t bodylen) {
  // NOTE: Need to open socket/enable GPRS before using this function
  // (request_type, token and bodylen are accepted but not used yet)

  sendCheckReply(F("AT+GMR"), ok_reply, 10000);                   // firmware revision, useful in the log
  sendCheckReply(F("AT+CNACT=1,\"hologram\""), ok_reply, 10000);  // activate the data context with the hologram APN
  sendCheckReply(F("AT+CNACT?"), ok_reply, 10000);                // report the assigned IP
  // Convert the CA certificate already stored in the module's EFS and bind it to the HTTPS stack
  sendCheckReply(F("AT+CSSLCFG=\"convert\",2,\"hologram.cer\""), ok_reply, 10000);
  sendCheckReply(F("AT+SHSSL=1,\"hologram.cer\""), ok_reply, 10000);

  // Build AT+SHCONF="URL","<URL>"; the fixed framing plus terminator fits in the extra 22 bytes
  char urlBuff[strlen(URL) + 22];
  sprintf(urlBuff, "AT+SHCONF=\"URL\",\"%s\"", URL);
  if (! sendCheckReply(urlBuff, ok_reply, 10000))
    return false;

  sendCheckReply(F("AT+SHCONF=\"BODYLEN\",100"), ok_reply, 10000);   // max body size the module reserves
  sendCheckReply(F("AT+SHCONF=\"HEADERLEN\",100"), ok_reply, 10000); // max header size
  sendCheckReply(F("AT+SHCONN"), ok_reply, 10000);                   // open the HTTPS connection

  // Build AT+SHBOD="<body>",100; the body's own quotes and commas are passed through unescaped
  char dataBuff[strlen(body) + 22];
  sprintf(dataBuff, "AT+SHBOD=\"%s\",100", body);
  sendCheckReply(dataBuff, ok_reply, 10000);

  sendCheckReply(F("AT+SHAHEAD=\"Content-Length\",\"120\""), ok_reply, 10000); // request header
  sendCheckReply(F("AT+SHSTATE?"), ok_reply, 10000);                          // query connection state
  sendCheckReply(F("AT+SHREQ=3"), ok_reply, 10000);                           // issue the request
  sendCheckReply(F("AT+SHREAD=0,227"), ok_reply, 10000);                      // read the response
  sendCheckReply(F("AT+SHDISC"), ok_reply, 10000);                            // close the connection

  return true;
}

I've been reading the SIM7000 documentation for the HTTPS commands, and I am struggling to get it working as I am sure I have mistakes somewhere. In my Arduino sketch I have the following:

        // Post data to website via 2G or LTE CAT-M/NB-IoT
        // Create char buffers for the floating point numbers for sprintf
        // Make sure these buffers are long enough for your request URL
        char URL[150];
        char body[100];
        char deviceID[] = "######";
        char tagID[] = "[\"_RESTAPI_\", \"WATER_LOW\"]";
        char message[] = "\"Water_Low\"";

        // POST request
        sprintf(URL, "https://dashboard.hologram.io/api/1/csr/rdm");
        sprintf(body, "{\"deviceid\": %s, \"tags\": %s, \"data\": %s}", deviceID, tagID, message);

        Serial.println(F("Attempting to perform HTTPS POST..."));
        Serial.print("URL: ");
        Serial.print(URL);
        Serial.println();
        Serial.print("Body: ");
        Serial.print(body);
        Serial.println();
        if (!fona.postDataHTTPS("POST", URL, body)){
          Serial.println(F("Failed to complete HTTPS POST!"));
        } else {
          Serial.println(F("Successfully performed HTTPS POST!"));
        }

When the sketch runs, I get the following on the serial monitor:

Attempting to perform HTTPS POST...
URL: https://dashboard.hologram.io/api/1/csr/rdm
Body: {"deviceid": ######, "tags": ["_RESTAPI_", "WATER_LOW"], "data": "Water_Low"}
	---> AT+GMR
	<--- Revision:1351B03SIM7000A
	---> AT+CNACT=1,"hologram"
	<--- ERROR
	---> AT+CNACT?
	<--- +CNACT: 1,"###.###.###.###"
	---> AT+CSSLCFG="convert",2,"hologram.cer"
	<--- ERROR
	---> AT+SHSSL=1,"hologram.cer"
	<--- OK
	---> AT+SHCONF="URL","https://dashboard.hologram.io/api/1/csr/rdm"
	<--- OK
	---> AT+SHCONF="BODYLEN",100
	<--- OK
	---> AT+SHCONF="HEADERLEN",100
	<--- OK
	---> AT+SHCONN
	<--- ERROR
	---> AT+SHBOD="{"deviceid": ######, "tags": ["_RESTAPI_", "WATER_LOW"], "data": "Water_Low"}",100
	<--- ERROR
	---> AT+SHAHEAD="Content-Length","120"
	<--- ERROR
	---> AT+SHSTATE?
	<--- +SHSTATE: 0
	---> AT+SHREQ=3
	<--- ERROR
	---> AT+SHREAD=0,227
	<--- ERROR
	---> AT+SHDISC
	<--- ERROR

I used the LTE_Demo example sketch as a building block, so I have all of the other associated code in place and working well to set up the SIM7000. It is also getting a proper IP address when I issue the AT+CNACT? command.

The first problem is the error on the AT+CSSLCFG command; I think that is preventing the AT+SHCONN and AT+SHBOD commands from working. I am also not sure how I should be handling the quotation marks and commas inside the body for the AT+SHBOD command. Do I simply prefix them with a backslash? Any ideas on what I could be doing wrong? I downloaded the top-level Starfield Class 2 Certification Authority key, which is below:


However, I am not sure how to include that in the AT+CSSLCFG command.

Edit: I was able to successfully install the QPST software and upload the CA key to the 'customer' directory in the alternate file system of the SIM7000. I now get an "OK" response on the AT+CSSLCFG command. However, I am still getting "ERROR" on the AT+SHCONN command. I wonder if it is related to the AT+CNACT command erroring out too? The following tool was helpful in getting some additional insight on how the certificates work: https://github.com/tmcadam/sim7000-tools

As well as this previous issue: #71

Thanks!

@TimRoadley

I'm having the same issues as @jefflikesbagels

In addition, I'm concerned that if I release these IoT devices to our customers then we will have to recall them all to update the root CA when those certificates expire.

I wonder if there's a way to force the device to trust the root CA regardless of who it is and then just continue with the HTTPS POST.

I think this would be ok, since the configuration on what we're sending to will be baked in to the firmware of our devices.

Thoughts?

@TimRoadley

TimRoadley commented Jun 23, 2019

In case it helps anyone, I managed to upload a cert with the following procedure (not using the EFS Explorer)

Copy a CA Root Cert (for the site you're trying to connect to) to the SIM7000:

  1. Go to ssltools.com
  2. Enter the website you want the root cert for (e.g. https://putsreq.com)
  3. Download the root certificate PEM, which should give you a .cer file
  4. Strip out all carriage returns and then count the characters in the cert file (look at the bottom of VSCode for a character count)

Use these commands to load the cert onto the SIM7000:

AT+CFSINIT
AT+CFSWFILE=3,"AddTrust.crt",0,1496,10000 <-- 1496 is the char length that you noted before
paste the cert data into the terminal within 10 seconds
AT+CFSTERM

This puts the cert in the 'customer' directory on the SIM7000. Tomorrow I'll see if this lets me make that HTTPS post; try your luck with this approach in the meantime.

@jefflikesbagels

jefflikesbagels commented Jun 23, 2019

@TimRoadley Thanks for the info. I've been thinking about how I can integrate all of this into the Arduino so I can remotely push a new certificate to the EEPROM using some creativity with hologram.io's tools, then use the AT+CFSWFILE command to write the certificate, but unfortunately I'm using an UNO which does not have enough EEPROM space to store the entire certificate. For my use case, I'm just doing a simple DIY project for a friend, so if it lasts until 2034 when the CA expires that's good enough for me haha. I guess I could expand the EEPROM with an additional chip, but at that point for all the extra work involved I might as well just switch to SMS alerts and pay the $0.20 per message instead.

What's strange is the ssltools site is giving me a 502 bad gateway when I tried to download the root certificate, but all of the others work. I originally just used Chrome to export it anyways. I think I am past the certificate part, so now I have to figure out why the AT+SHCONN command is failing.

@jefflikesbagels

jefflikesbagels commented Jun 25, 2019

Well this is frustrating. I did some more digging, and found another issue that is preventing me from making progress. According to the SIMCOM technical documentation, the max string size for the URL on the AT+SHCONF and AT+SHREQ commands is 64 bytes. For sending a data route through Hologram, the Arduino needs to do an HTTPS POST to the following URL:
https://dashboard.hologram.io/api/1/csr/rdm?apikey=##############################
I was not adding the API key before (duh - hologram was rejecting the API call), but now that I am adding it, the length of the URL is 81 bytes. I tried setting up an HTTP redirect on my personal web server to shorten the length, but the redirect prevents the hologram REST API from parsing the data properly.

One thing that helped me immensely was using the Restlet Client Chrome Extension. Between that and sifting through the Hologram REST API documentation again helped me figure out what format it's actually expecting.

Getting back to the issue at hand, it could be possible that the AT+SHCONN command fails because the Hologram API is rejecting the connection due to the incorrect URL (without the API key). Surely I am missing something here? The 64 byte URL limit is going to completely break the SIM7000's ability to do HTTPS POST commands to activate Hologram data routes. The next option may be using a TCP socket connection to Hologram Cloud: Socket API, Device Key. It looks like that would be the better solution anyways.

Sorry to derail a bit from the original intention of working with AWS, but I believe the procedure will be very similar to Hologram, so this development will still be beneficial. If I should create a separate issue tracker just let me know. It looks like AWS supports both HTTPS and MQTT calls, while Hologram supports HTTPS and TCP socket calls.

@TimRoadley

@jefflikesbagels out of interest what firmware version are you running (and what chip)?

My testing has paused since I blew up my SIM7000E with a firmware update. Be careful with firmware over the air (FOTA)!

@jefflikesbagels

@TimRoadley I have a SIM7000A running 1351B03SIM7000A firmware.

@TimRoadley

@jefflikesbagels

@TimRoadley Thanks, I went ahead and updated to B04 just for good measure.

I finally got the Arduino sending data to Hologram via the Socket API!!! The issue I found is very silly too. For the FONA library commands, a lot of them are used in the following (or a similar) fashion:

        // Connect to TCP server
        if (!fona.TCPconnect(host, port)) {
          Serial.println(F("Failed to connect to server!"));
          delay(5000);
          break;
        } else {
          Serial.println(F("Successfully connected to server!"));
        }
        delay(5000);
        // Send TCP payload
        if (!fona.TCPsend(TCPpayload,sizeof(TCPpayload))) {
          Serial.println(F("Failed to send TCP payload!"));
          delay(5000);
          break;
        }

Where there is an if statement checking whether the function returned false or true. With this code it was not working properly at all. However, on a whim I decided to try and simplify the code as much as possible, and removed all of these checks down to the following:

        fona.TCPconnect(host, port);
        fona.TCPsend(TCPpayload,sizeof(TCPpayload));
        fona.TCPclose();

And all of a sudden it started working! One thing I noticed before was that I would get the "failed to connect" message on the serial monitor, but would continue receiving responses from the SIM7000, almost like the code is getting ahead of itself. I know I've deviated really far from the original goal of using HTTPS POST, but give this a shot and see if it helps. It's possible that removing all of the extra if statements and logic will allow the SIM7000 to send data properly. Here's the final snippet of code for my TCP socket connection:

        // Send TCP payload to server via LTE CAT-M/NB-IoT
        char host[] = "cloudsocket.hologram.io";
        uint32_t port = 9999;
        char devicekey[] = "xxxxxxxx";
        char data[] = "Water_Low";
        char topics[] = "WATER_LOW";
        char TCPpayload[strlen(devicekey)+strlen(data)+strlen(topics)+24];
        sprintf(TCPpayload, "{\"k\":\"%s\",\"d\":\"%s\",\"t\":\"%s\"}", devicekey, data, topics);
        Serial.println(TCPpayload);

        // Connect to GPRS
        fona.enableGPRS(true);

        // Connect to TCP server
        fona.TCPconnect(host, port);

        // Send TCP payload
        fona.TCPsend(TCPpayload,sizeof(TCPpayload));

        // Disconnect from TCP server
        fona.TCPclose();

        // Disconnect from GPRS
        fona.enableGPRS(false);

@botletics
Owner

Hey guys, there is now a Botletics community forum that makes it easier to post questions and things. Feel free to join!

@sethivansh6

sethivansh6 commented Jul 18, 2020

In case it helps anyone, I managed to upload a cert with the following procedure (not using the EFS Explorer)

Copy a CA Root Cert (for the site you're trying to connect to) to the SIM7000:

  1. Go to ssltools.com
  2. Enter the website you want the root cert for (e.g. https://putsreq.com)
  3. Download the root certificate PEM, which should give you a .cer file
  4. Strip out all carriage returns and then count the characters in the cert file (look at the bottom of VSCode for a character count)

Use these commands to load the cert onto the SIM7000:

AT+CFSINIT
AT+CFSWFILE=3,"AddTrust.crt",0,1496,10000 <-- 1496 is the char length that you noted before
paste the cert data into the terminal within 10 seconds
AT+CFSTERM

This puts the cert in the 'customer' directory on the SIM7000. Tomorrow I'll see if this lets me make that HTTPS post; try your luck with this approach in the meantime.

@TimRoadley Hey, I did everything you stated, from downloading and removing carriage returns to sending. But I got an error while writing the command

AT+CFSWFILE=3,"dweet.crt",0,1901,10000
DOWNLOAD

ERROR

Do you know any reason why it happened?
Do I have to place that file in a certain folder? Or do I have to remove the BEGIN CERTIFICATE and END CERTIFICATE lines?

@blazczak
Copy link

@sethivansh6 ERROR during AT+CFSWFILE points at the module not receiving the (correct) file contents within the self-imposed time (you specified 10000 = 10 seconds). Perhaps there is a mismatch on the number of bytes (you specified 1901). No other content validation is performed in this step, it's just a straight EFS put.

Btw, when working in *nix command line, one can just wc -c (or even ls -l) the local file to get the exact number of bytes when preparing the transfer.
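The upload procedure above (strip carriage returns, count bytes, AT+CFSINIT / AT+CFSWFILE / AT+CFSTERM) and blazczak's diagnosis of the ERROR, as an added example that is not code from the Botletics library or from any poster: `normalise_pem`, `upload_cert` and the `FakePort` stand-in are this example's own constructions, the sample PEM is fake data with CRLF line endings, and the port is assumed to be pyserial-like (write() and readline()).

```python
"""Prepare a PEM CA certificate for AT+CFSWFILE and drive the upload exchange."""
from typing import List, Optional

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed sample: CRLF line endings as a Windows editor saves them and fake
# base64 content. A real root CA exported from the browser or ssltools.com goes here.
SAMPLE_PEM = (
    PEM_BEGIN + b"\r\n"
    + b"A" * 64 + b"\r\n"
    + b"B" * 32 + b"==\r\n"
    + PEM_END + b"\r\n"
)


def normalise_pem(data: bytes) -> bytes:
    """Step 4 of the procedure: drop carriage returns but keep the BEGIN/END lines.

    The module stores bytes verbatim, so the count given to AT+CFSWFILE must be
    taken from the stripped data, not from the file size as saved on disk.
    """
    if PEM_BEGIN not in data or PEM_END not in data:
        raise ValueError("not a PEM certificate: BEGIN/END CERTIFICATE lines missing")
    return data.replace(b"\r", b"")


def cfswfile_command(filename: str, length: int, timeout_ms: int = 10000) -> str:
    """AT+CFSWFILE for the 'customer' directory (index 3), no append, declared length."""
    return f'AT+CFSWFILE=3,"{filename}",0,{length},{timeout_ms}'


def _wait_for(port, token: bytes) -> bool:
    """Read reply lines until `token`; ERROR or a read timeout (empty read) fails."""
    while True:
        line = port.readline().strip()
        if not line:
            return False
        if line == token:
            return True
        if line == b"ERROR":
            return False


def upload_cert(port, filename: str, pem: bytes, declared_length: Optional[int] = None) -> bool:
    """AT+CFSINIT -> AT+CFSWFILE -> raw certificate bytes -> AT+CFSTERM.

    `port` needs write(bytes) and readline() -> bytes (pyserial's Serial fits).
    `declared_length` exists only to reproduce the failure seen in the thread: a
    count that differs from the bytes actually sent makes the module answer ERROR.
    """
    body = normalise_pem(pem)
    length = len(body) if declared_length is None else declared_length
    port.write(b"AT+CFSINIT\r\n")
    if not _wait_for(port, b"OK"):
        return False
    port.write(cfswfile_command(filename, length).encode() + b"\r\n")
    if not _wait_for(port, b"DOWNLOAD"):
        port.write(b"AT+CFSTERM\r\n")
        return False
    port.write(body)  # exactly len(body) bytes, inside the timeout window
    ok = _wait_for(port, b"OK")
    port.write(b"AT+CFSTERM\r\n")
    _wait_for(port, b"OK")
    return ok


class FakePort:
    """Constructed stand-in for the module so the exchange runs offline.

    It answers like the log in the thread (DOWNLOAD, then OK or ERROR) and
    accepts the payload only when its size equals the declared length.
    """

    def __init__(self) -> None:
        self.written: List[bytes] = []
        self._replies: List[bytes] = []
        self._expected: Optional[int] = None

    def write(self, data: bytes) -> None:
        self.written.append(data)
        if self._expected is not None:  # payload phase
            self._replies.append(b"OK\r\n" if len(data) == self._expected else b"ERROR\r\n")
            self._expected = None
            return
        line = data.strip()
        if line in (b"AT+CFSINIT", b"AT+CFSTERM"):
            self._replies.append(b"OK\r\n")
        elif line.startswith(b"AT+CFSWFILE="):
            self._expected = int(line.split(b",")[3])
            self._replies.append(b"DOWNLOAD\r\n")
        else:
            self._replies.append(b"ERROR\r\n")

    def readline(self) -> bytes:
        return self._replies.pop(0) if self._replies else b""
```

With a real module, pass `serial.Serial("/dev/ttyUSB0", 115200, timeout=12)` in place of `FakePort()` so that `readline()` gives up after the module's own 10-second window.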

@botletics
Owner

Hey guys, please see this AWS AT command log from SIMCom. Hope it helps!

@Aryan-Morteza

If it's Waveshare module, then hook it up to your PC over USB, open terminal like putty and enter the commands manually. One more thing: you need to use VeriSign legacy certificate from AWS. You can find it here: https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html Amazon Root CA certs do not work, afaik.

Thanks @Scrts. The thing is, AmazonRootCA would convert fine; the two others would not.

@Scrts

Scrts commented Feb 9, 2024

Do you want to try my files? I can send them by email.

@Aryan-Morteza

Do you want to try my files? I can send them by email.

That's kind of you.
[email protected]

@Aryan-Morteza

@Scrts @tronar
The problem was with my certs! I downloaded the new one and they embarked!
Tomorrow I will test it to publish data to IoT core! Will let you know!

Thanks for your time and consideration, guys! Many Thanks!

@Aryan-Morteza

Hi,

I'm trying to open a connection to AWS via MQTT port 8883.
I set sslversion to 3 ---> QAPI_NET_SSL_PROTOCOL_TLS_1_2. Also, on AWS IoT Core I set it to IoTSecurityPolicy_TLS12_1_2_2022_10.

But I'm still encountering an error; AT+SMCONN won't work with my settings (screenshot: photo_2024-02-12_14-52-28). What should I change in the AT commands?

@tronar

tronar commented Feb 12, 2024

Your time looks fine but NTP is giving you an error? It depends on the bearer connection, check it. (AT+SAPBR=2,1)
I've my own MQTT server, so I can look at the session and see who is aborting it. Maybe you can do the same; it's not that hard to set up a mosquitto broker.
Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server...

@Scrts

Scrts commented Feb 12, 2024

I highly suggest trying the MQTT on your PC using Mosquitto. Do you have the right policy on AWS to publish? Also does the path sdk/test/python exist? If not, I've seen AWS immediately closing the connection.
Before you try publishing, try doing SMSUB and see if you can send messages from AWS IoT and see if the module receives? Try subscribing to an existing demo path.

@Aryan-Morteza

Your time looks fine but NTP is giving you an error? It depends on the bearer connection, check it. (AT+SAPBR=2,1) I've my own MQTT server, so I can look at the session and see who is aborting it. Maybe you can do the same; it's not that hard to set up a mosquitto broker. Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server...

AT+SAPBR=2,1 ---> ERROR
I can get an IP and ping works fine.
"Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server..." I don't understand what exactly I should do.

@Aryan-Morteza

I highly suggest trying the MQTT on your PC using Mosquitto. Do you have the right policy on AWS to publish? Also does the path sdk/test/python exist? If not, I've seen AWS immediately closing the connection. Before you try publishing, try doing SMSUB and see if you can send messages from AWS IoT and see if the module receives? Try subscribing to an existing demo path.

I have tested the cert and the others; publishing data to AWS via the Python SDK works fine. I don't need to send messages from AWS to my device; the only thing in this step is to send from the device to AWS IoT Core.

@Scrts

Scrts commented Feb 12, 2024

Afaik AWS will immediately close the connection if you try to do something that your policy prohibits. That's why trying to debug based on SMSUB as a first step would help.

@tronar

tronar commented Feb 12, 2024

Your time looks fine but NTP is giving you an error? It depends on the bearer connection, check it. (AT+SAPBR=2,1) I've my own MQTT server, so I can look at the session and see who is aborting it. Maybe you can do the same; it's not that hard to set up a mosquitto broker. Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server...

AT+SAPBR=2,1 ---> ERROR

Mine works ... (shrug)
I'm not completely sure about the SIM7000 processes and services, but there are some dependencies. Read the command manual. NTP, AFAIK, depends on the bearer session being up, and AT+SAPBR is used to close (0), open (1) or query (2) the bearer session (cid 1 in my example). Ping works even w/o a bearer up.

I can get an IP and ping works fine. "Also, confirm certs are ok by using mosquitto_sub pointing to the AWS server..." I don't understand what exactly I should do.

Mosquitto is an Apache project that has a broker and client tools (mosquitto_pub and mosquitto_sub). You can use the client to test whatever you want to do manually so you get an idea of who the culprit is. Divide and conquer?

@Aryan-Morteza

Aryan-Morteza commented Feb 19, 2024

Here are the specific details of my configuration and the issue at hand:

Device: SIM7000X module
Connectivity: I am using SIM7000X to connect to AWS IoT Core for MQTT communication.
Configuration: I have configured the SIM7000X module with the necessary parameters including the AWS IoT Core endpoint URL, port number (8883 for MQTT over TLS), client ID, and security settings.
Testing: The module is able to establish a connection successfully when using a test MQTT broker (e.g., test.mosquitto.org). However, when attempting to connect to AWS IoT Core using the provided endpoint URL (XXXXXXXXXXXX.iot.us-east-1.amazonaws.com), the connection is not successful.
URL Used: a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com

Additionally, I want to emphasize that I have successfully established connections to AWS IoT Core using the same certificates and credentials when utilizing the Python SDK. Hence, it appears that the issue lies specifically with the SIM7000X module's connection to AWS IoT Core.

I have performed several troubleshooting steps including:

Verifying the correctness of the AWS IoT Core endpoint URL, port number, and client ID.
Ensuring that the SIM7000X module has access to the internet and that there are no firewall or network configuration issues blocking the connection.
Configuring TLS/SSL with appropriate certificates, including the AmazonRootCA12.pem and device-specific certificate files.
Despite these efforts, the connection to AWS IoT Core is not established successfully. When attempting to publish a message, the module returns an error.

Here is an excerpt of the commands and responses [test.mosquitto.org]:

[at+cnact?, +CNACT: 1,"10.193.154.101", OK]
[AT+SNPING4="XXXXXXXXXXXXX.iot.us-east-1.amazonaws.com",3,20,100, +SNPING4: 1,52.71.21.145,60000, +SNPING4: 2,52.71.21.145,60000, +SNPING4: 3,52.71.21.145,60000, OK]
[AT+SAPBR=2,1, +SAPBR: 1,3,"0.0.0.0", OK]
[AT+SMCONF="URL","test.mosquitto.org","1883", OK]
[+O"EM", OK, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR, ATSMCNF=KEPTIE,60, ERROR]
[AT+SMCONF="CLIENTID","iotconsole-84806066-427c-4179-a875-92148ce075c6", OK]
[AT+SMCONF="CLEANSS",1, OK]
[AT+SMCONF="QOS",1, OK]
[AT+SMCONF="TOPIC","sdk/test/python", OK]
[AT+SMCONF?, +SMCONF , CLIENTID: "iotconsole-84806066-427c-4179-a875-92148ce075c6", URL: "test.mosquitto.org:1883", KEEPTIME: 60, USERNAME: "", PASSWORD: "", CLEANSS: 1, QOS: 1, TOPIC: "sdk/test/python", MESSAGE: "", RETAIN: 0, OK]
[AT+SMSSL=1,"AmazonRootCA12.pem","certificate.crt", OK]
[AT+CSSLCFG="convert",2,"AmazonRootCA12.pem", OK]
[AT+CSSLCFG="convert",1,"certificate.crt","private.key", OK]
[AT+CSSLCFG="protocol",0,1, OK]
[AT+CSSLCFG="ignorertctime",0,1, OK]
[AT+CSSLCFG?, OK]
[T+CSSLCFG="sslversion",0,3, OK]
[T+NIG4"1kj-.mnw.o,,010]
[AT+SMCONN, OK]
[]
[AT+SMPUB="sdk/test/python","5",1,1, ERROR]
[]
[AT+SMDISC, OK]
serial closed!

I have also attached a log file containing detailed commands and responses for your reference [AWS end point].

[AT+SNPING4="XXXXXXXXXXXXXXXXX.iot.us-east-1.amazonaws.com",3,20,100, +SNPING4: 1,54.208.232.218,60000, +SNPING4: 2,54.208.232.218,60000, +SNPING4: 3,54.208.232.218,60000, OK]
[AT+SAPBR=2,1, +SAPBR: 1,3,"0.0.0.0", OK]
[AT+SMCONF="URL","XXXXXXXXXXXXXXXXX.iot.us-east-1.amazonaws.com","8883", OK]
[AT+SMCONF="KEEPTIME",60, OK]
[AT+SMCONF="CLIENTID","iotconsole-84806066-427c-4179-a875-92148ce075c6", OK]
[AT+SMCONF="CLEANSS",1, OK]
[A+SMCONF="QOS",1, OK]
[A+MOF"TPC,dtpyhn, O]
[AT+SMCONF?, +SMCONF , CLIENTID: "iotconsole-84806066-427c-4179-a875-92148ce075c6", URL: "XXXXXXXXXXX.iot.us-east-1.amazonaws.com:8883", KEEPTIME: 60, USERNAME: "", PASSWORD: "", CLEANSS: 1, QOS: 1, TOPIC: "sdk/test/python", MESSAGE: "", RETAIN: 0, OK]
[A+SMSSL=1,"AmazonRootCA12.pem","certificate.crt", OK]
[A+CSSLCFG="convert",2,"AmazonRootCA12.pem", OK]
[ACSSLCFG="convert",1,"certificate.crt","private.key", OK]
[AT+CSSLCFG="protocol",0,1, OK]
[AT+CSSLCFG="ignorertctime",0,1, OK]
[AT+CSSLCFG?, OK]
[AT+CSSLCFG="sslversion",0,3, OK]
[AT+SNPING4="XXXXXXXXXXXX.iot.us-east-1.amazonaws.com",3,20,100, +SNPING4: 1,52.20.89.239,60000, +SNPING4: 2,52.20.89.239,60000, +SNPING4: 3,52.20.89.239,60000, OK]
[AT+SMCONN, ERROR]
[]
[AT+SMPUB="sdk/test/python","5",1,1, ERROR]
[]
[A+SMDISC, ERROR]
serial closed!

Could you please assist me in diagnosing and resolving this issue? Any guidance, suggestions, or insights you can provide would be greatly appreciated.

I tried many other configs to establish the connection between the SIM7000X and AWS IoT Core. I used a (Windows-based) piece of software and could successfully establish the connection w/o certs too.

@tronar

tronar commented Feb 19, 2024

Aryan,
have you tried mosquitto_sub with your "certs"? Does it work? I know you said "it works with python" but there are so many things to pay attention to that having a reference implementation helps.
Something along this line:
$ mosquitto_sub --cafile symantec-G4.pem --cert aws.pem --key aws.key -h a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com -p 8883 -t test/#

Also
$ openssl s_client -connect a1hk1jl5lyheoa.iot.us-east-1.amazonaws.com:8883 -showcerts -tls1_2
should help you validate that the CA cert you are using is the one that you should...

@Aryan-Morteza

Aryan-Morteza commented Feb 19, 2024 via email

@tronar

tronar commented Feb 19, 2024

Aryan,
you don't have to "try" CA certs, you have to use the one that is needed :) And for that, openssl s_client should help. RTFM?
I'm not using AWS broker now.

@Aryan-Morteza

Aryan-Morteza commented Feb 19, 2024

What do you mean, the ONE I needed? I ran openssl s_client -connect a1hk1jl5lyheoa-ats.iot.us-east-1.amazonaws.com:8883
and the output is:
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = *.iot.us-east-1.amazonaws.com
verify return:1
4010E29F7F000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

Certificate chain
0 s:CN = *.iot.us-east-1.amazonaws.com
i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 14 00:00:00 2023 GMT; NotAfter: Dec 5 23:59:59 2024 GMT
1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
i:C = US, O = Amazon, CN = Amazon Root CA 1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 23 22:21:28 2022 GMT; NotAfter: Aug 23 22:21:28 2030 GMT
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT

Server certificate
subject=CN = *.iot.us-east-1.amazonaws.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M01

No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA224:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA224:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits

SSL handshake has read 5491 bytes and written 521 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: B3FBD172E1938A634ADF7444A01A8A0B6D324ED8F075BC84D707331F4607EFF1
Session-ID-ctx:
Master-Key: 35336829FFFAC82FA9F5B6ECB531A280F2218B6769E33E4E65A7262B497A37D660F0CEDC7FC5605FC48EC4BDFE3CE5F7
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1708361006
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

I got confused! I'm not big on SSL stuff. I'm looking for a solution to unravel the issue.

@tronar

tronar commented Feb 19, 2024

Well, confusion is a required prereq for learning...
Do you understand what you are trying to do with certs? (hint: cross authentication)
Do you understand how PKI works? (hint: you need one or two common trusted points of reference, a.k.a. CA)
Do you have a basic idea of pub/priv keys?
openssl s_client is telling you the cert chain that the server is using. Your "ca" cert has to be in that chain for the client to recognize the server as trusted/known. So either "Amazon Root CA 1" or "Starfield Services Root Certificate Authority - G2" should work.

@Scrts

Scrts commented Feb 19, 2024

Are you using legacy certificates as I've told you before?
Does your AWS endpoint (I assume US east) support legacy certificates?
Did you update your system clock?

AFAIK the SIM7xxx modules do not support non-legacy certificates. At least they did not work for me at all. Maybe new firmware changed that, but I'd try the proven method.

@tronar

tronar commented Feb 19, 2024

Hmm, and maybe you need to specify SNI (+CSSLCFG: "sni",(0-5),)

@Aryan-Morteza

Aryan-Morteza commented Feb 20, 2024

Are you using legacy certificates as I've told before? Does your AWS endpoint (I assume US east) support legacy certificate? Did you update your system clock?

AFAIK the SIM7xxx modules do not support non-legacy certificates. At least they did not work for me at all. Maybe new firmware changed that, but I'd try the proven method.

I tried some certificates from this website:
VeriSign Class 3 Public Primary G5 root CA certificate

It does not work with the Python SDK nor with SIM7000 AT commands.
The clock is updated since the RPi is connected to the internet.
Today I'm going to try the CA root from this website: https://www.amazontrust.com/repository/
and the Cross-signed Amazon Root CA 1.

Also, the firmware is updated.

@Scrts

Scrts commented Feb 20, 2024

What does AT+CCLK? return? Should be current time.

I've used this legacy root CA certificate, which worked well. I've also sent you the same over email before:
https://cacerts.digicert.com/pca3-g5.crt.pem

@tronar

tronar commented Feb 20, 2024

@Scrts He is using ignorertctime; time should not be an issue.

@Scrts

Scrts commented Feb 20, 2024

@tronar, I was not aware that this is an option from AWS side... I've never tried, so cannot comment. Using NTP to sync time for the module is very easy - just need to know which time zone to select.

@Aryan-Morteza

What does AT+CCLK? return? Should be current time.

I've used this legacy root CA certificate, which worked well. I've also sent you the same over email before: https://cacerts.digicert.com/pca3-g5.crt.pem

I tried to use it, but first I have to embark on the AWS IoT Core certificates section.
Screenshot 2024-02-20 153512

@tronar

tronar commented Feb 20, 2024

@Scrts It's not from the AWS side; it's for the client side to decide if the presented cert is valid "now". If you set "ignorertctime", then the server cert's time validity will not be checked.
Also, TZ does not matter; it's only important if you want to display local time, but it is irrelevant for cert validity checks.
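The two points made above, that the CA you load must be an issuer somewhere in the chain that openssl s_client printed, and that "ignorertctime" only switches off the validity-window check, can be checked mechanically. The following is an added example, not code from this thread or from the Botletics library: it parses the "Certificate chain" listing from the s_client output posted earlier (reproduced here as a constructed sample, PEM bodies omitted), confirms each certificate is issued by the next one up, lists the CA subjects that could anchor the chain, reports which certificates would fail a validity check at a given clock time, and matches the leaf's wildcard CN against an endpoint hostname. The hostname "example.iot.us-east-1.amazonaws.com" is an assumed placeholder; the session start time 1708361006 is the one from the posted output.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the "Certificate chain" section of the
# openssl s_client output posted earlier in this thread (PEM bodies omitted).
SAMPLE_CHAIN = """\
Certificate chain
 0 s:CN = *.iot.us-east-1.amazonaws.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 14 00:00:00 2023 GMT; NotAfter: Dec  5 23:59:59 2024 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:21:28 2022 GMT; NotAfter: Aug 23 22:21:28 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")          # " 0 s:<subject>"
FIELD_RE = re.compile(r"^\s*([iv]):(.*)$")             # "   i:<issuer>" / "   v:<validity>"
VALIDITY_RE = re.compile(r"NotBefore:\s*(.+?)\s*;\s*NotAfter:\s*(.+?)\s*$")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"                     # openssl's date format


def _parse_date(text):
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_chain(text):
    """Turn s_client's chain listing into dicts with depth, subject, issuer and validity."""
    certs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            certs.append({"depth": int(m.group(1)), "subject": m.group(2).strip()})
            continue
        m = FIELD_RE.match(line)
        if not m or not certs:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "i":
            certs[-1]["issuer"] = value
        else:
            vm = VALIDITY_RE.match(value)
            certs[-1]["not_before"] = _parse_date(vm.group(1))
            certs[-1]["not_after"] = _parse_date(vm.group(2))
    return certs


def chain_is_linked(certs):
    """Each certificate's issuer must be the subject of the next certificate up."""
    return all(certs[i]["issuer"] == certs[i + 1]["subject"] for i in range(len(certs) - 1))


def acceptable_ca_subjects(certs):
    """Subjects a loaded CA file may carry and still anchor this chain: every issuer
    named in the chain, including the one above the last sent certificate."""
    return {c["issuer"] for c in certs}


def certs_invalid_at(certs, epoch_seconds):
    """Subjects whose validity window excludes the given time. This is the check
    that CSSLCFG "ignorertctime" disables on the modem; a wrong RTC fails it."""
    when = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return [c["subject"] for c in certs if not (c["not_before"] <= when <= c["not_after"])]


def leaf_matches_host(certs, host):
    """Hostname check against the leaf CN, honouring one left-most wildcard label."""
    cn = re.search(r"CN = ([^,]+)", certs[0]["subject"]).group(1).strip().lower()
    host = host.lower()
    if cn.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == cn[2:]
    return host == cn


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    print("chain linked:", chain_is_linked(chain))
    print("CA subjects that would anchor it:", sorted(acceptable_ca_subjects(chain)))
    print("invalid at session start (1708361006):", certs_invalid_at(chain, 1708361006))
    print("invalid on 2025-01-01:", certs_invalid_at(chain, 1735689600))
    print("invalid with an unset 1970 clock:", certs_invalid_at(chain, 0))
    # Placeholder endpoint name, assumed for the example only.
    print("leaf matches endpoint:", leaf_matches_host(chain, "example.iot.us-east-1.amazonaws.com"))
```

Running it shows why the thread's advice holds: "Amazon Root CA 1" and "Starfield Services Root Certificate Authority - G2" both appear as issuers, so either anchors the chain; at the posted session time nothing is expired; with a modem clock still at its 1970 default all four certificates fail the window check, which is the failure "ignorertctime" papers over rather than fixes.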

@tronar

tronar commented Feb 20, 2024

@aryan, what do you mean by "embark"? Enroll?
In the page you are showing, pay attention: it's asking for a CSR, not for a certificate. You need to understand PKI first...

@Aryan-Morteza

@aryan, what do you mean by "embark" ? Enroll ? In the page you are showing, pay attention: it's asking for a CSR, not for a certificate. You need to understand PKI first...

It means loading. Tronar, I know you have very good knowledge of SSH and SSL stuff. I'm not big on that; I have a little knowledge about the working flow of private keys and public keys.

I know there are three files from AWS IoT Core, and for establishing a connection between the RPi HAT SIM7000 and AWS IoT Core I have to use them. I loaded them on my module, but I can't establish a connection. AT+SMCONN returns nothing or sometimes an error.

About the picture, you're right, my bad. Check this out:
I admire your research attitude. BTW, I think the problem would be solved w/o gaining knowledge about the abbreviations you've told me.

Cheers
Screenshot 2024-02-20 155238

@Aryan-Morteza

What does AT+CCLK? return? Should be current time.

I've used this legacy root CA certificate, which worked well. I've also sent you the same over email before: https://cacerts.digicert.com/pca3-g5.crt.pem

Yes! Thank you, mate. The thing is I have loaded it in my AWS IoT console and tried via the Python SDK, but it seems it ain't working.
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)
I tried with the SIM7000; AT+SMCONN returns nothing, unfortunately.

@Scrts

Scrts commented Feb 20, 2024

I've used mosquitto to debug and it worked before.
"C:\Program Files\mosquitto\mosquitto_sub.exe" --cert certificate.crt --key private.key --cafile LegacyRoot.pem -h a1mfxzzzxxxyyy.iot.us-west-2.amazonaws.com -p 8883 -t "test"

AT+SMCONN returns nothing at all? Maybe it is trying a connection and it times out?

For the "certificate embark on AWS IoT" - I am not sure what you are doing and where you are doing this. Those CA certificates are already available for AWS - you do not have to do anything additional.
If you go to AWS IoT -> Security -> Certificates, these are the ones that you create and upload to your device.

Also what policy did you assign to your own certificate? I suggest you make a really loose one for the beginning. I've used this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}
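The policy above is deliberately loose, which is fine for proving the TLS path works but should not survive into a deployed device: a leaked device certificate then grants every iot action on every resource in the account. As an added example (not code from this thread or the Botletics project), the block below flags such wildcard statements and builds the scoped equivalent for a single thing, using the client ID "end1" and topic "sdk/test/python" that appear later in this thread. The region, and the account ID 123456789012, are assumed placeholders; the ARN shapes (client/, topic/, topicfilter/) are the standard AWS IoT resource ARN forms.

```python
import json

# Constructed copy of the permissive policy quoted in this thread.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """One finding per Allow statement that grants every iot action or every resource."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a in ("*", "iot:*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {idx}: wildcard resource")
    return findings


def scoped_policy(region, account_id, thing_name, topics):
    """Least-privilege replacement: connect only as this client id, and only
    publish/subscribe/receive on the listed topics."""
    prefix = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{prefix}:client/{thing_name}"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": [f"{prefix}:topic/{t}" for t in topics]},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": [f"{prefix}:topicfilter/{t}" for t in topics]},
        ],
    }


if __name__ == "__main__":
    print("loose policy findings:", wildcard_findings(LOOSE_POLICY))
    # Placeholder account id (assumed); thing name and topic are the ones used in this thread.
    tight = scoped_policy("us-east-1", "123456789012", "end1", ["sdk/test/python"])
    print(json.dumps(tight, indent=2))
    print("scoped policy findings:", wildcard_findings(tight))
```

Keep the loose policy only while debugging SMCONN; once the connection works, attach the scoped one to the same certificate and confirm the modem still connects, since a policy that is too tight surfaces as the same connection refusal as a bad certificate.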

@Aryan-Morteza

Aryan-Morteza commented Feb 27, 2024

I've used mosquitto to debug and it worked before. "C:\Program Files\mosquitto\mosquitto_sub.exe" --cert certificate.crt --key private.key --cafile LegacyRoot.pem -h a1mfxzzzxxxyyy.iot.us-west-2.amazonaws.com -p 8883 -t "test"

AT+SMCONN returns nothing at all? Maybe it is trying a connection and it times out?

For the "certificate embark on AWS IoT" - I am not sure what are you doing and where are you doing this? Those CA certificates are already available for AWS - you do not have to do anything additional. If you go to AWS IoT -> Security -> Certificates, these are the ones that you create and upload to your device.

Also what policy did you assign to your own certificate? I suggest you make a really loose one for the beginning. I've used this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

Hello,

I tried "C:\Program Files\mosquitto\mosquitto_sub.exe" --cert certificate.crt --key private.key --cafile LegacyRoot.pem -h a1mfxzzzxxxyyy.iot.us-west-2.amazonaws.com -p 8883 -t "test" with my certs and everything works.

When I'm using the legacy certificate via AT commands, once I use the SMSSL AT command the module kinda resets, disconnects from the port and then reconnects again:
At+cnact?
+CNACT: 1,"10.193.64.56"

OK
AT+SMSSL=1,"AmazonRootCA1234.pem","certificate.crt"
SMS Ready

DST: 0

*PSUTTZ: 24/02/27,10:31:35","+00",0
at+cnact?
+CNACT: 0,"0.0.0.0"

OK

Also, I found that I'm using the client ID from MQTT test client/Connection details/Client ID, which is not correct, and I must use manage/things/name. I did amend it and I'm still encountering the issue above.

Additionally, I used the new certs; they work with SMSSL but the SMCONN outcome is an error:
AT+CNACT?
+CNACT: 1,"10.193.128.11"

OK
AT+CSSLCFG="ignorertctime",0,1
OK
AT+CSSLCFG="convert",2,"AmazonRootCA1.pem"
OK
AT+CSSLCFG="convert",1,"certificate.crt","private.key"
OK
AT+CSSLCFG?
OK
AT+CSSLCFG="sslversion",0,3
OK
AT+SMCONF=URL,*********************.iot.us-east-1.amazonaws.com,8883
OK
AT+SMCONF="CLIENTID","end1"
OK
AT+SMCONF="CLEANSS",0
OK
AT+SMCONF="QOS",0
OK
AT+SMCONF="TOPIC","sdk/test/python"
OK
AT+SMCONF="RETAIN",0
OK
AT+SMCONF="KEEPTIME",60
OK
AT+SMCONF?
+SMCONF
CLIENTID: "end1"
URL: ****************.iot.us-east-1.amazonaws.com:8883"
KEEPTIME: 60
USERNAME: ""
PASSWORD: ""
CLEANSS: 0
QOS: 0
TOPIC: "sdk/test/python"
MESSAGE: ""
RETAIN: 0

OK
AT+SMSSL=1,"AmazonRootCA1.pem","certificate.crt"
OK
AT+SMCONN
ERROR

The policy also was and is the same as your suggestion.

Based on this image it seems the module partially connects with MQTT but something is wrong with the module or AWS. Also it seems with the SIM7600 you can connect to AWS IoT Core without suffering.
Screenshot 2024-02-27 105045
