AWS IoT with the ESP8266
I spent some time recently trying to get some ESP8266 devices to connect to AWS IoT. AWS IoT is really just an MQTT broker as a service. However, it has a big caveat for the ESP8266: it requires TLS 1.2.
For the longest time, there was simply no way to do it at all; the libraries for the ESP8266 just didn't exist. There were workarounds, such as using websockets via signed requests. That actually works pretty well, and websockets are officially supported by AWS, but the method is meant to be used from JavaScript.
However, things changed with the January 2018 release of the 2.4.0 Arduino SDK. It included a newer axtls library, which supports TLS 1.2! Thinking this was the ideal way to go, I did my best to make it work.
Starting from this sketch and using certificates created using the Amazon CA, I just could not get it to work. I ended up filing this issue, as no matter what I did, it would always complain the certificate was not yet valid. I tried building the axtls library manually with more debugging, etc., but never did figure it out.
So, since I couldn't get the certificates made by Amazon to work, I figured I probably didn't want to use theirs anyway. It'd be easier to set up my own CA and issue certificates from that. I was thinking I could use the just-in-time certificate registration. So, I went ahead and did that, and things got a little further. I could connect, but two things ultimately kept me from moving forward with it:
- The workflow in AWS is cumbersome. First, deploy each device with its own cert from my CA. When the device first connects to AWS, the certificate becomes pending and waits for a Lambda function to come activate it, assign policies, and assign it to a thing. Only after that's done can the device connect.
- The initial handshake on the ESP8266 can take between 5 and 15 seconds. During that time the device is unresponsive, to the point that you'd need to disable the software and hardware watchdogs. For my use, this was unacceptable.
Ultimately, if I need to use AWS IoT from an ESP8266, I'll use the websockets approach. It's not ideal, but it works.
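For reference, this is the shape of the Lambda the pending-certificate step above is waiting for. It is an added example, not code from the post or from AWS; the CA id, policy name, thing-naming scheme and the fake client are placeholders and constructed stand-ins, while the boto3 method names are the real IoT client calls. The handler only activates certificates that chain to the CA you registered, so a registration event for some other CA is ignored rather than handed a policy.

```python
"""Added example (not the post's code): a just-in-time registration (JITR)
Lambda, triggered from $aws/events/certificates/registered/<caCertificateId>,
that activates a pending ESP8266 certificate issued by our own CA.
The CA id, policy name and thing-naming scheme below are placeholders."""

EXPECTED_CA_ID = "<ca-certificate-id-you-registered>"  # placeholder
POLICY_NAME = "Esp8266DevicePolicy"                     # hypothetical policy

def activate_device(iot, event, expected_ca_id=EXPECTED_CA_ID,
                    policy_name=POLICY_NAME):
    """Activate the pending cert, attach the policy and bind it to a thing.
    `iot` exposes the boto3 IoT client methods used below, so the logic can
    run offline against a fake. Returns the thing name, or None if rejected."""
    cert_id = event["certificateId"]
    # Only certs issued by the CA we registered get activated; an event for
    # another CA, or for a cert that is not pending, is ignored.
    if event.get("caCertificateId") != expected_ca_id:
        return None
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        return None
    desc = iot.describe_certificate(certificateId=cert_id)
    cert_arn = desc["certificateDescription"]["certificateArn"]
    thing_name = "esp8266-" + cert_id[:16]  # our naming scheme (constructed)
    iot.create_thing(thingName=thing_name)
    iot.attach_policy(policyName=policy_name, target=cert_arn)
    iot.attach_thing_principal(thingName=thing_name, principal=cert_arn)
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return thing_name

def lambda_handler(event, context):
    import boto3  # only needed in the real Lambda runtime
    return activate_device(boto3.client("iot"), event)

class FakeIot:
    """Constructed offline stand-in that records the calls a client would get."""
    def __init__(self):
        self.calls = []
    def describe_certificate(self, certificateId):
        arn = "arn:aws:iot:us-east-1:123456789012:cert/" + certificateId
        return {"certificateDescription": {"certificateArn": arn}}
    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record

# Constructed sample event as delivered on the registration topic.
SAMPLE_EVENT = {"certificateId": "ab" * 32, "caCertificateId": EXPECTED_CA_ID,
                "certificateStatus": "PENDING_ACTIVATION", "awsAccountId": "123456789012"}
```

Run `activate_device(FakeIot(), SAMPLE_EVENT)` to see the call sequence without touching an AWS account; in the deployed function, `lambda_handler` does the same against the real client.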