No way to use key pair on esp32 native e.g. ESP32-S2 feather (not airlift) #98


Closed
twi11ie opened this issue Jan 21, 2022 · 7 comments
Labels: bug, needs-investigation

Comments

@twi11ie

twi11ie commented Jan 21, 2022

Is there a way to connect to an MQTT broker that requires key pairs (like AWS MQTT)?

Examples and code seem to only support ESP32 co-processors. How can this be done on an ESP32-S3 feather?

import ssl
import socketpool
import wifi
import adafruit_minimqtt.adafruit_minimqtt as MQTT

# Create a socket pool
pool = socketpool.SocketPool(wifi.radio)

ssl_context = ssl.create_default_context()

# how to set these in the SSL context or MQTT for socket wrap?  e.g. AWS thing cert and .pem
# {"key": DEVICE_KEY, "cert": DEVICE_CERT}

client = MQTT.MQTT(broker=aws_endpoint, socket_pool=pool, ssl_context=ssl_context)

# in micropython it can be done this way with umqtt.simple
from umqtt.simple import MQTTClient
mqtt_client = MQTTClient(aws_client_id, aws_endpoint, ssl=True, ssl_params={'key': DEVICE_KEY, 'cert': DEVICE_CERT})

@twi11ie twi11ie changed the title from "No way to use key pair on esp32 native (not airlift)" to "No way to use key pair on esp32 native e.g. ESP32-S2 feather (not airlift)" Jan 21, 2022
@brentru
Member

brentru commented Jan 21, 2022

Please see this project which uses AWS IoT: https://learn.adafruit.com/pyportal-iot-plant-monitor-with-aws-iot-and-circuitpython

@brentru brentru closed this as completed Jan 21, 2022
@twi11ie
Author

twi11ie commented Jan 21, 2022

@brentru thanks for the quick response. That example uses the adafruit_esp32spi CircuitPython driver library for using the ESP32 as a WiFi co-processor over SPI. However, I am using the ESP32-S2 feather and ESP32-S2 QT Py.

@brentru
Member

brentru commented Jan 24, 2022

The example on that guide will need to be modified to work for the ESP32-S2's "native wifi" instead of "airlift wifi".

We have example native networking code here: https://github.com/adafruit/Adafruit_CircuitPython_MiniMQTT/tree/main/examples/native_networking

@twi11ie
Author

twi11ie commented Jan 24, 2022

@brentru thanks again. I did look at that example. It may work for some/most password-based brokers. Unfortunately, for AWS IoT we would need a way to (1) set the AWS IoT thing public/private keys OR (2) support/set SSL ALPN, e.g. custom IoT auth.

In more detail: based on my understanding, for MQTT to work in AWS with native networking (Feather/QT Py ESP32-S2) we would need ways of setting additional SSL context.

# option 1 set this in SSL context - (I tested in micropython, umqtt.simple)
from umqtt.simple import MQTTClient
ssl_params = {"key": DEVICE_KEY, "cert": DEVICE_CERT}
mqtt_client = MQTTClient("testclientid", aws_endpoint, ssl=True, ssl_params=ssl_params)

# option 2 create a un/pw custom auth in AWS IOT core (I tested with desktop python)
# that would work around the cert issue, but we would need a way to set alpn in circuit python ssl context
import ssl
import paho.mqtt.client as mqtt  # paho-mqtt client assumed for the desktop-python calls below
mqtt_client = mqtt.Client("testclientid")
ssl_context = ssl.create_default_context()
ssl_context.set_alpn_protocols(["mqtt"])
mqtt_client.tls_set_context(ssl_context)
# at that point you can give AWS extra params in the mqtt client username field
username = "username?x-amz-customauthorizer-name=CUSTOM_AUTH_NAME"
mqtt_client.username_pw_set(username, password=pw)

@brentru brentru reopened this Jan 26, 2022
@brentru
Member

brentru commented Jan 26, 2022

@twi11ie I do not currently have time to dive into AWS IoT with CircuitPython again. I'll reopen and keep this issue open for now in case someone wants to tackle this bug.

You can set the SSL context using the CircuitPython ssl module: https://circuitpython.readthedocs.io/en/latest/shared-bindings/ssl/index.html, https://circuitpython.readthedocs.io/en/latest/shared-bindings/socketpool/index.html

@brentru brentru added the labels bug, needs-investigation Apr 11, 2023
@zbauman3
Contributor

zbauman3 commented May 3, 2023

For future readers who are having issues getting this working, like me, here is what I ended up doing:

import ssl
import socketpool
import wifi
import adafruit_minimqtt.adafruit_minimqtt as MQTT
from adafruit_aws_iot import MQTT_CLIENT as MQTT_AWS  # alias assumed from the MQTT_AWS name used below

pool = socketpool.SocketPool(wifi.radio)
ssl_context = ssl.create_default_context()

# Set AWS Device Certificate and AWS RSA Private Key
ssl_context.load_cert_chain(certfile=DEVICE_CERT_PATH, keyfile=DEVICE_KEY_PATH)

# Set up a MiniMQTT Client
mqtt_client = MQTT.MQTT(
    broker="XXXXXXXXXXXX.iot.us-east-1.amazonaws.com",
    port=8883,
    is_ssl=True,  # This was the most important part. I missed this for a while
    client_id="basicPubSub",
    socket_pool=pool,
    ssl_context=ssl_context,
)

# Initialize AWS IoT MQTT API Client
mqtt_aws_client = MQTT_AWS(mqtt_client)
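An added example, not code from this thread or from MiniMQTT: it builds the same kind of client context with CPython's ssl module as a stand-in for CircuitPython's (both expose create_default_context and load_cert_chain; set_alpn_protocols is assumed to exist only on CPython) and returns the MQTT.MQTT keyword arguments with is_ssl=True made explicit, since that was the part the comment above says was easy to miss. Certificate and key paths, endpoint and client id are placeholders.

```python
import os
import ssl

AWS_IOT_MQTT_TLS_PORT = 8883  # MQTT over TLS, the port used in the working snippet above


def make_client_tls_context(certfile=None, keyfile=None, alpn=None):
    """Client-side TLS context for an AWS IoT broker.

    certfile/keyfile: PEM paths of the AWS IoT "thing" certificate and its
    private key (mutual TLS, option 1 in the thread).
    alpn: optional protocol list such as ["mqtt"] (option 2, custom authorizer).
    Server verification stays on: the broker certificate must chain to a
    trusted CA and its hostname must match, so the device key is only
    presented to the genuine endpoint.
    """
    ctx = ssl.create_default_context()
    if certfile is not None or keyfile is not None:
        for path in (certfile, keyfile):
            if path is None or not os.path.isfile(path):
                raise FileNotFoundError("TLS credential file missing: %r" % (path,))
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # device identity
    if alpn:
        ctx.set_alpn_protocols(list(alpn))
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("server certificate verification was disabled")
    return ctx


def minimqtt_kwargs(endpoint, client_id, port=AWS_IOT_MQTT_TLS_PORT):
    """Keyword arguments for MQTT.MQTT(...), with is_ssl set explicitly
    rather than relying on a default."""
    if not endpoint or "://" in endpoint or "/" in endpoint:
        raise ValueError("endpoint must be a bare hostname, not a URL")
    if not (0 < port < 65536):
        raise ValueError("invalid port")
    return {"broker": endpoint, "port": port, "is_ssl": True, "client_id": client_id}
```

Pass the returned context as ssl_context together with socket_pool and the returned kwargs to MQTT.MQTT; on CircuitPython drop the alpn argument unless the installed ssl module provides set_alpn_protocols.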

@brentru
Member

brentru commented May 5, 2023

Closing via #164

@brentru brentru closed this as completed May 5, 2023