Ewon Flexy 205 MQTT Connection to AWS not possible (routines:PEM_read_bio:no start)

+- Ewon Technical Forum (https://techforum.ewon.biz)
+-- Forum: Development (https://techforum.ewon.biz/forum-50.html)
+--- Forum: Ewon Embedded Technology (https://techforum.ewon.biz/forum-51.html)
+---- Forum: Ewon Data Publishing (https://techforum.ewon.biz/forum-4.html)
+---- Thread: Ewon Flexy 205 MQTT Connection to AWS not possible (routines:PEM_read_bio:no start) (/thread-2782.html)



Ewon Flexy 205 MQTT Connection to AWS not possible (routines:PEM_read_bio:no start) - smehner - 08-08-2025

Hi there,

we are using Ewon Flexy 205 (Firmware: 15.0s1) to publish sensor data from the Siemens PLC to AWS IoT Core.
A few weeks ago we added a new Flexy 205 with the very same BASIC script, but we can't get it running.

Here is the relevant BASIC code snippet:

Code:
@LOG("Initialize MQTT, connecting to Aws IoT broker")
    MQTT "OPEN", device_id$, mqtt_broker$
    MQTT "SETPARAM", "Port",      "8883"
    MQTT "SETPARAM", "log",      ""
    MQTT "SETPARAM", "keepalive", "60"
    MQTT "SETPARAM", "cafile",    "/usr/AWS_CA.crt"
    MQTT "SETPARAM", "certfile",  "/usr/device-certificate.pem.crt"
    MQTT "SETPARAM", "keyfile",  "/usr/device-private.pem.key"
//    MQTT "CONNECT"
    ErrorReturned% = GETSYS PRG, "LSTERR"
    IF ErrorReturned% = 28 THEN
      @Log("WAN interface not yet ready. MQTT Launched anyway...")
    ENDIF
    SETSYS PRG, "RESUMENEXT", 0
    NB% = GETSYS PRG, "NBTAGS"
    DIM a(NB%,2)
    FOR i% = 0 TO NB%-1
      k% = i% + 1
      SETSYS Tag, "load", -i%
      a(k%,1) = -i%
      a(k%,2) = 0
      GroupA$ = GETSYS TAG, "IVGROUPA"
      GroupB$ = GETSYS TAG, "IVGROUPB"
      GroupC$ = GETSYS TAG, "IVGROUPC"
      GroupD$ = GETSYS TAG, "IVGROUPD"
      IF GroupA$ = "1" AND MQTT_FEATURE% = 1 THEN Onchange -i%, "a("+ STR$(k%) +",2)= 1"
      IF GroupB$ = "1" AND MQTT_FEATURE% = 1 THEN Onchange -i%, "a("+ STR$(k%) +",2)= 1"
      IF GroupC$ = "1" AND MQTT_FEATURE% = 1 THEN Onchange -i%, "a("+ STR$(k%) +",2)= 1"
    NEXT i%
  ENDIF
//
//
@on_wan()


....

FUNCTION on_wan()
  wan_ip$ = GETSYS PRG,"WANIP"
@LOG("check network connectivity")
// 1 -> connected; 2 -> not connected
  IF (wan_ip$ <> "0.0.0.0") THEN
    @Log("WAN up: IP: " + wan_ip$)
    @LOG("MQTT-Connect")
    TSET 1, 0
    @send_startup_mail()
    MQTT "CONNECT"
    @send_buffered_mqtt_messages()
  ELSE
    @Log("WAN down - try again in few seconds")
    TSET 1, 10
    ONTIMER 1, "@on_wan()"
  ENDIF
ENDFN

This is the logging output:

Code:
08/08/2025 12:51:34   MQTT    Log (16): Client EWON_04_GB_Kirchberg sending CONNECT
08/08/2025 12:51:31 BASIC   [ERROR] Operation failed (28) 186 : MQTT "CONNECT"
08/08/2025 12:51:31 MQTT    Log (08): OpenSSL Error[1]: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
08/08/2025 12:51:31 MQTT    Log (08): OpenSSL Error[0]: error:0906D06C:PEM routines:PEM_read_bio:no start line
08/08/2025 12:51:31 MQTT    Log (08): Error: Unable to load client key file "/opt/ewon/usr/device-private.pem.key".

It seems obvious that something with the private key file is wrong, but I have no clue what the problem is.
I tried several things:

- followed the instructions from here: https://techforum.ewon.biz/thread-559-post-2874.html to create the AWS certificates (tested on Linux/macOS with Node.js and Python)
  - uploaded the certs and renamed them as seen in the screenshot
  - did not work (output above)
  - opened the files with FileZilla and copied the certificate text
    - reason: the private key size was different (original 1706 bytes if I remember correctly) and it was not clear text anymore
      - so I put in the clear text and saved it remotely
- created the certificates at AWS the other way (see screenshot) and did the same as above
- I tried the Python connect_device_package locally -> that worked
  - I checked the policy and made some modifications so that it worked with my device name and my chosen topics
- I did the same again with the new policy (device connection kit for Node.js / Python / creating certificates the other way)
- I copied the certificates from the other Ewons that work correctly -> did not work, same output as above
- tested the connection -> https://tools.ewonsupport.biz/mqtt/ --> that worked (but it is not encrypted and it is not AWS ;-) )
- I tested the AWS IoT Live Data code example from https://tools.ewonsupport.biz/BASIC_Repository/ -> did not work (same error as above)

The current AWS policy is similar to this one:

Code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:PublishRetain"
      ],
      "Resource": "arn:aws:iot:<<SECRET>>:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:<<SECRET>>:topicfilter/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:<<SECRET>>:client/Ewon*",
        "arn:aws:iot:<<SECRET>>:client/EWON*"
      ]
    }
  ]
}


It would be great if somebody could give me a hint.

Best,

Stefan
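The OpenSSL message "PEM routines:PEM_read_bio:no start line" in the log above means the library never found a "-----BEGIN ...-----" line where it expected one, which is consistent with the post's observation that the uploaded key had a different size and was no longer clear text. The following stdlib-only checker is an added example (not from the original post, and not Ewon or AWS tooling) that inspects a key or certificate file for the usual causes of that error: a byte-order mark, UTF-16 or binary content, a missing or mismatched header/footer, broken line wrapping, or a body that is not valid base64. The sample PEM it ships with is constructed and contains no real key material.

```python
import base64
import re
import sys

# A PEM block: header, body lines, footer with the same label (CRLF tolerated).
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

def check_pem(data: bytes) -> list:
    """Return a list of findings; an empty list means the PEM looks well-formed."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the first line")
    if data.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data:
        findings.append("NUL bytes present: file is UTF-16 or binary, not text PEM")
        return findings
    match = PEM_RE.search(data)
    if not match:
        findings.append("no matching -----BEGIN/-----END block (OpenSSL: 'no start line')")
        return findings
    label, body = match.group(1), match.group(2)
    if b"PRIVATE KEY" not in label and b"CERTIFICATE" not in label:
        findings.append("unexpected PEM label %r" % label.decode())
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Standard PEM wraps the base64 body at 64 characters; empty lines are damage.
    if any(len(line) > 64 or not line for line in lines):
        findings.append("body lines are not 64-char base64 lines (possible wrap/copy damage)")
    try:
        base64.b64decode(b"".join(lines), validate=True)
    except Exception:
        findings.append("body is not valid base64 (stray characters or whitespace)")
    return findings

# Constructed sample (not a real key): a well-formed PEM shape with a dummy body.
GOOD_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            + b"\n".join([b"A" * 64] * 3 + [b"AAAA"]) + b"\n"
            + b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Usage: python check_pem.py /path/to/device-private.pem.key
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path, "rb").read() if path else GOOD_PEM
    for finding in check_pem(raw) or ["PEM structure looks fine"]:
        print(finding)
```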