copercini / esp8266-aws_iot

Some examples using x.509 certificates and TLSv1.2 under Arduino IDE


Attempting MQTT connection...failed, rc=-4 try again in 5 seconds

holla2040 opened this issue · comments

Hello,
I've been trying to get the mqtt_x509_DER.ino example sketch running this evening. Here's my setup using IDE v1.8.8

  • cloned the esp8266 tools as directed
  • using AWS IOT console, created a thing called 'espdev', downloaded the pem files and ca1, used linux openssl to create der files
openssl x509 -in  ####-certificate.pem.crt -out cert.der -outform DER
openssl rsa -in ######-private.pem.key -out private.der -outform DER
openssl x509 -in AmazonRootCA1.pem -out ca.der -outform DER

  • loaded a fsbrowser sketch to upload cert, private, ca der files to 3M SPIFFS

  • found and set my AWS_endpoint (A little unclear where I get this, got it from AWS_IOT console using the test screen).

  • this AWS_endpoint gets DNS resolved: using the Linux command-line ping, an IP resolved for this endpoint.

  • I verified timeClient.update() gets correct epoch time.

Here's the sketch output using microcom,

SDK:2.2.1(cfd48f3)/Core:2.5.0-66-gf139519=20500066/lwIP:STABLE-2_1_2_RELEASE/glue:1.1-2-ga501b57/BearSSL:6778687

Connecting to devAP
scandone
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 1
cnt 

connected with devAP, channel 11
dhcp client start...
ip:192.168.0.147,mask:255.255.255.0,gw:192.168.0.1
.
WiFi connected
IP address: 
192.168.0.147
time of day UTC 2019-03-29 05:36:28
Heap: 41040
Success to open cert file
cert loaded
Success to open private cert file
private key loaded
Success to open ca
ca loaded
Heap: 37112
Attempting MQTT connection...BSSL:_connectSSL: start connection
pm open,type:2 0
BSSL:Connected!
failed, rc=-4 try again in 5 seconds
WiFiClientSecure SSL error: Unknown error code.
Attempting MQTT connection...BSSL:_run_until: Not connected
BSSL:_connectSSL: start connection
BSSL:Connected!
failed, rc=-4 try again in 5 seconds
WiFiClientSecure SSL error: Unknown error code.zeeboo
Attempting MQTT connection...BSSL:_run_until: Not connected
BSSL:_connectSSL: start connection
BSSL:Connected!
failed, rc=-4 try again in 5 seconds
WiFiClientSecure SSL error: Unknown error code.

I looked over this issue's comments and https://raphberube.com/blog/2019/02/18/Making-the-ESP8266-work-with-AWS-IoT.html but didn't stumble on anything new.

So my question is ...

  1. in the reconnect function, what should be the string passed to client.connect()?
    void reconnect() {
      // Loop until we're reconnected
      while (!client.connected()) {
        Serial.print("Attempting MQTT connection...");
        // Attempt to connect; the argument is the MQTT client ID
        if (client.connect("ESPthing")) {
          Serial.println("connected");
        } else {  // client.state() is the rc in the log, -4 = MQTT_CONNECTION_TIMEOUT
          Serial.print("failed, rc="); Serial.print(client.state()); Serial.println(" try again in 5 seconds"); delay(5000);
        }
      }
    }

Thanks for taking the time to read this and for developing this MQTT TLS connectivity option.
Craig

mqtt_x509_DER.ino.txt

I regenerated my certs, activated it and attached my IOTPolicy and it works!!! Thanks so much.

How did you generate your certs?

I used
openssl x509 -in .\aaaaaaaaaa-certificate.pem.crt -out cert.der -outform DER

openssl rsa -in .\aaaaaaaa-private.pem.key -out private.der -outform DER
writing RSA key

openssl x509 -in .\AmazonRootCA1.pem.txt -out ca.der -outform DER

My policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Connect",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:us-east-1:xxxxxxxxxxx:topic/outTopic"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Connect",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:us-east-1:xxxxxxxxxxx:topic/inTopic"
    }
  ]
}

I also tried to make other certs and do all the steps again, but I'm still getting
Attempting MQTT connection...failed, rc=-4 try again in 5 seconds
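An added host-side checklist script (not from copercini/esp8266-aws_iot and not posted by anyone in this thread): it runs the same three openssl conversions used above and then checks the resulting DER files against each other before they are uploaded to SPIFFS. In PubSubClient, rc=-4 is MQTT_CONNECTION_TIMEOUT: the TLS handshake completed (the log shows "BSSL:Connected!"), but no CONNACK came back, which is also what happens when AWS IoT drops the session for a certificate that is inactive or has no policy attached. The script cannot see the policy, but it rules out the local mistakes that produce the same symptom: a private.der that belongs to a different thing, an expired device certificate, or the wrong file converted as ca.der. The file names and the out/ directory are placeholders, and the functions are my own.

```shell
#!/bin/sh
# Added example, not project code. Converts AWS IoT PEM files to the DER
# files the sketch loads from SPIFFS, then sanity-checks them on the host.
# File names are placeholders for whatever the AWS IoT console handed out.
set -eu

# convert_to_der CERT_PEM KEY_PEM CA_PEM OUTDIR
# The same three openssl conversions used in this thread; writes cert.der,
# private.der and ca.der into OUTDIR.
convert_to_der() {
  mkdir -p "$4"
  openssl x509 -in "$1" -outform DER -out "$4/cert.der"
  openssl rsa  -in "$2" -outform DER -out "$4/private.der" 2>/dev/null
  openssl x509 -in "$3" -outform DER -out "$4/ca.der"
}

# key_matches_cert CERT_DER KEY_DER
# Succeeds only if the public key inside the certificate equals the public
# half of the private key; a key downloaded for another "thing" is the
# classic mix-up and AWS IoT simply closes the connection on it.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -inform DER -noout -pubkey) || return 1
  key_pub=$(openssl rsa -in "$2" -inform DER -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_not_expired CERT_DER
# -checkend 0 succeeds iff notAfter is still in the future on the host clock.
# (The ESP8266 also needs a correct clock, hence the NTP step in the sketch.)
cert_not_expired() {
  openssl x509 -in "$1" -inform DER -noout -checkend 0 >/dev/null
}

# ca_is_root CA_DER
# ca.der is the trust anchor for the *server* (AmazonRootCA1): it must be
# self-signed (issuer == subject) and verify under its own key. Feeding the
# device certificate in here by mistake fails both tests.
ca_is_root() {
  issuer=$(openssl x509 -in "$1" -inform DER -noout -issuer) || return 1
  subject=$(openssl x509 -in "$1" -inform DER -noout -subject) || return 1
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  tmp=$(mktemp -d)
  openssl x509 -in "$1" -inform DER -out "$tmp/ca.pem"
  if openssl verify -CAfile "$tmp/ca.pem" "$tmp/ca.pem" >/dev/null 2>&1; then
    rm -rf "$tmp"; return 0
  fi
  rm -rf "$tmp"; return 1
}

# check_all CERT_PEM KEY_PEM CA_PEM OUTDIR  -> 0 only if every check passes
check_all() {
  convert_to_der "$1" "$2" "$3" "$4"
  ok=0
  key_matches_cert "$4/cert.der" "$4/private.der" || { echo "private.der does not belong to cert.der"; ok=1; }
  cert_not_expired "$4/cert.der"                  || { echo "cert.der has expired (or the host clock is wrong)"; ok=1; }
  ca_is_root "$4/ca.der"                          || { echo "ca.der is not a self-signed root certificate"; ok=1; }
  # Sizes matter for the SPIFFS partition you flash: the files must fit,
  # and the sketch must not be flashed over them (see the 4MB remark below).
  for f in cert.der private.der ca.der; do
    echo "$f: $(wc -c < "$4/$f") bytes"
  done
  return $ok
}

# usage: sh check_aws_iot_creds.sh xxxx-certificate.pem.crt xxxx-private.pem.key AmazonRootCA1.pem out/
if [ "$#" -eq 4 ]; then
  check_all "$@"
fi
```

Note that the script deliberately does not try to verify cert.der against ca.der: the device certificate AWS IoT issues is signed by AWS IoT's own device CA, not by AmazonRootCA1, so that chain check would fail on perfectly good credentials. What the script cannot check is the policy side, which is where the question about client.connect() lands: the string is the MQTT client ID, and for iot:Connect the policy resource is the client ARN (arn:aws:iot:REGION:ACCOUNT:client/CLIENT_ID), while iot:Subscribe uses topicfilter/... and iot:Publish and iot:Receive use topic/... resources.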

@MBezerril Hey! Did you solve issue?

Yes, @esin. I found some tutorials on how to create certificates and found another problem. I didn't set the SPIFFS size to 4MB. When I uploaded the code after the files, my code overwrote part of the files, because the memory wasn't correctly mapped.

Thanks!

All certificates need to have a policy. I also faced the same issue, and after attaching the policy it worked.