https_client certificate change: "Certificate mismatch" error

nRF Connect VS Code Extension (v2.7.0); Windows; nRF9160DK; https_client example application

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code, and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I made the following changes to the source code based on what seemed like it had needed changing and based on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here:  changing certificate in https_client sample  

I also referenced the following documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload 

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

Any help in resolving this issue would be greatly appreciated.

  • Hello, 

    am currently working with the Nordic nRF9160DK and am using the https_client example from the GitHub repository

    What version of the nRF Connect SDK are you running? Last updated 2021 seems to be very old, i.e. here is a screenshot from NCS tag v2.7.0

    I would recommend going through our Developer Academy - Cellular IoT Fundamentals if this is your first time with Nordic Semiconductor. 

    I'm not sure what DevZone posts you are referring to, I would recommend including these to be able to understand what you are trying to achieve. 

    cereg: 5,"4115","0336f50f",7,0,17,"11100000","11100000"

    Your first screenshot tells me that your device is rejected by the network in the Network registration status notification +CEREG. Position 7 - reject cause - includes Cause #17 – Network failure
    This EMM cause is sent to the UE if the MME cannot service an UE generated request because of PLMN failures.

    What SIM are you using ?


    Kind regards,
    Øyvind

  • Hi Oyvind,

    I updated my original message on this ticket in order to more accurately reflect the issue I am dealing with, as well as provide some more information on my setup.

    I confirmed that I am using the latest version (2.7.0) and I am using the iBasis nano SIM that came with the device. I believe that there are no issues with this SIM card, since I already successfully connected to example.com (see image below):

    I think this issue is directly related to my attempt to change the certificate to a different web browser other than example.com

  • Just to verify full functionality of your device and SIM card, can you please run e.g. AT client, and then from the Cellular Monitor connect to the DK to capture modem traces. You can also collect modem traces from the sample application (https_client) with the failing host name. 
    These modem traces will provide more information to me to understand the underlying issue on your device. 

    Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

    Looking at the certificate already available in the https_client sample, this does not have \n
    https://github.com/nrfconnect/sdk-nrf/blob/v2.7.0/samples/net/https_client/cert/DigiCertGlobalG2.pem

    Please retry adding the CA certificate as done in the sample. 

    Øyvind said:
    This EMM cause is sent to the UE if the MME cannot service an UE generated request because of PLMN failures.

    Also, please verify and follow-up the reject cause from the network to ensure proper functionality on your board.

    Thank you.

    Kind regards,
    Øyvind

  • Hi Øyvind,

    I attempted to do a modem trace in the nRF Desktop application like you said. When attempting to run a modem trace with the AT_client sample like you said, I could not even successfully do a modem trace before checking the SIM card:

    I also loaded the asset_tracker_v2 and attempted to do a modem trace with this program:

    The trace was successful, but the application had a hard time checking the SIM card activation. In the terminal, I see the message "Device is in shell mode":

    Will the device operate differently when in shell mode? I am not sure how to continue from here.

    Looking at the certificate already available in the https_client sample, this does not have \n

    You are correct that the original certificate does not have "...\n." The reason why I added it was because I saw someone else do this in a similar issue to mine here when attempting to change their certificate. I also received several build errors with a different certificate if the "...\n" was not added to every line. I re-flashed the original https_client sample to my nRF9160 DK, and this is the exact output of the application:

    *** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
    *** Using Zephyr OS v3.6.99-100befc70c74 ***
    HTTPS client sample started
    Bringing network interface up
    Provisioning certificate
    Certificate mismatch
    Provisioning certificate
    Connecting to the network
    +CEREG: 2,"A204","0053C016",7
    +CSCON: 1
    +CGEV: ME PDN ACT 0,0
    +CNEC_ESM: 50,0
    +CEREG: 5,"A204","0053C016",7,,,"11100000","11100000"
    Network connectivity established and IP address assigned
    Looking up example.com
    Resolved 93.184.215.14 (AF_INET)
    Connecting to example.com:443
    Sent 61 bytes
    Received 372 bytes
    
    >        HTTP/1.1 200 OK
    
    Finished, closing socket.
    +CGEV: ME PDN DEACT 0
    +CEREG: 0
    +CGEV: ME DETACH
    +CSCON: 0
    Network connectivity lost
    Disconnected from the network

    I am a bit confused, since the output here indicates to me that the https connection to example.com was successful. However, I am still receiving "certificate mismatch" in my output before the connection is established, and the modem trace wasn't successful.

    I also removed the "...\n" from my .pem file that I am trying to use so that I can show you the errors that pop up when this is not included in the .pem file (see image below):

    Just to clarify, the .pem file that I am attempting to use is from dweet.io, and I grabbed the X.509 certificate in Google Chrome as shown in the image below:

    When attempting to run my https_client application with a different certificate, this is the exact output I am receiving:

    *** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
    *** Using Zephyr OS v3.6.99-100befc70c74 ***
    testing changes
    HTTPS client sample started
    Bringing network interface up
    Provisioning certificate
    Certificate mismatch
    Provisioning certificate
    Connecting to the network
    +CEREG: 2,"A283","03CE4715",7
    +CSCON: 1
    +CGEV: ME PDN ACT 0,0
    +CNEC_ESM: 50,0
    +CEREG: 5,"A283","03CE4715",7,,,"11100000","11100000"
    Network connectivity established and IP address assigned
    Looking up dweet.io
    Resolved 52.73.7.7 (AF_INET)
    Connecting to dweet.io:443
    connect() failed, err: 111
    +CGEV: ME PDN DEACT 0
    +CEREG: 0
    +CGEV: ME DETACH
    +CSCON: 0
    Network connectivity lost
    Disconnected from the network

    From what I can tell, this is the same reject cause that I was receiving before.
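
The thread turns on two on-disk forms of the CA file: plain PEM, as in the v2.7.0 sample's cert directory, and PEM with every line wrapped as "...\n". As an added example (not code from the thread or from the nRF Connect SDK), this host-side Python helper detects which form a file is in, checks that the body is clean base64 decoding to a DER SEQUENCE, and converts between the two; the function names and the sample data are constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def detect_form(text):
    """Return 'c-literal' if lines are wrapped as "...\\n", else 'plain'."""
    first = next((l.strip() for l in text.splitlines() if l.strip()), "")
    return "c-literal" if first.startswith('"') else "plain"

def normalize_pem(text):
    """Return plain PEM from either form; raise ValueError if malformed."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r'"(.*?)(?:\\n)?"', line)
        if m:  # strip the surrounding quotes and the literal \n escape
            line = m.group(1)
        lines.append(line)
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END CERTIFICATE markers")
    # validate=True rejects stray quotes, backslashes or other debris
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("body does not decode to a DER SEQUENCE")
    return "\n".join(lines) + "\n"

def to_c_literal(text):
    """Render PEM as one C string literal per line, each ending in \\n."""
    return "".join('"%s\\n"\n' % l for l in normalize_pem(text).splitlines())

# Constructed sample: 102 bytes shaped like a DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x64" + bytes(range(100))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PLAIN = "\n".join(
    [BEGIN] + [SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)] + [END]
) + "\n"
SAMPLE_QUOTED = to_c_literal(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(detect_form(SAMPLE_QUOTED))
    print(normalize_pem(SAMPLE_QUOTED), end="")
```

A file that mixes the two forms, for example one line with a leading quote left behind, fails the base64 check with a ValueError instead of being passed on to the build.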
