https_client certificate change: "Certificate mismatch" error

nRF Connect VS Code Extension (v2.7.0); Windows; nRF9160DK; https_client example application


Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code, and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I made the following changes to the source code based on what seemed like it had needed changing and based on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here:  changing certificate in https_client sample  

I also referenced the following documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload 

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

Any help in resolving this issue would be greatly appreciated.

  • Hello, 

    am currently working with the Nordic nRF9160DK and am using the https_client example from the GitHub repository

    What version of the nRF Connect SDK are you running? Last updated 2021 seems to be very old, i.e. here is a screenshot from NCS tag v2.7.0

    I would recommend going through our Developer Academy - Cellular IoT Fundamentals if this is your first time with Nordic Semiconductor. 

    I'm not sure what DevZone posts you are referring to, I would recommend including these to be able to understand what you are trying to achieve. 

    cereg: 5,"4115","0336f50f",7,0,17,"11100000","11100000"

    Your first screenshot tells me that your device is rejected by the network in the Network registration status notification +CEREG. Position 7 - reject cause - includes Cause #17 – Network failure
    This EMM cause is sent to the UE if the MME cannot service an UE generated request because of PLMN failures.

    What SIM are you using ?


    Kind regards,
    Øyvind

  • Hi Oyvind,

    I updated my original message on this ticket in order to more accurately reflect the issue I am dealing with, as well as provide some more information on my setup.

    I confirmed that I am using the latest version (2.7.0) and I am using the iBasis nano SIM that came with the device. I believe that there are no issues with this SIM card, since I already successfully connected to example.com (see image below):

    I think this issue is directly related to my attempt to change the certificate to a different web browser other than example.com

  • Hi Øyvind,

    I attempted to do a modem trace in the nRF Desktop application like you said. When attempting to run a modem trace with the AT_client sample like you said, I could not even successfully do a modem trace before checking the SIM card:

    I also loaded the asset_tracker_v2 and attempted to do a modem trace with this program:

    The trace was successful, but the application had a hard time checking the SIM card activation. In the terminal, I see the message "Device is in shell mode":

    Will the device operate differently when in shell mode? I am not sure how to continue from here.

    Looking at the certificate already available in the https_client sample, this does not have \n

    You are correct that the original certificate does not have "...\n." The reason why I added it was because I saw someone else do this in a similar issue to mine here when attempting to change their certificate. I also received several build errors with a different certificate if the "...\n" was not added to every line. I re-flashed the original https_client sample to my nRF9160 DK, and this is the exact output of the application:

    *** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
    *** Using Zephyr OS v3.6.99-100befc70c74 ***
    HTTPS client sample started
    Bringing network interface up
    Provisioning certificate
    Certificate mismatch
    Provisioning certificate
    Connecting to the network
    +CEREG: 2,"A204","0053C016",7
    +CSCON: 1
    +CGEV: ME PDN ACT 0,0
    +CNEC_ESM: 50,0
    +CEREG: 5,"A204","0053C016",7,,,"11100000","11100000"
    Network connectivity established and IP address assigned
    Looking up example.com
    Resolved 93.184.215.14 (AF_INET)
    Connecting to example.com:443
    Sent 61 bytes
    Received 372 bytes
    
    >        HTTP/1.1 200 OK
    
    Finished, closing socket.
    +CGEV: ME PDN DEACT 0
    +CEREG: 0
    +CGEV: ME DETACH
    +CSCON: 0
    Network connectivity lost
    Disconnected from the network

    I am a bit confused, since the output here indicates to me that the https connection to example.com was successful. However, I am still receiving "certificate mismatch" in my output before the connection is established, and the modem trace wasn't successful.

    I also removed the "...\n" from my .pem file that I am trying to use so that I can show you the errors that pop up when this is not included in the .pem file (see image below):

    Just to clarify, the .pem file that I am attempting to use is from dweet.io, and I grabbed the X.509 certificate in Google Chrome as shown in the image below:

    When attempting to run my https_client application with a different certificate, this is the exact output I am receiving:

    *** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
    *** Using Zephyr OS v3.6.99-100befc70c74 ***
    testing changes
    HTTPS client sample started
    Bringing network interface up
    Provisioning certificate
    Certificate mismatch
    Provisioning certificate
    Connecting to the network
    +CEREG: 2,"A283","03CE4715",7
    +CSCON: 1
    +CGEV: ME PDN ACT 0,0
    +CNEC_ESM: 50,0
    +CEREG: 5,"A283","03CE4715",7,,,"11100000","11100000"
    Network connectivity established and IP address assigned
    Looking up dweet.io
    Resolved 52.73.7.7 (AF_INET)
    Connecting to dweet.io:443
    connect() failed, err: 111
    +CGEV: ME PDN DEACT 0
    +CEREG: 0
    +CGEV: ME DETACH
    +CSCON: 0
    Network connectivity lost
    Disconnected from the network

    From what I can tell, this is the same reject cause that I was receiving before.

  • Hi Øyvind,

    Just wanted to update you and let you know I tried a different SIM and was able to do a successful modem trace.

    However, even after the successful modem trace, I am still receiving the exact same issues as before with the https_client application. I believe this now confirms that even with a working SIM card, the issue is not related to the SIM card.

  • Hi Øyvind,

    One more update for you, I needed to change the #include in the main code as well as one line in the MakeFile and now the "...\n" is no longer needed.

    That being said, I am still having the exact same issue.

  • Thanks for confirming SIM functionality. 

    skar001 said:
    Just to clarify, the .pem file that I am attempting to use is from dweet.io, and I grabbed the x.509 certificate in Google chrome as shown in the image below:

    Web sites often use a certificate that is much larger, designed for use with computers and phones with a larger memory, etc. The nRF9160 has a limitation of 2kB. Could you please provide the modem trace to verify the certificate size you have downloaded?
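
The size limit in the reply above can be checked on the host before a certificate is provisioned. This is an added example, not part of the original thread or of Nordic's sample code: it assumes "2kB" means 2048 bytes of PEM text, accepts both a plain .pem and the quoted "...\n" per-line form discussed earlier in the thread, and runs on constructed placeholder bytes rather than real certificates.

```python
import base64
import re

# Assumption: the "2kB" limit quoted in the reply is read as 2048 bytes and
# applied to the PEM text handed to the modem.
MODEM_CERT_LIMIT = 2048
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def wrap_pem(der):
    """Encode DER bytes as PEM text with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + "\n"


def split_pem(text):
    """Return one normalised PEM string per certificate found in text."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        # Drop whitespace, quotes and literal backslash-n so both the plain
        # .pem style and the quoted C-string style parse the same way.
        body = re.sub(r'[\s"]|\\n', "", match.group(1))
        certs.append(wrap_pem(base64.b64decode(body, validate=True)))
    return certs


def check_sizes(text, limit=MODEM_CERT_LIMIT):
    """Report the PEM size of each certificate and whether it fits the limit."""
    return [
        {"pem_bytes": len(pem), "fits": len(pem) <= limit}
        for pem in split_pem(text)
    ]


def to_c_literal(pem):
    """Render PEM as quoted C string lines, each ending in a literal backslash-n."""
    return "\n".join('"%s\\n"' % line for line in pem.splitlines())


# Constructed sample: two placeholder "certificates" of 600 and 2400 zero bytes.
SAMPLE = wrap_pem(bytes(600)) + wrap_pem(bytes(2400))

if __name__ == "__main__":
    for index, result in enumerate(check_sizes(SAMPLE)):
        print(index, result)
```

A file exported from a browser may hold several certificates; each one is reported separately, so an oversized entry can be identified before it is written to the modem.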

  • Øyvind, when I have https_client flashed to my nRF9160DK, I am unable to do a modem trace. I can only do a modem trace when I have the asset_tracker_v2 demo application flashed to the board. Here is the modem trace file with asset_tracker_v2:

    trace-2024-10-08T12-33-41.775Z.mtrace

    Does the modem trace file need to be with https_client flashed to the board?

    Please advise.
