https_client certificate change: "Certificate mismatch" error

Hello, 

am currently working with the Nordic nRF9160DK and am using the https_client example from the GitHub repository

What version of the nRF Connect SDK are you running? Last updated 2021 seems to be very old, i.e. here is a screenshot from NCS tag v2.7.0

I would recommend going through our Developer Academy - Cellular IoT Fundementals if this is your first time with Nordic Semiconductor. 

I'm not sure what DevZone posts you are referring to, I would recommend including these to be able to understand what you are trying to achieve. 

cereg: 5,"4115","0336f50f",7,0,17,"11100000","11100000"

Your first screenshot tells me that your device is rejected by the network in the Network registration status notification +CEREG. Position 7 - reject cause - includes Cause #17 – Network failure
This EMM cause is sent to the UE if the MME cannot service an UE generated request because of PLMN failures.

What SIM are you using ?

Kind regards,
Øyvind

Hi Oyvind,

I updated my original message on this ticket in order to more accurately reflect the issue I am dealing with, as well as provide some more information on my setup.

I confirmed that I am using the latest version (2.7.0) and I am using the iBasis nano SIM that came with the device. I believe that there are no issues with this SIM card, since I already successfully connected to example.com (see image below):

I think this issue is directly related to my attempt to change the certificate to a different web browser other than example.com

Hi Øyvind,

I attempted to do a modem trace in the nRF Desktop application like you said. When attempting to run a modem trace with the AT_client sample like you said, I could not even successfully do a modem trace before checking the SIM card:

I also loaded the asset_tracker_v2 and attempted to do a modem trace with this program:

The trace was successful, but the application had a hard time checking the SIM card activation. In the terminal, I see the message "Device is in shell mode":

Will the device operate differently when in shell mode? I am not sure how to continue from here.

Øyvind said:

Looking at the certificate already available in the https_client sample, this does not have \n

You are correct that the original certificate does not have "...\n." The reason why I added it was because I saw someone else do this in a similar issue to mine here when attempting to change their certificate. I also received several build errors with a different certificate if the "...\n" was not added to every line. I re-flashed the original https_client sample to my nRF9160 DK, and this is the exact output of the application:

*** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
*** Using Zephyr OS v3.6.99-100befc70c74 ***
HTTPS client sample started
Bringing network interface up
Provisioning certificate
Certificate mismatch
Provisioning certificate
Connecting to the network
+CEREG: 2,"A204","0053C016",7
+CSCON: 1
+CGEV: ME PDN ACT 0,0
+CNEC_ESM: 50,0
+CEREG: 5,"A204","0053C016",7,,,"11100000","11100000"
Network connectivity established and IP address assigned
Looking up example.com
Resolved 93.184.215.14 (AF_INET)
Connecting to example.com:443
Sent 61 bytes
Received 372 bytes

>        HTTP/1.1 200 OK

Finished, closing socket.
+CGEV: ME PDN DEACT 0
+CEREG: 0
+CGEV: ME DETACH
+CSCON: 0
Network connectivity lost
Disconnected from the network

I am a bit confused, since the output here indicates to me that the https connection to example.com was successful. However, I am still receiving "certificate mismatch" in my output before the connection is established, and the modem trace wasn't successful.

I also removed the "...\n" from my .pem file that I am trying to use so that I can show you the errors that pop up when this is not included in the .pem file (see image below):

Just to clarify, the .pem file that I am attempting to use is from dweet.io, and I grabbed the x.509 certificate in Google chrome as shown in the image below:

When attempting to run my https_client application with a different certificate, this is the exact output I am receiving:

*** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
*** Using Zephyr OS v3.6.99-100befc70c74 ***
testing changes
HTTPS client sample started
Bringing network interface up
Provisioning certificate
Certificate mismatch
Provisioning certificate
Connecting to the network
+CEREG: 2,"A283","03CE4715",7
+CSCON: 1
+CGEV: ME PDN ACT 0,0
+CNEC_ESM: 50,0
+CEREG: 5,"A283","03CE4715",7,,,"11100000","11100000"
Network connectivity established and IP address assigned
Looking up dweet.io
Resolved 52.73.7.7 (AF_INET)
Connecting to dweet.io:443
connect() failed, err: 111
+CGEV: ME PDN DEACT 0
+CEREG: 0
+CGEV: ME DETACH
+CSCON: 0
Network connectivity lost
Disconnected from the network

From what I can tell, this is the same reject cause that I was receiving before.

Hi Øyvind,

Just wanted to update you and let you know I tried a different SIM and was able to do a successful modem trace.

However, even after the successful modem trace, I am still received the exact same issues as before with the https_client application. I believe this now confirms that even with a working SIM card, the issue is not related to the SIM card.

Hi Øyvind,

One more update for you, I needed to change the #include in the main code as well as one line in the MakeFile and now the "...\n" is no longer needed.

That being said, I am still having the exact same issue.

Thanks for confirming SIM functionality. 

skar001 said:

Just to clarify, the .pem file that I am attempting to use is from dweet.io, and I grabbed the x.509 certificate in Google chrome as shown in the image below:

Web sites often use a certificate that is much larger, designed for use with computer and phones with a larger memory, etc. The nRF9160 has a limitation of 2kB. Could you please provide the modem trace to verify the certificate size you have downloaded.

Øyvind, when I have https_client flashed to my nRF9160DK, I am unable to do a modem trace. I can only do a modem trace when I have the asset_tracker_v2 demo application flashed to the board. Here is the modem trace file with asset_tracker_v2:

trace-2024-10-08T12-33-41.775Z.mtrace

Does the modem trace file need to be with https_client flashed to the board?

Please advise.

Øyvind, when I have https_client flashed to my nRF9160DK, I am unable to do a modem trace. I can only do a modem trace when I have the asset_tracker_v2 demo application flashed to the board. Here is the modem trace file with asset_tracker_v2:

trace-2024-10-08T12-33-41.775Z.mtrace

Does the modem trace file need to be with https_client flashed to the board?

Please advise.

The provided modem trace does not show any issues. 

You will need to enable modem traces in the https_client sample by including the Modem trace module from the Modem library integration layer i.e. setting CONFIG_NRF_MODEM_LIB_TRACE=y in your pjr.conf

Kind regards,
Øyvind

Øyvind,

I attempted to include the setting in the config file like you had mentioned, and received errors when attempting to flash the application to my device (Note: there were no build errors, the image above was only when I attempted to flash the application to the board).

Please verify that you have enabled the UART backend when building the project by using:

west build --board board_target -- -D<image_name>_SNIPPET="nrf91-modem-trace-uart"

As described under: 

• Adding the nrf91-modem-trace-uart snippet to send modem traces over UART. See nRF91 modem tracing with UART backend using snippets for more details.

Hi Øyvind,

I was able to resolve the issue, but I have a different question regarding the .pem file size limit.

Øyvind said:

The nRF9160 has a limitation of 2kB.

Is there a way to increase the limitation to allow for larger X.509 certificates? I know I am able to increase the size of the receive buffer in the source code, but I am not sure if this is the same thing.

Thanks

Hi Stefanos, 

Happy to here you resolved the issue. 

The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

Kind regards,
Øyvind