https_client certificate change: "Certificate mismatch" error

Hello, 

am currently working with the Nordic nRF9160DK and am using the https_client example from the GitHub repository

What version of the nRF Connect SDK are you running? Last updated 2021 seems to be very old, i.e. here is a screenshot from NCS tag v2.7.0

I would recommend going through our Developer Academy - Cellular IoT Fundementals if this is your first time with Nordic Semiconductor. 

I'm not sure what DevZone posts you are referring to, I would recommend including these to be able to understand what you are trying to achieve. 

cereg: 5,"4115","0336f50f",7,0,17,"11100000","11100000"

Your first screenshot tells me that your device is rejected by the network in the Network registration status notification +CEREG. Position 7 - reject cause - includes Cause #17 – Network failure
This EMM cause is sent to the UE if the MME cannot service an UE generated request because of PLMN failures.

What SIM are you using ?

Kind regards,
Øyvind

Hi Oyvind,

I updated my original message on this ticket in order to more accurately reflect the issue I am dealing with, as well as provide some more information on my setup.

I confirmed that I am using the latest version (2.7.0) and I am using the iBasis nano SIM that came with the device. I believe that there are no issues with this SIM card, since I already successfully connected to example.com (see image below):

I think this issue is directly related to my attempt to change the certificate to a different web browser other than example.com

Øyvind,

I attempted to include the setting in the config file like you had mentioned, and received errors when attempting to flash the application to my device (Note: there were no build errors, the image above was only when I attempted to flash the application to the board).

Please verify that you have enabled the UART backend when building the project by using:

west build --board board_target -- -D<image_name>_SNIPPET="nrf91-modem-trace-uart"

As described under: 

• Adding the nrf91-modem-trace-uart snippet to send modem traces over UART. See nRF91 modem tracing with UART backend using snippets for more details.

Hi Øyvind,

I was able to resolve the issue, but I have a different question regarding the .pem file size limit.

Øyvind said:

The nRF9160 has a limitation of 2kB.

Is there a way to increase the limitation to allow for larger X.509 certificates? I know I am able to increase the size of the receive buffer in the source code, but I am not sure if this is the same thing.

Thanks

Hi Stefanos, 

Happy to here you resolved the issue. 

The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

Kind regards,
Øyvind

Thank you for the information.

Øyvind said:

The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

Do you know if this is specific to the 9160DK board or if this limit is for any device that is using the nRF9160 chip for development?

Thank you for the information.

Øyvind said:

The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

Do you know if this is specific to the 9160DK board or if this limit is for any device that is using the nRF9160 chip for development?

The nRF9160 SiP is an Arm Cortex M33 which includes an application core and a modem. The limit is inside of the LTE modem, which means all nRF91-series are currently limited by this 2kB limit. 

From the modem FW release notes:

*** Limitations
***************
- TLS/DTLS
    - Secure socket buffer size is 2kB.
    - Maximum length of DTLS datagram is 1kB.
    - One TLS handshake at a time is supported.
    - Concurrent secure connections
        - Maximum server certificate chain size has a limit of 4kB.
        - Two active connections are supported when serialized DTLS connection exists.
        - Two active connections are supported when client certificate size is over 1kB.
        - Two active connections are supported when GNSS acquisition is active.
        - Three active connections are supported when client certificate size is 1kB or less.
        - Four serialized DTLS connections are supported.
    - Server certificate expiry time is not verified.
    - pkcs#8 is not supported.
    - Maximum number of supported credentials is 32. The actual amount depends on size of
      credentials as memory area reserved for credentials may be a limiting factor as well.

The issue can easily be worked around by ensuring that you use correct certificate size which are designed for IoT devices and not PC/browsers.

Hello, I am using nrf9160 dev kit and hosted sample file in github.com and trying to download file using http download example. I am getting http connect error -111. Looks like its certificate error. What are the steps to generate certificates(size should be < 2kb) for this site: raw.githubusercontent.com/.../README.txt

Hi Sunny,

I've found that the best way to obtain X.509 certificate in the proper format is to use Firefox as a browser when accessing the site, and following the same steps to obtain the certificate. Firefox is typically more open source an generates a .pem file as well as a .pem chain in a format that is very user friendly with the 9160DK.

Hope this helps.