https_client certificate change: "Certificate mismatch" error

nRF Connect VS Code Extension (v2.7.0); Windows; nRF9160DK; https_client example application


Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code, and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I made the following changes to the source code based on what seemed like it needed changing and on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here: changing certificate in https_client sample

I also referenced the following documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

Any help in resolving this issue would be greatly appreciated.

  • The nRF9160 SiP is an Arm Cortex-M33 which includes an application core and a modem. The limit is inside the LTE modem, which means all nRF91-series devices are currently limited by this 2kB limit.

    From the modem FW release notes:

    *** Limitations
    ***************
    - TLS/DTLS
        - Secure socket buffer size is 2kB.
        - Maximum length of DTLS datagram is 1kB.
        - One TLS handshake at a time is supported.
        - Concurrent secure connections
            - Maximum server certificate chain size has a limit of 4kB.
            - Two active connections are supported when serialized DTLS connection exists.
            - Two active connections are supported when client certificate size is over 1kB.
            - Two active connections are supported when GNSS acquisition is active.
            - Three active connections are supported when client certificate size is 1kB or less.
            - Four serialized DTLS connections are supported.
        - Server certificate expiry time is not verified.
        - pkcs#8 is not supported.
        - Maximum number of supported credentials is 32. The actual amount depends on size of
          credentials as memory area reserved for credentials may be a limiting factor as well.

    The issue can easily be worked around by ensuring that you use certificates of the correct size, which are designed for IoT devices and not PCs/browsers.
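    A practical pre-flight check, added here as an illustration and not code from the https_client sample or from Nordic: before provisioning a certificate to the modem, parse the PEM chain, measure each certificate's DER size, and compare the totals against the figures quoted from the release notes above (4kB for the server certificate chain, 2kB for the secure socket buffer). Treating "largest single certificate must fit in the 2kB buffer" as a check is my own reading of those notes, not a rule the notes state. The script also renders a PEM file as the adjacent C string literals with a trailing `\n` on every line that the original poster describes adding to the sample's cert file. The sample chain is constructed from dummy bytes purely to exercise the size logic; it is not a real certificate.

```python
import base64
import re

# Limits quoted from the modem FW release notes in the reply above.
MAX_CHAIN_DER_BYTES = 4 * 1024    # "Maximum server certificate chain size has a limit of 4kB."
SECURE_SOCKET_BUFFER = 2 * 1024   # "Secure socket buffer size is 2kB." (per-certificate check is an assumption)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block found in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_chain(text):
    """Measure the CERTIFICATE blocks in a PEM chain against the modem limits."""
    certs = [der for label, der in parse_pem(text) if label == "CERTIFICATE"]
    sizes = [len(der) for der in certs]
    total = sum(sizes)
    return {
        "count": len(certs),
        "sizes": sizes,
        "total": total,
        "fits_chain_limit": total <= MAX_CHAIN_DER_BYTES,
        "largest_fits_socket_buffer": max(sizes, default=0) <= SECURE_SOCKET_BUFFER,
    }


def pem_to_c_string(text):
    """Render PEM text as adjacent C string literals, one per line, each ending in \\n,
    which is the layout the poster describes for the sample's cert file."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    return "\n".join('"%s\\n"' % l for l in lines)


def _fake_pem_block(label, der):
    """Wrap arbitrary bytes as a PEM block (constructed test data, not a real certificate)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample chains: a 1500-byte "leaf" plus a 1200-byte "intermediate" (2700 bytes, fits),
# and an oversized pair of 2500 + 2000 bytes (4500 bytes, exceeds the 4kB chain limit).
SAMPLE_CHAIN = (_fake_pem_block("CERTIFICATE", bytes(range(256)) * 5 + b"\x00" * 220)
                + _fake_pem_block("CERTIFICATE", bytes(range(256)) * 4 + b"\x00" * 176))
OVERSIZED_CHAIN = (_fake_pem_block("CERTIFICATE", bytes(range(256)) * 9 + b"\x00" * 196)
                   + _fake_pem_block("CERTIFICATE", bytes(range(256)) * 7 + b"\x00" * 208))

if __name__ == "__main__":
    for name, chain in (("sample", SAMPLE_CHAIN), ("oversized", OVERSIZED_CHAIN)):
        r = check_chain(chain)
        print("%s: %d certs, sizes=%s, total=%d, chain ok=%s, socket buffer ok=%s" % (
            name, r["count"], r["sizes"], r["total"],
            r["fits_chain_limit"], r["largest_fits_socket_buffer"]))
    print(pem_to_c_string(SAMPLE_CHAIN)[:120] + "...")
```

    Run it against a real `.pem` exported from the browser by reading the file into `check_chain`; if `fits_chain_limit` is false, the chain is larger than the modem can hold and a shorter chain (for example the leaf plus one intermediate, or a smaller root) is needed before provisioning.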

  • Hello, I am using the nRF9160 dev kit and have hosted a sample file on github.com, and I am trying to download the file using the http download example. I am getting http connect error -111. Looks like it's a certificate error. What are the steps to generate certificates (size should be < 2kB) for this site: raw.githubusercontent.com/.../README.txt

  • Hi Sunny,

    I've found that the best way to obtain an X.509 certificate in the proper format is to use Firefox as the browser when accessing the site, and to follow the same steps to obtain the certificate. Firefox is typically more open source and generates a .pem file as well as a .pem chain in a format that is very user friendly with the 9160DK.

    Hope this helps.
