https_client certificate change: "Certificate mismatch" error

skar001 1 month ago

nRF Connect VS Code Extension (v2.7.0); Windows; nRF9160DK; https_client example application

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code, and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I made the following changes to the source code based on what seemed like it had needed changing and based on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here: changing certificate in https_client sample

I also referenced the following documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

Any help in resolving this issue would be greatly appreciated.

Parents

0 Øyvind 1 month ago

Hello,

am currently working with the Nordic nRF9160DK and am using the https_client example from the GitHub repository

What version of the nRF Connect SDK are you running? Last updated 2021 seems to be very old, i.e. here is a screenshot from NCS tag v2.7.0

I would recommend going through our Developer Academy - Cellular IoT Fundementals if this is your first time with Nordic Semiconductor.

I'm not sure what DevZone posts you are referring to, I would recommend including these to be able to understand what you are trying to achieve.

cereg: 5,"4115","0336f50f",7,0,17,"11100000","11100000"

Your first screenshot tells me that your device is rejected by the network in the Network registration status notification +CEREG. Position 7 - reject cause - includes Cause #17 – Network failure
This EMM cause is sent to the UE if the MME cannot service an UE generated request because of PLMN failures.

What SIM are you using ?

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 skar001 1 month ago in reply to Øyvind

Hi Oyvind,

I updated my original message on this ticket in order to more accurately reflect the issue I am dealing with, as well as provide some more information on my setup.

I confirmed that I am using the latest version (2.7.0) and I am using the iBasis nano SIM that came with the device. I believe that there are no issues with this SIM card, since I already successfully connected to example.com (see image below):

I think this issue is directly related to my attempt to change the certificate to a different web browser other than example.com
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 skar001 26 days ago in reply to Øyvind

Øyvind,

I attempted to include the setting in the config file like you had mentioned, and received errors when attempting to flash the application to my device (Note: there were no build errors, the image above was only when I attempted to flash the application to the board).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind 20 days ago in reply to skar001
Please verify that you have enabled the UART backend when building the project by using:

west build --board board_target -- -D<image_name>_SNIPPET="nrf91-modem-trace-uart"

As described under:

Adding the nrf91-modem-trace-uart snippet to send modem traces over UART. See nRF91 modem tracing with UART backend using snippets for more details.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 skar001 18 days ago in reply to Øyvind

Hi Øyvind,

I was able to resolve the issue, but I have a different question regarding the .pem file size limit.

Øyvind said:
The nRF9160 has a limitation of 2kB.

Is there a way to increase the limitation to allow for larger X.509 certificates? I know I am able to increase the size of the receive buffer in the source code, but I am not sure if this is the same thing.

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Øyvind 15 days ago in reply to skar001

Hi Stefanos,

Happy to here you resolved the issue.

The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

Kind regards,
Øyvind
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 skar001 14 days ago in reply to Øyvind

Thank you for the information.

Øyvind said:
The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

Do you know if this is specific to the 9160DK board or if this limit is for any device that is using the nRF9160 chip for development?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 skar001 14 days ago in reply to Øyvind

Thank you for the information.

Øyvind said:
The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

Do you know if this is specific to the 9160DK board or if this limit is for any device that is using the nRF9160 chip for development?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Øyvind 14 days ago in reply to skar001

The nRF9160 SiP is an Arm Cortex M33 which includes an application core and a modem. The limit is inside of the LTE modem, which means all nRF91-series are currently limited by this 2kB limit.

From the modem FW release notes:

*** Limitations
***************
- TLS/DTLS
    - Secure socket buffer size is 2kB.
    - Maximum length of DTLS datagram is 1kB.
    - One TLS handshake at a time is supported.
    - Concurrent secure connections
        - Maximum server certificate chain size has a limit of 4kB.
        - Two active connections are supported when serialized DTLS connection exists.
        - Two active connections are supported when client certificate size is over 1kB.
        - Two active connections are supported when GNSS acquisition is active.
        - Three active connections are supported when client certificate size is 1kB or less.
        - Four serialized DTLS connections are supported.
    - Server certificate expiry time is not verified.
    - pkcs#8 is not supported.
    - Maximum number of supported credentials is 32. The actual amount depends on size of
      credentials as memory area reserved for credentials may be a limiting factor as well.

The issue can easily be worked around by ensuring that you use correct certificate size which are designed for IoT devices and not PC/browsers.

0 Sunny_1982 8 hours ago in reply to Øyvind

Hello, I am using nrf9160 dev kit and hosted sample file in github.com and trying to download file using http download example. I am getting http connect error -111. Looks like its certificate error. What are the steps to generate certificates(size should be < 2kb) for this site: raw.githubusercontent.com/.../README.txt
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel