https_client certificate change: "Certificate mismatch" error

nRF Connect VS Code Extension (v2.7.0); Windows; nRF9160DK; https_client example application


Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code, and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I made the following changes to the source code based on what seemed like it had needed changing and based on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here:  changing certificate in https_client sample  

I also referenced the following documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload 

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

Any help in resolving this issue would be greatly appreciated.

  • Hello, 

    I am currently working with the Nordic nRF9160DK and am using the https_client example from the GitHub repository

    What version of the nRF Connect SDK are you running? Last updated 2021 seems to be very old, i.e. here is a screenshot from NCS tag v2.7.0

    I would recommend going through our Developer Academy - Cellular IoT Fundamentals if this is your first time with Nordic Semiconductor.

    I'm not sure what DevZone posts you are referring to, I would recommend including these to be able to understand what you are trying to achieve. 

    cereg: 5,"4115","0336f50f",7,0,17,"11100000","11100000"

    Your first screenshot tells me that your device is rejected by the network in the Network registration status notification +CEREG. Position 7 - reject cause - includes Cause #17 – Network failure
    This EMM cause is sent to the UE if the MME cannot service an UE generated request because of PLMN failures.

    What SIM are you using ?


    Kind regards,
    Øyvind

  • Hi Oyvind,

    I updated my original message on this ticket in order to more accurately reflect the issue I am dealing with, as well as provide some more information on my setup.

    I confirmed that I am using the latest version (2.7.0) and I am using the iBasis nano SIM that came with the device. I believe that there are no issues with this SIM card, since I already successfully connected to example.com (see image below):

    I think this issue is directly related to my attempt to change the certificate to a different web browser other than example.com

  • Hi Stefanos, 

    Happy to hear you resolved the issue.

    The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

    Kind regards,
    Øyvind

  • Thank you for the information.

    The 2kB limitation is inside the modem itself and cannot be changed, unfortunately.

    Do you know if this is specific to the 9160DK board or if this limit is for any device that is using the nRF9160 chip for development?

  • The nRF9160 SiP is an Arm Cortex-M33 which includes an application core and a modem. The limit is inside of the LTE modem, which means all nRF91-series devices are currently limited by this 2kB limit.

    From the modem FW release notes:

    *** Limitations
    ***************
    - TLS/DTLS
        - Secure socket buffer size is 2kB.
        - Maximum length of DTLS datagram is 1kB.
        - One TLS handshake at a time is supported.
        - Concurrent secure connections
            - Maximum server certificate chain size has a limit of 4kB.
            - Two active connections are supported when serialized DTLS connection exists.
            - Two active connections are supported when client certificate size is over 1kB.
            - Two active connections are supported when GNSS acquisition is active.
            - Three active connections are supported when client certificate size is 1kB or less.
            - Four serialized DTLS connections are supported.
        - Server certificate expiry time is not verified.
        - pkcs#8 is not supported.
        - Maximum number of supported credentials is 32. The actual amount depends on size of
          credentials as memory area reserved for credentials may be a limiting factor as well.

    The issue can easily be worked around by ensuring that you use a certificate of the correct size, i.e. one designed for IoT devices and not for PCs/browsers.
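Added example, not code from this thread or from Nordic's https_client sample: a host-side Python script that reads a PEM file or chain exported from a browser, measures each certificate against the 2kB secure socket buffer and the 4kB server chain limit quoted from the release notes above, and prints the one-string-literal-per-line ("...\n") form that the original post describes adding to the sample's cert/ directory. The input below is a constructed payload of known size, not a real certificate, and treating the limits as applying to the DER size of each certificate and of the chain is an assumption noted in the code.

```python
import base64
import re

# Limits quoted from the modem FW release notes earlier in this thread.
SECURE_SOCKET_BUFFER_BYTES = 2 * 1024   # "Secure socket buffer size is 2kB."
MAX_SERVER_CHAIN_BYTES = 4 * 1024       # "Maximum server certificate chain size has a limit of 4kB."

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def make_pem(der_bytes):
    """Wrap raw bytes as a PEM certificate block (base64, 64-column lines).

    Used to normalise parsed blocks and to build the constructed sample input;
    the sample bytes are NOT a real X.509 certificate, just a payload of known size.
    """
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def split_pem_chain(pem_text):
    """Return each certificate in a PEM file as its own normalised block.

    Whitespace inside the base64 body is dropped and the body re-wrapped at 64
    columns, so a CRLF file (common when exported from a Windows browser) comes
    out identical to an LF file.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))
        blocks.append(make_pem(base64.b64decode(body, validate=True)))
    return blocks


def der_size(pem_block):
    """Size in bytes of the DER certificate encoded in one PEM block."""
    body = "".join(line for line in pem_block.splitlines()
                   if not line.startswith("-----"))
    return len(base64.b64decode(body, validate=True))


def check_chain(pem_text):
    """Report per-certificate and total sizes against the modem limits.

    Assumption (not stated in the thread): the limits apply to the DER size of
    each certificate and of the whole chain, which is what the TLS handshake
    actually transfers.
    """
    certs = []
    for index, block in enumerate(split_pem_chain(pem_text)):
        der = der_size(block)
        certs.append({
            "index": index,
            "pem_bytes": len(block),
            "der_bytes": der,
            "fits_buffer": der <= SECURE_SOCKET_BUFFER_BYTES,
        })
    total = sum(c["der_bytes"] for c in certs)
    return {
        "certificates": certs,
        "chain_der_bytes": total,
        "chain_fits": bool(certs)
        and total <= MAX_SERVER_CHAIN_BYTES
        and all(c["fits_buffer"] for c in certs),
    }


def pem_to_c_lines(pem_block):
    """Render a PEM block in the one-string-literal-per-line form that the
    sample #includes from its cert/ directory (each line quoted, ending in \\n)."""
    return "\n".join('"%s\\n"' % line for line in pem_block.splitlines())


if __name__ == "__main__":
    # Constructed input: a 768-byte "certificate" followed by a 3000-byte one,
    # so the report shows one that fits the 2kB buffer and one that does not.
    sample = make_pem(bytes(range(256)) * 3) + make_pem(b"\x30" * 3000)
    result = check_chain(sample)
    for cert in result["certificates"]:
        print("cert %d: PEM %d bytes, DER %d bytes, fits %dkB buffer: %s" % (
            cert["index"], cert["pem_bytes"], cert["der_bytes"],
            SECURE_SOCKET_BUFFER_BYTES // 1024, cert["fits_buffer"]))
    print("chain DER total %d bytes, usable on nRF91 modem: %s" % (
        result["chain_der_bytes"], result["chain_fits"]))
    print(pem_to_c_lines(split_pem_chain(sample)[0]))
```

To use it on a real export, read the .pem file into a string and pass it to check_chain(); a certificate that fails fits_buffer is the kind that produces the "Certificate mismatch" / err 111 symptom described in this thread rather than a configuration error in main.c or Kconfig.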

  • Hello, I am using an nrf9160 dev kit, have hosted a sample file on github.com and am trying to download the file using the http download example. I am getting http connect error -111. Looks like it's a certificate error. What are the steps to generate certificates (size should be < 2kB) for this site: raw.githubusercontent.com/.../README.txt

  • Hi Sunny,

    I've found that the best way to obtain an X.509 certificate in the proper format is to use Firefox as a browser when accessing the site, and following the same steps to obtain the certificate. Firefox is typically more open source and generates a .pem file as well as a .pem chain in a format that is very user friendly with the 9160DK.

    Hope this helps.

