https_client certificate change: "Certificate mismatch" error showing up

Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code (on Windows OS), and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I have also received a different output before as well (shown below):

I made the following changes to the source code based on what seemed like it had needed changing and based on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here:  changing certificate in https_client sample  

I also referenced the following documentation: 

https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload 

https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/net/https_client/README.html 

https://docs.nordicsemi.com/bundle/ncs-2.4.0/page/zephyr/connectivity/networking/api/http.html 

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

I also attempted to change the CMakeLists.txt file to include the dweet.io.pem:

I do not believe this to be an issue with the SIM card, since I am using the nanoSIM that was included with the 9160DK, and had no issues when connecting to example.com

Any help in resolving this issue would be greatly appreciated. 

  • Hi,

    You could start by checking if you have a proper name for the dweet pem certificate. I noticed that when downloaded from the dweet.io website, it had the name dweet-io.pem but you used dweet.io.pem. Was it a typo on your end or did you change the name on purpose?

    Additionally, you could try to download AmazonRootCA1.pem, put it in the cert folder, and use it in main.c like this:

    static const char cert[] = {
    	#include "..\cert\AmazonRootCA1.pem"
    
    	/* Null terminate certificate if running Mbed TLS on the application core.
    	 * Required by TLS credentials API.
    	 */
    	IF_ENABLED(CONFIG_TLS_CREDENTIALS, (0x00))
    };


    Best regards,
    Dejan

  • Hi Dejan,

    Thank you for your reply. There was no change in the certificate name on my end. When I downloaded the file, the name was "dweet.io." Can I ask the procedure that you followed to download the .pem certificate?

    Additionally, I attempted the AmazonRootCA1.pem like you requested, and received the same output:

    static const char cert[] = {
    	#include "AmazonRootCA1.pem"
    
    	/* Null terminate certificate if running Mbed TLS on the application core.
    	 * Required by TLS credentials API.
    	 */
    	IF_ENABLED(CONFIG_TLS_CREDENTIALS, (0x00))
    };

    I would like to note that I did not include the "..\cert" portion since this resulted in build errors for me

  • Hi,

    skar001 said:
    There was no change in the certificate name on my end. When I downloaded the file, the name was "dweet.io." Can I ask the procedure that you followed to download the .pem certificate?

    I used Firefox to download a certificate. In the address bar, to the left of the address dweet.io, you can see a padlock symbol. If you click on that one and go to More Information, a new window opens - "Page Information - https://dweet.io". Choose the Security tab and click on Show Certificate. On the dweet.io tab, scroll down until you find 2 PEM files available for download. Click on "PEM (cert)" to download the dweet-io.pem file.

    Best regards,
    Dejan

  • Thank you for the information, dejans. Does the specific browser that is being used make a difference? I am using Google Chrome, and what I saw when following a similar procedure is what I sent you.

  • Hi,

    I have checked using Chrome. Certificate file name was automatically offered, and it was different than in Firefox as you mentioned previously - dweet.io. However, when I exported the certificate, it was automatically assigned crt format. Can you verify that you changed the extension of the file to pem?

    Have you put all your certificates in your <project_folder>\cert directory?

    Best regards,
    Dejan 
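
The file name and extension differences discussed above (dweet.io versus dweet-io.pem, .crt versus .pem, lines wrapped as "...\n") do not show which certificate a file actually holds. As an added example, not part of the thread or of the Nordic sample, this host-side Python check detects whether a file is binary DER, plain PEM, or PEM already wrapped in C string quotes, and computes the SHA-256 fingerprint to compare with the one shown in the browser's certificate viewer. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def inspect_cert_file(data):
    """Return (form, [DER bytes, ...]) for an exported certificate file."""
    # Binary DER: ASN.1 SEQUENCE with a two-byte length. 0x82 is not ASCII,
    # so a text file can never start with these two bytes.
    if data[:2] == b"\x30\x82":
        return "der", [data]
    text = data.decode("ascii")          # non-ASCII input raises ValueError
    form = "pem"
    if '"' in text or "\\n" in text:
        # Lines already wrapped as C string literals: "....\n"
        form = "c-quoted-pem"
        text = text.replace('"', "").replace("\\n", "\n")
    bodies = PEM_RE.findall(text)
    if not bodies:
        raise ValueError("no CERTIFICATE block found")
    ders = [base64.b64decode("".join(b.split()), validate=True) for b in bodies]
    if any(d[:2] != b"\x30\x82" for d in ders):
        raise ValueError("a block does not decode to ASN.1 DER")
    return form, ders

def to_pem(der):
    """Re-encode DER as canonical PEM (64-column base64, LF line ends)."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows,
                      "-----END CERTIFICATE-----"]) + "\n"

def fingerprint(der):
    """SHA-256 over the DER bytes, as certificate viewers display it."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample: NOT a real certificate, only bytes with a DER-like
# header so the three file forms can be exercised offline.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = to_pem(SAMPLE_DER).encode()
SAMPLE_QUOTED = "".join(
    f'"{line}\\n"\n' for line in to_pem(SAMPLE_DER).splitlines()).encode()

if __name__ == "__main__":
    for name, blob in [("export.crt", SAMPLE_DER), ("export.pem", SAMPLE_PEM),
                       ("quoted.pem", SAMPLE_QUOTED)]:
        form, ders = inspect_cert_file(blob)
        print(name, form, len(ders), fingerprint(ders[0]))
```

Two exports that print the same fingerprint are the same certificate whatever the browser named them; different fingerprints mean different certificates were saved.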

  • Hi dejans,

    I actually ended up downloading Firefox in order to obtain the certificate the same way that you did, and I received a different .pem and a different file. When using the certificate from Firefox, this was my output:

    I am not sure what is causing the 405 error at this point with the connection, since the output is showing data being sent and received.
