https_client certificate change: "Certificate mismatch" error showing up

Hello,

I am currently working with the Nordic nRF9160DK and am using the https_client example from the examples in the nRF Connect via VS Code (on Windows OS), and as far as I know it is the latest release (v2.7.0). I have already successfully established a connection with example.com and was able to send/receive data. However, I am having some issues when attempting to change the certificate. I am attempting to connect to dweet.io, and when running the demo, I receive an output which says "Certificate mismatch" and "err: 111" (see image below):

I have also received a different output before as well (shown below):

I made the following changes to the source code based on what seemed like it had needed changing and based on previous DevZone posts I have seen with similar issues. I linked the main issue that I followed here:  changing certificate in https_client sample  

I also referenced the following documentation: 

https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/modem/modem_key_mgmt.html#cert-dwload 

https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/net/https_client/README.html 

https://docs.nordicsemi.com/bundle/ncs-2.4.0/page/zephyr/connectivity/networking/api/http.html 

Added the .pem file (filename dweet.io.pem) in the /cert directory, as well as added "...\n":

Updated the certificate definition in main.c:

Changed HTTPS_HOSTNAME in kconfig:

I also attempted to change the CMakeLists.txt file to include the dweet.io.pem:

I do not believe this to be an issue with the SIM card, since I am using the nanoSIM that was included with the 9160DK, and had no issues when connecting to example.com

Any help in resolving this issue would be greatly appreciated. 

  • Hi,

    You could start by checking if you have a proper name for the dweet pem certificate. I noticed that when downloaded from the dweet.io website, it had name dweet-io.pem but you used dweet.io.pem. Was it a typo on your end or you changed the name on purpose? 

    Additionally, you could try to download AmazonRootCA1.pem, put it in the cert folder, and use it in main.c like this:

    static const char cert[] = {
    	#include "..\cert\AmazonRootCA1.pem"
    
    	/* Null terminate certificate if running Mbed TLS on the application core.
    	 * Required by TLS credentials API.
    	 */
    	IF_ENABLED(CONFIG_TLS_CREDENTIALS, (0x00))
    };


    Best regards,
    Dejan

  • Hi Dejan,

    Thank you for your reply. There was no change in the certificate name on my end. When I downloaded the file, the name was "dweet.io." Can I ask the procedure that you followed to download the .pem certificate?

    Additionally, I attempted the AmazonRootCA1.pem like you requested, and received the same output:

    static const char cert[] = {
    	#include "AmazonRootCA1.pem"
    
    	/* Null terminate certificate if running Mbed TLS on the application core.
    	 * Required by TLS credentials API.
    	 */
    	IF_ENABLED(CONFIG_TLS_CREDENTIALS, (0x00))
    };

    I would like to note that I did not include the "..\cert" portion since this resulted in build errors for me.

  • Hi,

    skar001 said:
    There was no change in the certificate name on my end. When I downloaded the file, the name was "dweet.io." Can I ask the procedure that you followed to download the .pem certificate?

    I used Firefox to download a certificate. In the address bar, to the left of the address dweet.io, you can see a padlock symbol. If you click on that one and go to More Information, a new window opens - "Page Information - https://dweet.io". Choose the Security tab and click on Show Certificate. On the dweet.io tab, scroll down until you find 2 PEM files available for download. Click on "PEM (cert)" to download the dweet-io.pem file.

    Best regards,
    Dejan

  • Thank you for the information, dejans. Does the specific browser that is being used make a difference? I am using Google Chrome, and what I saw when following a similar procedure is what I sent you.

  • Hi,

    I have checked using Chrome. Certificate file name was automatically offered, and it was different than in Firefox as you mentioned previously - dweet.io. However, when I exported the certificate, it was automatically assigned crt format. Can you verify that you changed the extension of the file to pem?

    Have you put all your certificates in your <project_folder>\cert directory?

    Best regards,
    Dejan 

  • Hi dejans,

    I actually ended up downloading Firefox in order to obtain the certificate the same way that you did, and I received a different .pem and a different file. When using the certificate from Firefox, this was my output:

    I am not sure what is causing the 405 error at this point with the connection, since the output is showing data being sent and received.

  • Hi,

    You can find information about 405 Method Not Allowed status code in HTTP response status codes in the MDN documentation.

    Best regards,
    Dejan

  • dejans,

    So it looks like dweet.io is not supporting some type of method that the nRF9160DK is attempting to use to establish the https connection. Does Nordic have a list or documentation somewhere of some web domains that do support the same methods as the https_client example with the 9160DK?

    Can you also specify which https methods (POST, PUT, TRACE, etc.) this application is using to establish an https connection? I believe what causes a 405 error is when the client uses a method that is not supported by the web browser. The image below shows the methods that are supported by example.com, which is the web browser that https_client uses by default for the application.

  • Hi,

    To avoid getting a 405 error, you need to change the method to GET in main.c:

    #define HTTP_HEAD		\
    				"GET / HTTP/1.1\r\n"	\
    				"Host: " CONFIG_HTTPS_HOSTNAME ":" HTTPS_PORT "\r\n"		\
    				"Connection: close\r\n\r\n"

    When I tried this, I ended up with the error "recv() failed err 122". This error is EMSGSIZE, and it means that there is a problem with the message size: the message is too big. The sample has a buffer of 2 KB, which is not enough for receiving the response from the server. The buffer size was chosen to be 2 KB because the sample was implemented to download only the headers, not the message body. The first option for avoiding the error is to increase RECV_BUF_SIZE. I have tried this myself, but there still seems to be more data than the buffer could handle. Another option would be to modify the implementation of the sample so that it receives and prints the response in parts.

    Best regards,
    Dejan
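
The "receive and print the response in parts" option from the reply above, as an added example that is not part of the original thread or of the Nordic sample: one small buffer is reused for every recv() call, so the response size is never limited by the buffer size. It assumes plain POSIX sockets on a host, with a socketpair standing in for the TLS connection; `RECV_CHUNK_SIZE`, `rx_stats`, `recv_in_parts` and `demo_large_response` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define RECV_CHUNK_SIZE 256 /* assumed value, deliberately smaller than the response */

struct rx_stats { size_t bytes; unsigned chunks; };

/* Handle one chunk: print it and update the counters. */
static void on_chunk(const char *data, size_t len, struct rx_stats *st)
{
	fwrite(data, 1, len, stdout);
	st->bytes += len;
	st->chunks++;
}

/* Drain fd with one small reusable buffer until the peer closes the
 * connection ("Connection: close"). Returns 0, or -1 with errno set. */
int recv_in_parts(int fd, struct rx_stats *st)
{
	char buf[RECV_CHUNK_SIZE];

	for (;;) {
		ssize_t n = recv(fd, buf, sizeof(buf), 0);
		if (n > 0)
			on_chunk(buf, (size_t)n, st);
		else if (n == 0)
			return 0;   /* orderly close: response complete */
		else if (errno != EINTR)
			return -1;  /* real error, caller inspects errno */
	}
}

/* Constructed demo: the "server" end of a socketpair sends headers plus a
 * 4096-byte body (larger than the sample's 2 KB buffer), then closes. */
int demo_large_response(struct rx_stats *st)
{
	static const char hdr[] = "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n";
	char body[4096];
	int sv[2], rc = -1;

	memset(body, 'x', sizeof(body));
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
		return -1;
	if (send(sv[0], hdr, sizeof(hdr) - 1, 0) >= 0 &&
	    send(sv[0], body, sizeof(body), 0) >= 0) {
		shutdown(sv[0], SHUT_WR); /* signal end of response */
		rc = recv_in_parts(sv[1], st);
	}
	close(sv[0]);
	close(sv[1]);
	return rc;
}
```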
