https://devzone.nordicsemi.com/f/nordic-q-a/119396/tls-handshake-fails-with-alert-level-fatal-description-unknown-caIt seems I cannot post a full explanation of context so here is the short version. Ill add detail after. Devices in field all suddenly unable to connect to GCP host. Problem simplified to https_client sample with url changed to run.app and certificateen-USTelligent Community 13Thu, 27 Feb 2025 15:11:16 GMThttps://devzone.nordicsemi.com/thread/525111?ContentTypeID=1Thu, 27 Feb 2025 15:11:16 GMT137ad170-7792-4731-bb38-c0d22fbe4515:addb90d0-e852-4abc-8154-d7168fb05096H&#229;kon Alseth<p>Hi,</p> <p>&nbsp;</p> <p>I downloaded wr2.pem from here:</p> <p><a href="https://pki.goog/repository/">https://pki.goog/repository/</a></p> <p>&nbsp;</p> <p>Did a quickfix to avoid changing main.c:</p> <p><pre class="ui-code" data-mode="text">diff --git a/samples/net/https_client/CMakeLists.txt b/samples/net/https_client/CMakeLists.txt index 2a937786ed..975b511569 100644 --- a/samples/net/https_client/CMakeLists.txt +++ b/samples/net/https_client/CMakeLists.txt @@ -14,7 +14,7 @@ set(gen_dir ${CMAKE_CURRENT_BINARY_DIR}/certs) zephyr_include_directories(${gen_dir}) generate_inc_file_for_target( app - cert/DigiCertGlobalG2.pem + cert/wr2.pem ${gen_dir}/DigiCertGlobalG2.pem.inc ) </pre></p> <p>and set CONFIG_HTTPS_HOSTNAME=&quot;run.app&quot;&nbsp;</p> <p>Here&#39;s the output:</p> <p><pre class="ui-code" data-mode="text">*** Using Zephyr OS v3.7.99-1f8f3dc29142 *** HTTPS client sample started Bringing network interface up [00:00:00.536,163] &lt;inf&gt; nrf_modem_lib_trace: Trace thread ready [00:00:00.543,640] &lt;inf&gt; nrf_modem_lib_trace: Trace level override: 2 Provisioning certificate Certificate match Connecting to the network +CEREG: 2,&quot;8169&quot;,&quot;014ACE00&quot;,7 +CSCON: 1 +CSCON: 0 +CSCON: 1 +CGEV: ME PDN ACT 0 %MDMEV: SEARCH STATUS 2 +CEREG: 1,&quot;8169&quot;,&quot;014ACE00&quot;,7,,,&quot;00001010&quot;,&quot;11000001&quot; Network connectivity established and IP address assigned Looking up run.app +CGEV: IPV6 0 Resolved 216.239.32.53 (AF_INET) Connecting to run.app:443 Sent 57 bytes Received 207 bytes &gt; HTTP/1.1 404 Not Found Finished, closing socket. +CGEV: ME PDN DEACT 0 +CEREG: 0 +CGEV: ME DETACH +CSCON: 0 Network connectivity lost Disconnected from the network</pre></p> <p></p> <p>And pcapng:&nbsp;<a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/341496_5F00_.pcapng">devzone.nordicsemi.com/.../341496_5F00_.pcapng</a></p> <p></p> <p>&nbsp;</p> <p>Q1: What mfw are you using?</p> <p><span style="text-decoration:line-through;">Q2: Have you checked that the wr2.pem is updated on your end?</span></p> <p>Your comment indicate that you use the latest.</p> <p>Q3: Could you add a top-level root CA to another tag in addition? wr2 is a intermediate cert.</p> <p>&nbsp;&nbsp;</p> <p>Kind regards,</p> <p>Håkon</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/525071?ContentTypeID=1Thu, 27 Feb 2025 13:39:32 GMT137ad170-7792-4731-bb38-c0d22fbe4515:340f4b03-4122-4a92-a1d2-a5b81603f91eSST<p>Here is the curl line:</p> <p><pre class="ui-code" data-mode="text">curl -v --tlsv1.2 --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 --cacert wr2.pem --request POST --data &#39;test&#39; https://run.app/ </pre></p> <p>The certificate is here (It seems I cannot attach it):</p> <p><a href="https://i.pki.goog/wr2.pem">https://i.pki.goog/wr2.pem</a></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/525069?ContentTypeID=1Thu, 27 Feb 2025 13:30:29 GMT137ad170-7792-4731-bb38-c0d22fbe4515:896b9dd8-c5ce-436e-943b-643539a7ed2aSST<p>Here is the capture:</p> <p><a href="https://devzone.nordicsemi.com/cfs-file/__key/communityserver-discussions-components-files/4/sterile_2D00_with_2D00_wr2.pcapng">devzone.nordicsemi.com/.../sterile_2D00_with_2D00_wr2.pcapng</a></p><div style="clear:both;"></div>