https_client connection results in error 22 on nRF7002dk

Hi,

I took a HTTPS Client Sample application from nRF SDK v2.6.2 and I cannot make it work.

What I figured out already is that SSL certificate for 'example.com' has changed from Digi Cert Global G2 to DigiCert Global G3. However It still doesn't connect properly.

The only changes that I have done is swapping the SSL certifitacte and adding WIFI credfentials. This is my prj.conf:

#
# Copyright (c) 2023 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

# General
CONFIG_HEAP_MEM_POOL_SIZE=1024
CONFIG_MAIN_STACK_SIZE=4096

# Logging
CONFIG_LOG=y

# Network
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=y
CONFIG_NET_CONNECTION_MANAGER=y
CONFIG_NET_CONNECTION_MANAGER_MONITOR_STACK_SIZE=1024

CONFIG_WIFI_CREDENTIALS_STATIC=y
CONFIG_WIFI_CREDENTIALS_STATIC_SSID="abc"
CONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD="xyz"
CONFIG_DNS_RESOLVER=y

The result is as follows:

*** Booting nRF Connect SDK v3.5.99-ncs1-2 ***
HTTPS client sample started
Bringing network interface up
Provisioning certificate
CA certificate already exists, sec tag: 42
Connecting to the network
[00:00:02.095,062] <inf> wifi_mgmt_ext: Connection requested
Network connectivity established and IP address assigned
Looking up example.com
Resolved 23.215.0.136 (AF_INET)
Connecting to example.com:443
connect() failed, err: 22
Network connectivity lost
Disconnected from the network

I also tried it on the latest nRF SDK 2.9.0 and it doesn't connect either.
Please provide a config that works with this sample on nRF7000dk.

I am looking forward for your support!

Parents

0 Elfving 1 month ago

Hi,

What I figured out already is that SSL certificate for 'example.com' has changed from Digi Cert Global G2 to DigiCert Global G3. However It still doesn't connect properly.

Yeah it looks related though it should give another sort of error, as well as being fixed in the newest SDK version. error 22 is wrong value used.

Your issue looks similar to the issue from this previous case though.

Could you double check that the credentials for your network is correct?

And could you see what is being returned on the log with these configs set?

CONFIG_NET_LOG=y

CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y

Regards,

Elfving
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Elfving 1 month ago

Hi,

What I figured out already is that SSL certificate for 'example.com' has changed from Digi Cert Global G2 to DigiCert Global G3. However It still doesn't connect properly.

Yeah it looks related though it should give another sort of error, as well as being fixed in the newest SDK version. error 22 is wrong value used.

Your issue looks similar to the issue from this previous case though.

Could you double check that the credentials for your network is correct?

And could you see what is being returned on the log with these configs set?

CONFIG_NET_LOG=y

CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y

Regards,

Elfving
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Hardware CI 1 month ago in reply to Elfving

Net credendials (ssid+password) are fine. You can tell by the successful DNS resolve of the hostname.
I am providing detailed net logs as requested:

SDK 2.6.2 + DigiCertGlobalG3.pem
*** Booting nRF Connect SDK v3.5.99-ncs1-3 *** HTTPS client sample started Bringing network interface up Provisioning certificate Connecting to the network [00:00:04.688,171] <inf> wifi_mgmt_ext: Connection requested [00:00:08.780,609] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e28, st=0, user_data=(nil) [00:00:08.814,453] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e6c, st=0, user_data=(nil) [00:00:08.869,812] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e28, st=0, user_data=(nil) [00:00:08.898,040] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e6c, st=0, user_data=(nil) [00:00:08.898,345] <inf> net_dhcpv4: Received: 10.213.127.217 Network connectivity established and IP address assigned Looking up example.com [00:00:08.931,701] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e28, st=0, user_data=(nil) [00:00:08.931,915] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.931,945] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.931,976] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.932,006] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.932,037] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.932,067] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.932,098] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.932,098] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.932,128] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.932,159] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.932,189] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -103 [00:00:08.947,753] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e6c, st=0, user_data=(nil) [00:00:08.947,937] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.947,967] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.947,998] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.948,028] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.948,059] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.948,089] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.948,120] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.948,150] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.948,150] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.948,181] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.948,211] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -100 [00:00:08.948,242] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): getaddrinfo entries overflow [00:00:08.948,272] <dbg> net_sock_addr: dns_resolve_cb: (rx_q[0]): dns status: -103 Resolved 23.192.228.84 (AF_INET) [00:00:08.949,096] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x2000dce0 [00:00:08.949,645] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x2000ea70, fd=10 Connecting to example.com:443 [00:00:09.397,033] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050de4, st=0, user_data=(nil) connect() failed, err: 22 [00:00:09.415,191] <dbg> net_sock: z_impl_zsock_close: (main): close: ctx=0x2000dce0, fd=9 [00:00:09.415,374] <dbg> net_sock: z_impl_zsock_close: (main): close: ctx=0x2000ea70, fd=10 [00:00:09.465,881] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e28, st=0, user_data=(nil) [00:00:09.707,916] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050de4, st=0, user_data=(nil) [00:00:09.722,564] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e28, st=0, user_data=(nil) [00:00:09.735,443] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050de4, st=0, user_data=(nil) [00:00:09.736,694] <dbg> net_sock_packet: zpacket_received_cb: (rx_q[0]): ctx=0x2000e900, pkt=0x20050e28, st=0, user_data=(nil) Network connectivity lost Disconnected from the network [00:00:10.457,611] <dbg> net_sock: z_impl_zsock_close: (): close: ctx=0x2000e900, fd=4 [00:00:10.467,742] <dbg> net_sock: z_impl_zsock_close: (net_mgmt): close: ctx=0x20044980, fd=6 [00:00:10.468,444] <dbg> net_sock: z_impl_zsock_close: (net_mgmt): close: ctx=0x20046a70, fd=8 [00:00:10.469,085] <dbg> net_sock: z_impl_zsock_close: (net_mgmt): close: ctx=0x200459f8, fd=7 [00:00:10.470,886] <dbg> net_sock: z_impl_zsock_close: (): close: ctx=0x20043908, fd=5

SDK 2.6.2 + fullchain.pem
*** Booting nRF Connect SDK v3.5.99-ncs1-3 *** HTTPS client sample started Bringing network interface up Provisioning certificate Failed to register CA certificate: -5

SDK 2.9.0 + DigiCertGlobalG3.pem
*** Booting nRF Connect SDK v2.9.0-7787b2649840 *** *** Using Zephyr OS v3.7.99-1f8f3dc29142 *** HTTPS client sample started Bringing network interface up [00:00:00.548,126] <dbg> net_sock_svc: socket_service_thread: (net_socket_service): Service WEST_TOPDIR/zephyr/subsys/net/lib/dns/resolve.c:38 has 1 pollable sockets [00:00:00.548,156] <dbg> net_sock_svc: socket_service_thread: (net_socket_service): Monitoring 1 socket entries Provisioning certificate CA certificate already exists, sec tag: 42 Connecting to the network [00:00:08.706,115] <inf> wifi_mgmt_ext: Connection requested --- 2 messages dropped --- [00:00:13.017,913] <dbg> net_sock: zsock_socket_internal: (rx_q[0]): socket: ctx=0x2000f200, fd=13 [00:00:13.020,721] <dbg> net_sock_svc: socket_service_thread: (net_socket_service): Received restart event. [00:00:13.030,242] <inf> net_dhcpv4: Received: 10.213.127.217 Network connectivity established and IP address assigned Looking up example.com [00:00:13.031,066] <dbg> net_sock_addr: exec_query: (main): Timeout 5000 [00:00:13.349,884] <dbg> net_sock: zsock_received_cb: (rx_q[0]): ctx=0x2000f200, pkt=0x200560b0, st=0, user_data=0 --- 5 messages dropped --- [00:00:13.350,677] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.350,708] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.350,738] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.350,769] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.350,799] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.350,830] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.350,860] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.350,891] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.410,491] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.410,522] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.410,552] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.410,583] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.410,614] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.410,644] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.410,675] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.410,705] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.410,736] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.410,766] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.410,797] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -100 [00:00:13.410,827] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): getaddrinfo entries overflow [00:00:13.410,858] <dbg> net_sock_addr: dns_resolve_cb: (net_socket_service): dns status: -103 Resolved 23.192.228.84 (AF_INET) [00:00:13.411,132] <dbg> net_sock_tls: tls_alloc: (main): Allocated TLS context, 0x2000e438 [00:00:13.411,712] <dbg> net_sock: zsock_socket_internal: (main): socket: ctx=0x2000f2b8, fd=15 Connecting to example.com:443 [00:00:13.708,740] <err> net_sock_tls: Failed to parse CA certificate, err: -0x3a00 connect() failed, err: 22 [00:00:13.709,014] <dbg> net_sock: z_impl_zsock_close: (main): close: ctx=0x2000f2b8, fd=15 [00:00:13.861,267] <dbg> net_sock: z_impl_zsock_close: (rx_q[0]): close: ctx=0x2000f200, fd=13 [00:00:13.861,572] <dbg> net_sock: zsock_socket_internal: (rx_q[0]): socket: ctx=0x2000f200, fd=13 [00:00:13.866,088] <dbg> net_sock_svc: socket_service_thread: (net_socket_service): Received restart event. Network connectivity lost Disconnected from the network

SDK 2.9.0 + fullchain.pem*** Booting nRF Connect SDK v2.9.0-7787b2649840 *** *** Using Zephyr OS v3.7.99-1f8f3dc29142 *** HTTPS client sample started Bringing network interface up [00:00:00.595,123] <dbg> net_sock_svc: socket_service_thread: (net_socket_service): Service WEST_TOPDIR/zephyr/subsys/net/lib/dns/resolve.c:38 has 1 pollable sockets [00:00:00.595,153] <dbg> net_sock_svc: socket_service_thread: (net_socket_service): Monitoring 1 socket entries Provisioning certificate Failed to register CA certificate: -5

I also provide zip with modified examples from both SDK versions:
6521.https_client.zip
I included up-to-date pem files:

DigiCertGlobalG3.pem
fullchain.pem (DigiCertGlobalG3 + DigiCert Global G3 TLS ECC SHA384 2020 CA1).

Both pem files you can positively verify using python script (certs/test.py).

For 'https_client_2_6_2' I use NRF SDK 2.6.2 and toolchain 2.6.2.
For 'https_client_2_9_0' I use NRF SDK 2.9.0 and toolchain 2.9.0.

0 Elfving 1 month ago in reply to Hardware CI

It fails in a somewhat similar way for me as well.

I've forwarded this to the relevant R&D team, and will update you when I hear from them.

Regards,

Elfving
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Hardware CI 29 days ago in reply to Elfving

Thank you Elfving,
This is a blocker for me at the moment, so I’d be grateful for any guidance.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Elfving 29 days ago in reply to Hardware CI

Understood.

I'm a bit unclear about whether or not this solves it all for me, but could you try this fix? I've heard claims that this should be the problem.

Regards,

Elfving
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Hardware CI 28 days ago in reply to Elfving

Yes, I've already replaced the certificate with the proper one (DigiCertGlobalG3.pem)
I included this information in my original post.

"What I figured out already is that SSL certificate for 'example.com' has changed from Digi Cert Global G2 to DigiCert Global G3. However It still doesn't connect properly."
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel