This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

mqtts reported an error when creating a socket: Operation not supported on socket.

I want nRF9160 to do mqtts connection without certificate.

Modem FW:1.2.3

Here is my mqtt client_init:

static int client_init(struct mqtt_client *client)
{
	int err;

	mqtt_client_init(client);

	err = broker_init();
	if (err) {
		LOG_ERR("Failed to initialize broker connection");
		return err;
	}

	/* MQTT client configuration */
	client->broker = &broker;
	client->evt_cb = mqtt_evt_handler;
	client->client_id.utf8 = (uint8_t *)CONFIG_MQTT_CLIENT_ID;
	client->client_id.size = strlen(CONFIG_MQTT_CLIENT_ID);
	client->password = NULL;
	client->user_name = NULL;
	client->protocol_version = MQTT_VERSION_3_1_1;

	/* MQTT buffers configuration */
	client->rx_buf = rx_buffer;
	client->rx_buf_size = sizeof(rx_buffer);
	client->tx_buf = tx_buffer;
	client->tx_buf_size = sizeof(tx_buffer);

	/* MQTT transport configuration */
	struct mqtt_sec_config *tls_cfg = &(client->transport).tls.config;
	static sec_tag_t sec_tag_list[] = { CONFIG_MQTT_TLS_SEC_TAG };

	LOG_INF("TLS enabled");
	client->transport.type = MQTT_TRANSPORT_SECURE;

	tls_cfg->peer_verify = TLS_PEER_VERIFY_NONE;
	tls_cfg->cipher_count = 0;
	tls_cfg->cipher_list = NULL;
	tls_cfg->sec_tag_count = 0;
	tls_cfg->sec_tag_list = NULL;
	tls_cfg->hostname = CONFIG_MQTT_BROKER_HOSTNAME;

	tls_cfg->session_cache = IS_ENABLED(CONFIG_MQTT_TLS_SESSION_CACHING) ?
					    TLS_SESSION_CACHE_ENABLED :
					    TLS_SESSION_CACHE_DISABLED;

	return err;
}

When I use 9160DK, mqtts is connected normally. But when using the 9160 chip, there is an error in the connection. Here is my log:

[00:00:00.243,316] [0m<inf> main: Connecting to LTE network.[0m
[00:00:00.243,316] [0m<inf> main: This may take several minutes.[0m
[00:00:00.243,377] [0m<inf> flash_control: No apn found, use default apn[0m
[00:00:00.249,908] [0m<inf> main: Set to the default APN CMNBIOT2.[0m
[00:00:00.258,087] [0m<inf> lte_lc: Using legacy LTE PCO mode...[0m
[00:00:02.258,117] [0m<inf> main: CSCON : 1[0m
[18:48:50.833]收←◆[00:00:04.283,386] [0m<inf> main: Connected to LTE network.[0m

[00:00:04.286,163] [0m<inf> mqtt_engine: IPv4 Address found 47.106.164.80[0m
[00:00:04.286,193] [0m<inf> mqtt_engine: TLS enabled[0m
[00:00:04.286,468] [0m<dbg> net_mqtt_sock_tls.mqtt_client_tls_connect: (0x20015220): Created socket 1[0m
[00:00:04.660,552] [1;31m<err> mqtt_engine: mqtt_connect -45[0m
[00:00:04.660,583] [1;31m<err> mqtt_engine: ERROR: mqtt_disconnect -57[0m

-45 is EOPNOTSUPP, and typically indicates that you have written wrong certificates to the device. But I had peer_verify set to 0. Why is there a -45 error?

Top Replies

Parents

0 Heidi over 4 years ago

Hi!

So when running the application on the nRF9160 DK it is able to establish a connection, but when using your custom board it is not? In this case, could you provide the schematics from the board so your HW engineers can take a look?

You are correct, when Peer Verification is disabled the error -45 most likely does not mean there is something wrong with the certificates. -45 just means EOPNOTSUPP 45 /**< Operation not supported */ so it can come from other issues as well.

I would also like a modem trace from when the connection fails. To take a modem trace, enable "CONFIG_NRF_MODEM_LIB_TRACE_ENABLED" in your application and flash it to the board. Then open the Trace Collector application in nRF Connect for Desktop and "Start Capture" while the application is running. The trace file size should increase if everything is working properly.

Best regards,

Heidi
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 xinjiang over 4 years ago in reply to Heidi

I reproduced this phenomenon on another DK board. Attached is the captured modem info.0535.trace-2021-04-13T01-58-55.612Z.bin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 xinjiang over 3 years ago in reply to Heidi

This is the modem information I re-crawled. Can you analyze what went wrong?1348.trace-2021-04-28T02-21-08.402Z.bin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Heidi over 3 years ago in reply to xinjiang

Hi!

From the modem trace and the return of %CMNG it looks like there is a Root CA stored in sec_tag 24 and sec_tag 16842753 but the TLS connection is trying to be establishing using sec_tag 1, where there is no root certificate.

Try using the correct sec_tag in your application, and the modem should be able to find the root certificate.

Best regards,

Heidi
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel
0 xinjiang over 3 years ago in reply to Heidi

I wrote the root certificate in sec_tag 1 of the problematic DK, and the mqtt connection succeeded. I really appreciate your help.

But I still have a question. Normal DK does not have a root certificate stored in seg 1. Why can this normal DK connect successfully?

Like this

Unfortunately, my custom board still reported -45 error after writing the root certificate in sec_tag 1. After setting peer_verify to 0, will the sec_tag used by each board be different?

I don't know where to write the root certificate of the custom board to ensure a successful connection. Can you help me analyze the modem info of the custom board?trace-2021-05-06T03-31-54.133Z.bin

trace-2021-05-07T11-27-12.676Z.bin
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Heidi over 3 years ago in reply to xinjiang

Hi!

xinjiang said:
Why can this normal DK connect successfully?

My guess is there's some subtle difference in the set-up or app running on this DK. What's the return of %CMNG in the "normal" DK?

From the trace, I can see that the TLS connection is trying to open using the root certificate in sec_tag 1. Try to run %CMNG to see if the certificate actually gets written.

In the meantime, I'll have our modem experts take a look at the trace as well.

Best regards,

Heidi
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 xinjiang over 3 years ago in reply to Heidi

Hi!

This is the certificate stored in the "normal" DK and trace. It can connect to tls normally.trace-2021-05-12T01-59-10.472Z.bin

*** Booting Zephyr OS build v2.4.99-ncs1  ***
The AT host sample started

AT+CGMR
mfw_nrf9160_1.3.0
OK

AT%CMNG=1
%CMNG: 0,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 0,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 0,6,"0606060606060606060606060606060606060606060606060606060606060606"
%CMNG: 6123,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 16842753,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842753,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 16842753,2,"0202020202020202020202020202020202020202020202020202020202020202"
%CMNG: 16842754,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842754,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 16842754,2,"0202020202020202020202020202020202020202020202020202020202020202"
%CMNG: 35724859,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 35724859,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 35724861,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 35724861,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 35724862,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 35724862,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 4294967293,10,"0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A"
%CMNG: 4294967292,11,"0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"
OK

AT%CMNG=1,1
OK

This is the certificate stored in the custom board. I have a certificate written in sec_tag 1 and I am currently in trouble.

[10:05:37.543]收←◆*** Booting Zephyr OS build v2.4
[10:05:37.574]收←◆.99-ncs1  ***
The AT host sample started

[10:05:58.792]发→◇AT%CMNG=1
□
[10:05:58.804]收←◆%CMNG: 0,6,"0606060606060606060606060606060606060606060606060606060606060606"
%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 1,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 1,2,"0202020202020202020202020202020202020202020202020202020202020202"
%CMNG: 24,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842753,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842753,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 16842753,2,"0202020202020202020202020202020202020202020202020202020202020202"
OK

[10:06:23.139]发→◇AT%CMNG=1,1
□
[10:06:23.160]收←◆%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 1,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 1,2,"0202020202020202020202020202020202020202020202020202020202020202"
OK

[10:06:51.981]发→◇AT%CMNG=2,1,0
□
[10:06:52.004]收←◆%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000","-----BEGIN CERTIFICATE-----MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUAA4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUsN+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5-----END CERTIFICATE-----"
OK

[10:06:56.235]发→◇AT%CMNG=2,1,1
□
[10:06:56.250]收←◆ERROR

[10:07:12.214]发→◇AT%CMNG=2,1,2
□
[10:07:12.233]收←◆ERROR

Reply

0 xinjiang over 3 years ago in reply to Heidi

Hi!

This is the certificate stored in the "normal" DK and trace. It can connect to tls normally.trace-2021-05-12T01-59-10.472Z.bin

*** Booting Zephyr OS build v2.4.99-ncs1  ***
The AT host sample started

AT+CGMR
mfw_nrf9160_1.3.0
OK

AT%CMNG=1
%CMNG: 0,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 0,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 0,6,"0606060606060606060606060606060606060606060606060606060606060606"
%CMNG: 6123,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 16842753,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842753,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 16842753,2,"0202020202020202020202020202020202020202020202020202020202020202"
%CMNG: 16842754,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842754,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 16842754,2,"0202020202020202020202020202020202020202020202020202020202020202"
%CMNG: 35724859,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 35724859,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 35724861,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 35724861,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 35724862,3,"0303030303030303030303030303030303030303030303030303030303030303"
%CMNG: 35724862,4,"0404040404040404040404040404040404040404040404040404040404040404"
%CMNG: 4294967293,10,"0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A"
%CMNG: 4294967292,11,"0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"
OK

AT%CMNG=1,1
OK

This is the certificate stored in the custom board. I have a certificate written in sec_tag 1 and I am currently in trouble.

[10:05:37.543]收←◆*** Booting Zephyr OS build v2.4
[10:05:37.574]收←◆.99-ncs1  ***
The AT host sample started

[10:05:58.792]发→◇AT%CMNG=1
□
[10:05:58.804]收←◆%CMNG: 0,6,"0606060606060606060606060606060606060606060606060606060606060606"
%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 1,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 1,2,"0202020202020202020202020202020202020202020202020202020202020202"
%CMNG: 24,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842753,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 16842753,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 16842753,2,"0202020202020202020202020202020202020202020202020202020202020202"
OK

[10:06:23.139]发→◇AT%CMNG=1,1
□
[10:06:23.160]收←◆%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000"
%CMNG: 1,1,"0101010101010101010101010101010101010101010101010101010101010101"
%CMNG: 1,2,"0202020202020202020202020202020202020202020202020202020202020202"
OK

[10:06:51.981]发→◇AT%CMNG=2,1,0
□
[10:06:52.004]收←◆%CMNG: 1,0,"0000000000000000000000000000000000000000000000000000000000000000","-----BEGIN CERTIFICATE-----MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsFADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXjca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qwIFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQmjgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUAA4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDIU5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUsN+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vvo/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpyrqXRfboQnoZsG4q5WTP468SQvvG5-----END CERTIFICATE-----"
OK

[10:06:56.235]发→◇AT%CMNG=2,1,1
□
[10:06:56.250]收←◆ERROR

[10:07:12.214]发→◇AT%CMNG=2,1,2
□
[10:07:12.233]收←◆ERROR

Children

0 Heidi over 3 years ago in reply to xinjiang

Hi!

So after looking at the modem trace, we can see that the modem returns error code 102 which means "Certification parse error".

In this case, you are using the certificate in sec_tag = 1 to open the TLS session, but it looks like certificate type 1 (i.e client certificate) is tried to load instead of root CA.

You need to make sure that the correct type of certificates are stored in the modem filesystem.

And make sure that the certificate is valid and stored in the correct format in the modem. I.e check that there isn't a client certificated stored with type "Root CA Certificate".

Best regards,

Heidi
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 xinjiang over 3 years ago in reply to Heidi

Which modem trace? "normal" DK trace?

"Normal" DK does not store certificates in sec_tag 1, why can it do TLS connection?

I.e check that there isn't a client certificated stored with type "Root CA Certificate".

Do you mean to store Root CA in certificate type 1 and sec_tag 1?

I followed this method, but it didn’t solve the problem .
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Heidi over 3 years ago in reply to xinjiang

The modem trace from the custom board.

Your certificates aren't stored with the correct type. The root CA needs to be stored as type 0. Right now, a client certificate is stored as a root CA which is why the TLS connection is failing.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel
0 xinjiang over 3 years ago in reply to Heidi

Yes, you are right! I changed a CA certificate and successfully connected. Thanks.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Heidi over 3 years ago in reply to xinjiang

That's good to hear!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel