
nrf9160 https certificate

I am using the https fota, aws sample OK.

tested the AWS certificate via Linux PC this way: 

openssl s_client -connect kamacodeetrog.s3.us-east-2.amazonaws.com:443

now I want to move the app_update.bin to my server

https://esr.etrogsystems.com/static/mqtt_updateapp_update.bin

so, I tested the server and got the certificate:

openssl s_client -connect esr.etrogsystems.com:443

so in the HTTP FOTA example I used the server name as:

esr.etrogsystems.com

and file name as: static/mqtt_update/app_update.bin

however I get a certificate error.

what am I missing?

  • What sample did you use, HTTPS Client or AWS FOTA? Can you please provide the full output from your device?

    Under the AWS FOTA documentation you will find CLOUD_CERT_SEC_TAG, the security tag under which the certificate is stored. You need to configure this in your prj.conf along with CONFIG_PROVISION_CERTIFICATES.

    The Kconfig states:

    config PROVISION_CERTIFICATES
    	depends on !USE_NRF_CLOUD
    	bool "Provision certificates from the certificates.h file"
    	select MODEM_KEY_MGMT
    	default n
    	help
    	  If enabled, the sample provisions server certificates into
    	  the modem by storing the certificates defined in the
    	  certificates.h file in the modem under the given security tag.
    	  Use this option only once to provision the device.
    	  The certificates are stored in the application binary and are
    	  therefore shown in the modem trace information. This is a
    	  security risk. After provisioning the certificates, turn off
    	  this option and compile and program the sample again.
    	  Also, do not share the binary that includes the compiled
    	  certificates with anyone.
    
    config CLOUD_CERT_SEC_TAG
    	depends on !USE_NRF_CLOUD
    	int "Security tag for TLS credentials"
    	default 12345678

    CONFIG_PROVISION_CERTIFICATES=y
    CONFIG_CLOUD_CERT_SEC_TAG=nn

  • I did the following steps: 

    1. used example "http_application_update"

    2. tested with AWS bucket, worked well

    3. did the following to get my server cert: 

    openssl s_client -connect esr.etrogsystems.com:443

    took the certificate data:

    "-----BEGIN CERTIFICATE-----\n"

    .......

    "-----ENDCERTIFICATE-----\n"

    replaced the content of the file

    modified the following prj.conf parameters:

    CONFIG_DOWNLOAD_HOST="esr.etrogsystems.com"
    CONFIG_DOWNLOAD_FILE="static/mqtt_update/app_update.bin"

    in the project configuration I do not have "CLOUD_CERT_SEC_TAG"

  • Thank you for clarifying what sample you were using.

    I suggest making this ticket private in order for you to share your certificate. Also, please share full output from application. 

    In the following function, you see that SEC_TAG is used:

    static void update_start(void)
    {
    	int err;
    	char *apn = NULL;
    
    	err = fota_download_start(CONFIG_DOWNLOAD_HOST, CONFIG_DOWNLOAD_FILE,
    				  SEC_TAG, apn, 0);
    	if (err != 0) {
    		update_sample_done();
    		printk("fota_download_start() failed, err %d\n", err);
    	}
    }

    This is defined as follows in update.h:

    #define TLS_SEC_TAG 42
    
    #ifndef CONFIG_USE_HTTPS
    #define SEC_TAG (-1)
    #else
    #define SEC_TAG (TLS_SEC_TAG)
    #endif

    Have you verified that your certificates have been provisioned correctly to the modem? Please see modem key management documentation.

    Kind regards,
    Øyvind

  • Hello 

    1. using the AT commands I can see the certificate deployed OK.

    2. with AWS this is very surprising behaviour: even if I change the certificate, the FOTA still works OK.

    3. with my server it doesn't work.

    also from the code messages are very clear:

    certificate deployed OK: "Provisioning certificate"

    TLS verification fails: "download_client: No security tag provided for TLS/DTLS."

    please advise
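The step the thread keeps coming back to is turning the output of `openssl s_client` into the `"...\n"` string-literal lines that certificates.h expects, and picking the right certificate out of the chain. The script below is an added example, not code from the thread or from the nRF Connect SDK. Its sample chain is a constructed placeholder (not a real certificate); the hostname in the comment is the one from the thread, and the function names are this example's own. It keeps only the last certificate the server sent (the highest CA in the chain) and emits it in the certificates.h layout.

```shell
# Added example (not from the original thread or the nRF Connect SDK):
# turn the chain that "openssl s_client -showcerts" prints into the
# string-literal lines that certificates.h expects. The chain below is a
# constructed placeholder, not a real certificate; for a live run replace
# it with the output of:
#   openssl s_client -connect esr.etrogsystems.com:443 -showcerts </dev/null 2>/dev/null
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
AAAAleafplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBBBissuerplaceholder
CCCCissuerplaceholder
-----END CERTIFICATE-----'

# Count PEM certificates on stdin.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Keep only the last certificate on stdin. s_client prints the leaf first,
# so the last one is the highest CA the server sent. Many servers omit the
# self-signed root; if the last certificate here is only an intermediate,
# take its issuer from your CA bundle instead of provisioning the leaf.
extract_last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { buf = "" }
        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { last = buf }
        END { printf "%s", last }
    '
}

# Wrap every line as a C string literal ending in \n, the layout used in
# certificates.h. Backslashes and quotes are escaped defensively; PEM text
# never contains them, but this keeps the output a valid C literal.
pem_to_c() {
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/^/"/' -e 's/$/\\n"/'
}

# Full pipeline: chain in, certificates.h-ready lines out.
chain_to_c_literal() {
    extract_last_cert | pem_to_c
}

printf '%s\n' "$SAMPLE_CHAIN" | chain_to_c_literal
```

Two checks are worth doing before blaming the certificate itself. First, the update.h excerpt above sets SEC_TAG to (-1) unless CONFIG_USE_HTTPS is defined, so the credential must be provisioned under TLS_SEC_TAG (42) and that option must be enabled, otherwise the download client has no tag to use at all. Second, compare what the modem actually holds (the credential listing the modem exposes over AT, AT%CMNG=1 in the modem AT command reference) against the output of this script, line for line, so that a truncated or mis-footered PEM is caught before the TLS handshake is.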
