
HTTPS client connect fails with Error 45 with 1nce sim card in France

Hi,

I used 3HK sim card on NB-IoT in Hong Kong, and I could run GET and POST instructions to any cloud with the right certificate.

Recently, I moved to France, and I switched to 1nce MVNO and now the connection fails with error 45. The certificate hasn't changed.

We also tried to connect to Google, using the Google certificate. That also fails. TLS socket setup with the TLS_HOSTNAME option with host google.com didn't help either.

ncs 1.5.1
modem fw 1.2.3


Attached are the build files and the modem trace.

Could you help on this urgent matter, please?

Saketaram

https_client.7z

  • Hi Heidi, 

    Here is the code snippet:

    static int modem_cert_provision(void)
    {
        int err;
        bool exists;
        uint8_t unused;

        err = modem_key_mgmt_exists(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, &exists, &unused);
        if (err)
        {
            printk("Failed to check for certificates. Error : %d\r\n", err);
            return err;
        }

        if (exists)
        {
            printk("Certificate ");
            /* Let's compare the existing credential */
            err = modem_key_mgmt_cmp(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, sta_cert, sizeof(sta_cert) - 1);
            printk("%s\r\n", err ? "mismatch" : "match");
            if (!err)
            {
                return 0;
            }
        }

        /* Provision certificate to the modem */
        err = modem_key_mgmt_write(TLS_SEC_TAG, MODEM_KEY_MGMT_CRED_TYPE_CA_CHAIN, sta_cert, sizeof(sta_cert) - 1);
        if (err)
        {
            printk("Failed to provision certificate. Error : %d\r\n", err);
            return err;
        }

        return 0;
    }

  • Hi Heidi,

    I am wondering:

    1/ How do the modem_key_mgmt_exists and modem_key_mgmt_cmp APIs perform?

    2/ Why does the https_client sample delete and write the certificate again?
    What is the point of doing this on every reboot? Root certificates do not change often. That's a waste of resources.

    3/ What does this comment mean? Does this log show a way out of this issue?
    /* For the sake of simplicity we delete what is provisioned
     * with our security tag and reprovision our certificate.
     */

  • Hi again, 

    I'm not able to connect to example.com with the certificate located in the application you provided either. However, when using the certificate located in https_client NCS v1.5.1 called "DigiCertGlobalRootCA.pem", I am able to connect, so could you try that?

    To debug the modem_key_mgmt_cmp issue, please add the following code snippet after line 19 (printk mismatch, match) and show me the output. I'm not able to reproduce it, the function fails when the certificate doesn't exist in the modem.

    enum at_cmd_state state = AT_CMD_OK;
    char at_response[CONFIG_AT_CMD_RESPONSE_MAX_LEN];
    /* Send the key-management list command and capture the modem's response. */
    at_cmd_write(MODEM_KEY_MGMT_OP_LS, at_response, sizeof(at_response), &state);
    printk("Result from %s is %s\n", MODEM_KEY_MGMT_OP_LS, at_response);
    if (state != AT_CMD_OK) {
        printk("Error from at_cmd_write: %d\n", state);
    }

    1) How do the modem_key_mgmt_exists and modem_key_mgmt_cmp API perform?

    You can take a look at the implementation in modem_key_mgmt.c

    Regarding question 2 and 3, I can ask the developer why they chose to implement it like this. But, yes, if you just make sure to provision the certificate every time it might help the issue. However, try with the correct certificate first.

    Best regards,

    Heidi
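
As an added example (not code from this thread or from the NCS sources), here is one way to read the credential listing that the debug snippet above prints, on a host, and decide whether the CA chain at a security tag still needs provisioning. It assumes list lines of the form `%CMNG: <sec_tag>,<type>,"<digest>"` with type 0 for the CA chain; the names `cmng_find` and `ca_needs_provisioning`, the tag 42 and the digests are hypothetical, constructed values.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CA_CHAIN_TYPE 0 /* assumption: type 0 marks the root CA chain */
#define D8(x) x x x x x x x x
#define DIGEST_A D8("A1A1A1A1") /* constructed 64-character digest */
#define DIGEST_B D8("B2B2B2B2") /* constructed 64-character digest */

/* Constructed listing: security tags and digests are invented for this example. */
static const char SAMPLE_LIST[] =
	"%CMNG: 42,0,\"" DIGEST_A "\"\r\n"
	"%CMNG: 42,2,\"" DIGEST_B "\"\r\n"
	"%CMNG: 4242,0,\"" DIGEST_B "\"\r\n"
	"OK\r\n";

/* Find (sec_tag, type) in a listing and copy its digest to out.
 * Returns 1 if found, 0 if no such entry, -1 if the entry is malformed. */
int cmng_find(const char *resp, long sec_tag, int type, char *out, size_t out_len)
{
	const char *p = resp;
	while ((p = strstr(p, "%CMNG: ")) != NULL) {
		long tag;
		int t, off = 0;
		p += strlen("%CMNG: ");
		/* %n records where the digest starts, only if the opening quote matched */
		if (sscanf(p, "%ld,%d,\"%n", &tag, &t, &off) < 2 || tag != sec_tag || t != type) {
			continue;
		}
		size_t n = off ? strcspn(p + off, "\"\r\n") : 0;
		if (off == 0 || n == 0 || p[off + n] != '"' || n >= out_len) {
			return -1; /* no digest, unterminated quote, or digest too long */
		}
		memcpy(out, p + off, n);
		out[n] = '\0';
		return 1;
	}
	return 0;
}

/* 1 = CA chain missing, unreadable or different (provision it); 0 = already present. */
int ca_needs_provisioning(const char *resp, long sec_tag, const char *expected)
{
	char digest[65];
	int rc = cmng_find(resp, sec_tag, CA_CHAIN_TYPE, digest, sizeof(digest));
	return rc != 1 || strcasecmp(digest, expected) != 0;
}

int main(void)
{
	printf("provision CA: %s\n", ca_needs_provisioning(SAMPLE_LIST, 42, DIGEST_A) ? "yes" : "no");
}
```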
