HTTPS POST not working in SLM

RE: HTTPS POST not working in SLM

TC — Thu, 10 Feb 2022 14:40:54 GMT

Just works by upgrade mfw FW from 1.2.3 to 1.3.1.

Thanks!!

RE: HTTPS POST not working in SLM

Håkon Alseth — Thu, 10 Feb 2022 12:18:08 GMT

Hi,

[quote user="Tommy C. Liu"]For issue the ISRG root x1 instead of the default digicert, did yiu mean use https://letsencrypt.org/certs/isrgrootx1.pem as CA cert?
Yes, I try but still same.[/quote]

Yes, this is the one I used with https_client and SLM.

[quote user="Tommy C. Liu"]You also mention "Could it be that you're connecting locally to that server?"
Is that mean the local operator for LTE-M network may has conneting issue, just like firewall something else?[/quote]

I was more thinking about the openssl command that you issued, and got a different result than me.

[quote user="Tommy C. Liu"]1. What's your SLM version and mfw version?[/quote]

mfw v1.3.1 and ncs v1.9.0-rc1

[quote user="Tommy C. Liu"]2. How to check the current mfw ver?[/quote]

You can issue AT+CGMR to query the modem fw version.

[quote user="Tommy C. Liu"]3. which network operator you are cnnect to?[/quote]

Telenor is my local network operator.

Kind regards,

Håkon

RE: HTTPS POST not working in SLM

TC — Thu, 10 Feb 2022 12:06:30 GMT

That was more clear it's not about CA issue.
I'll try to let trace collector works first and check wha't going on.

Just want to sync few information with your side:
1. What's your SLM version and mfw version?
2. How to check the current mfw ver?
3. which network operator you are cnnect to?

Thanks.

RE: HTTPS POST not working in SLM

Håkon Alseth — Thu, 10 Feb 2022 11:29:54 GMT

Hi,

With https_client, changed the hostname to match your wanted host.

And issued the X1 root CA:

https://letsencrypt.org/certs/isrgrootx1.pem

this is the output:

*** Booting Zephyr OS build v2.7.99-ncs1-rc1  ***
HTTPS client sample started
Certificate mismatch
Provisioning certificate
Waiting for network.. OK
Connecting to gateway.dev.jawbonehealth.com
Sent 79 bytes
Received 267 bytes

>        HTTP/1.1 401 Unauthorized

Finished, closing socket.

Similar with SLM (reused sec_tag 42, which has X1 CA):

AT#XHTTPCCON=1,"gateway.dev.jawbonehealth.com",443,42

#XHTTPCCON: 1

OK

AT#XHTTPCREQ="GET","/get?foo1=bar1&foo2=bar2",""

OK

#XHTTPCREQ: 0

#XHTTPCRSP:0,1

#XHTTPCRSP:0,1

Kind regards,

Håkon

RE: HTTPS POST not working in SLM

TC — Thu, 10 Feb 2022 10:39:24 GMT

For issue the ISRG root x1 instead of the default digicert, did yiu mean use https://letsencrypt.org/certs/isrgrootx1.pem as CA cert?
Yes, I try but still same.

You also mention "Could it be that you're connecting locally to that server?"
Is that mean the local operator for LTE-M network may has conneting issue, just like firewall something else?

Thanks

RE: HTTPS POST not working in SLM

TC — Thu, 10 Feb 2022 09:44:58 GMT

Hi
I just found the different openssl version may cause the different result, I can get the similar result with yours in another computer.
So, looks like server return 3 CA certs, and, I can pick either one for CA certificate in sec_tag, right?
If it is, would you mind to try in your side for AT#XHTTPCCON=1,"gateway.dev.jawbonehealth.com",443,sec_tag?
I believe I already try those CA certs but still not connected.

Thanks

RE: HTTPS POST not working in SLM

Håkon Alseth — Thu, 10 Feb 2022 09:27:53 GMT

Hi,

Could it be that you're connecting locally to that server?

Here's what I get when I run the exact same command:

openssl s_client -showcerts -connect gateway.dev.jawbonehealth.com:443 
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = gateway.dev.jawbonehealth.com
verify return:1
---
Certificate chain
 0 s:CN = gateway.dev.jawbonehealth.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFPzCCBCegAwIBAgISBO1MWjgNpXaRpyo3l6wOly7JMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjAxMDMxNDE4MDRaFw0yMjA0MDMxNDE4MDNaMCgxJjAkBgNVBAMT
HWdhdGV3YXkuZGV2Lmphd2JvbmVoZWFsdGguY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA0O4zwyRhnnhXJ2Lqnhw2ft/6h/cxG7e6e9pC9Dc1I2q7
4pWwuMDv/FREC7oZSRjMwTpO6NV6mGflAqGe8qirECd+R4Mts5eiu9BbSnuaXq6R
PLGyMVlnea0ERrVpIC/319h690plfqza2AhGtmkE1bUrfn4hJH8xH6FaTC7WDxw7
vQbjpn17LbvxRk06aZuMmKJqrZKQwHhsOs7ZPUFF2pnVgmZSeRtVmhU02eNnBPIL
bnoOeNW1FmTsnPx2ZxcKTtBsCKJ1kzVmqVlInzKMerFkl/0Nkncoig9qgcq2fE7V
Mb8/Vi6nN0wZ5wfhdEoqrpuOu08wwXcp0xzTVsQXGwIDAQABo4ICVzCCAlMwDgYD
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNV
HRMBAf8EAjAAMB0GA1UdDgQWBBSiRJQ5P91QYAh5/389QkYvldycFTAfBgNVHSME
GDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB
BQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov
L3IzLmkubGVuY3Iub3JnLzAoBgNVHREEITAfgh1nYXRld2F5LmRldi5qYXdib25l
aGVhbHRoLmNvbTBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQMGCisG
AQQB1nkCBAIEgfQEgfEA7wB1AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBE
XCpzAAABfiCE2iQAAAQDAEYwRAIgIXeUAKAF1dmXa0pcp1GJPgoZ6JyeL+ZWJYiA
ZUvoVEACID2z4Uz94ZlMk5B/B17d5pP3iCJJ84MgMWGhjjeBw1pBAHYARqVV63X6
kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF+IITaSAAABAMARzBFAiAAtKfH
/vkKX349mIa52rJ8kCysymCUM/hv+MQaFQW76QIhAOw7uHryLbu8QftkEISBXdvd
PGEk/oy9gG6zfbRA8sw9MA0GCSqGSIb3DQEBCwUAA4IBAQAU2iCt5bnwIiZqMLZ3
QUDI4bqsnHwrX0j5scYACwaS7mg3r4Sl9XJJLIlMqvvsNskbljK17KtNb++iT8KY
d4M1hn4vHZQIpl8UvrvrABearikPms1SgVerS/ckPPE6XGha5anB6yrow7DFRAxe
77d5od0sRW2q77/sPgqnbLtyFKMnw2SsrzGWaNCu7agccLo3+0FZMH8adN4TwXBp
3rWy4TSRt1ilE57PHKhcsffr6GqV5skcrsqelIQIi9sPHEU4n+YUw/dUMuaj/mrs
VW5ti8EeuVvxGGz3SsLLUjZa4abSFBfoYktlrT3b8tEopLXe0ZYiMokZv6MrJCkD
e6Lu
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = gateway.dev.jawbonehealth.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4603 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E3EE2D025F3D2BBBEFC906ECC4C8845B9F5F5A6E35169678823EB3B7E37CDF97
    Session-ID-ctx: 
    Resumption PSK: 47FC953FC2901D28B1FCB680495CF9104C991004EC4FE53B99B7362141A8E7257448481B33BC16007F567CD971802F29
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - d6 c4 8f 9a e7 b0 38 45-2a 44 9f 95 f5 41 da 18   ......8E*D...A..
    0010 - b5 16 4f 00 8d 59 93 76-04 44 87 9d e2 31 bc cb   ..O..Y.v.D...1..

    Start Time: 1644484574
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7EE212D109C7E6CDE3912EF11AAC41DBF8889390369EA0C188C8976430409E7F
    Session-ID-ctx: 
    Resumption PSK: CD270E207A219AD3F6FBD8E5E02A16D4FDB6F5D348DB2CFCD1BF026D7852F6B7750F96FBF7259F5C14FBB06F6E182245
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 55 8e b6 2f 6d 59 91 54-03 af 67 18 15 74 0c 98   U../mY.T..g..t..
    0010 - ae 85 d7 d4 ff dc a3 0f-b1 c1 08 87 23 ce ba fd   ............#...

    Start Time: 1644484574
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

If you are having issues with SLM + modem tracing, you can try to use https_client instead and issue the ISRG root x1 instead of the default digicert.

Kind regards,

Håkon

RE: HTTPS POST not working in SLM

TC — Thu, 10 Feb 2022 06:47:28 GMT

Is it possible to run LTE TraceCollector v2 preview with LTE Link Monitor?
If not, how can I send the AT command to nRF9160.
I still can not see any trace, and the filesize in side panel not growth.

Here are steps for using trace collector:
1. program nrf9160_dk_board_controller_fw.hex to nRF52 in nRF9160DK.
2. program SLM (with CONFIG_NRF_MODEM_LIB_TRACE_ENABLED=y) to nRF91 in nRF9160DK.
3. connect nrf9160 DK in TraceCollector, then start tracing with LIVE

No trace shows in Wireshark...

I try to use openssl to get the CA cert, but AT#XHTTPCCON still not connected after update the seg_tag.
Just wonder what's the "Kubernetes Ingress Controller Fake Certificate" means in the following?

openssl s_client -showcerts -connect gateway.dev.jawbonehealth.com:443 
CONNECTED(00000005)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
   i:/O=Acme Co/CN=Kubernetes Ingress Controller Fake Certificate
-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIQfStz7642v8lUvvWCwhUJ/jANBgkqhkiG9w0BAQsFADBL
.....

RE: HTTPS POST not working in SLM

Håkon Alseth — Wed, 09 Feb 2022 15:46:54 GMT

Hi,

[quote user="Tommy C. Liu"]Is there any other tool can verify if this is a CA issue?[/quote]

I usually use openssl to see what the CA root of a specific domain is:

openssl s_client -showcerts -connect some.domain:443

To have a deeper look at what is happening on the nRF side, a modem trace or a live pcap capture using the LTE TraceCollector v2 preview can help aid the debugging process.

[quote user="Tommy C. Liu"]For create the https connection, only the CA certificate need to be update in certificate manger, right?[/quote]

That is correct.

Kind regards,

Håkon

RE: HTTPS POST not working in SLM

TC — Wed, 09 Feb 2022 15:19:18 GMT

Hi
Is there any other tool can verify if this is a CA issue?
For create the https connection, only the CA certificate need to be update in certificate manger, right?

Thanks

RE: HTTPS POST not working in SLM

Håkon Alseth — Wed, 09 Feb 2022 08:52:02 GMT

Hi,

That domain uses let's encrypt. Are you issuing ISRG Root X1 from here?

https://letsencrypt.org/certificates/

Kind regards,

Håkon

RE: HTTPS POST not working in SLM

TC — Wed, 09 Feb 2022 07:56:12 GMT

I apply our CA to certificate manager, but still CANNOT create connection.

AT#XHTTPCCON=1,"gateway.dev.jawbonehealth.com",443,5568
#XHTTPCCON: 0
ERROR

Both the example.com and goole.com were connected with it's CA.

AT#XHTTPCCON=1,"example.com",443,1234
%CESQ: 20,1,3,0
#XHTTPCCON: 1
OK

AT#XHTTPCCON=1,"google.com",443,1235
#XHTTPCCON: 1
OK

Is there any log option can debug further?

RE: HTTPS POST not working in SLM

Håkon Alseth — Tue, 08 Feb 2022 12:28:45 GMT

Hi,

When you're issuing this:

[quote user=""]AT#XHTTPCCON=1,"...",443[/quote]

It assumes that it is a http connection to a https service.

Once you send something that isn't considered https, the server closes the connection, and therefore you get the error on the next command.

If you want to run https connection, you will have to provide a sec_tag to the initial connection. You shall place your CA root for your domain in this sec_tag.

Kind regards,

Håkon