nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Is there a configuration / sample available of mqtt simple to talk to the mosquitto server using an authenticated client on port 8884?  I saw a message on here that was about 2 years old that looked like it was trying to solve the same issue, but the modified sample code does not seem to build with the latest SDK?

Mosquitto has instructions for building the private key and signing the certificate using openssl and a webpage to paste the csr into.

Thank you in advance.

  • Decided to look at the aws_iot code as a reference to what needed to be done.  Took the certificate provisioning code and put in the private key I generated and the CA file referenced on test.mosquitto.org (mosquitto.org.crt (PEM format)).  Not sure what to use for the server certificate.  And not sure what to do with the signed certificate I got back from mosquitto via https://test.mosquitto.org/ssl/  Also set the port to 8884.

    When I try to connect I get a -111 error (connection refused).

    The certificates are in proper PEM format.

    Any suggestions on how to get this working?

    Thanks.

  • Hello, 

    Have a look at the TLS/DTLS configuration chapter in the modem library documentation. You can also provision certificates in the Certificate Manager found in the LTE Link Monitor. Both issue AT command CMNG to provision certs.

    The AWS IoT sample uses the Root CA, client certificate and private key as described in the AWS IoT library documentation. When provisioning certificates to your board it is important to use the correct sec_tag and then refer to this in the MQTT sample with CONFIG_MQTT_TLS_SEC_TAG.

    Let me know how that works for you
    Kind regards
    Øyvind
  • We were able to configure the CA, device public cert (signed by mosquitto), and device private key (generated locally by openssl) using the Certificate Manager in the LTE Link Monitor and get it to connect to mosquitto's port 8884.

    We tried using what we thought was the correct interface (modem_key_mgmt_write) to programmatically set the above information but that did not work.  No error was returned.  Is that expected to be in PEM format or does it need to be the un-base64'd binary of the key/cert?

    I read the comments about using the link manager to pre-program the security information, but did want to understand how to do it programmatically.

    We also tried connecting to port 8887, which has an intentionally expired certificate, and with verify_peer set to 2 (required) it doesn't fail, which I would expect.  How can I turn on logging in the modem or TLS so I can see why the expired certificate is not being flagged?

    Thank you.

  • Another oddity.  We modified the MQTT sample to configure it for TLS as described 9 hours ago.

    We took the code that connected to port 8884 and the proj.cnf file and merged it into our working code (with GPS, I2C, SPI Flash, etc.) and we cannot connect to test.mosquitto.org on port 8884.  We seem to get random errors: -12, -111, -116, and -104 after some period of trying to connect to the server.

    Any suggestions on how to debug this?  How to get more information from the system as to what's going on?

    Back to frustrated...

  • Sorry to hear about this frustration. 

    Richard W Mincher said:
    Any suggestions on how to debug this?  How to get more information from the system as to what's going on?

    Yes, we will need to see a modem trace captured with the Trace Collector v2. Make sure to follow instructions and reset device after starting the trace collector. What modem FW and nRF Connect SDK version are you working on?

    Richard W Mincher said:
    Errors -12, -111, -116, and -104 after some period of trying to connect to the server.

    When do you get the errors? From nrfxlib\nrf_modem\include\nrf_errno.h

    #define NRF_ENOMEM 12           /**< Not enough space */
    #define NRF_ECONNRESET 104      /**< Connection reset */
    #define NRF_ECONNREFUSED 111    /**< Connection refused */
    #define NRF_ETIMEDOUT 116       /**< Connection timed out */
    Are you able to share more information on your configuration? I found this support ticket regarding ENOMEM and ECONNRESET when connecting to MQTT.
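    As an added example (not code from this thread or from Nordic's SDK) of what the Certificate Manager and modem_key_mgmt_write hand to the modem for the PEM question above: a Python helper that builds the AT%CMNG write command for each of the three credential slots under one sec_tag (the value CONFIG_MQTT_TLS_SEC_TAG must match), rejects DER or mislabelled input because the modem expects PEM text, and parses the AT%CMNG=1 listing to confirm all three slots exist before connecting. The PEM body and listing used here are constructed placeholders, not real credentials.

```python
import re

# AT%CMNG <type> values from the nRF91 AT command reference; the order matches
# modem_key_mgmt's CA_CHAIN, PUBLIC_CERT, PRIVATE_CERT credential types.
CMNG_TYPE = {"ca_chain": 0, "public_cert": 1, "private_key": 2}
# PEM armour labels accepted per slot (assumption: the usual OpenSSL labels).
PEM_LABELS = {
    "ca_chain": {"CERTIFICATE"},
    "public_cert": {"CERTIFICATE"},
    "private_key": {"PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY"},
}
_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----")

# Constructed placeholder PEM (not a real certificate), only to exercise the checks.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBc464\nQUJDREVG\n-----END CERTIFICATE-----\n"


def check_pem(kind, data):
    """Return normalised PEM text, or raise ValueError if the modem would not accept it."""
    if isinstance(data, bytes):
        if data[:1] == b"\x30":  # DER begins with an ASN.1 SEQUENCE tag, so it is not PEM
            raise ValueError(f"{kind}: DER (binary) given; the modem wants PEM text")
        data = data.decode("ascii")
    text = data.strip().replace("\r\n", "\n")
    matches = list(_BLOCK.finditer(text))
    if not matches or "\n".join(m.group(0) for m in matches) != text:
        raise ValueError(f"{kind}: not well-formed PEM text")
    bad = {m.group(1) for m in matches} - PEM_LABELS[kind]
    if bad:
        raise ValueError(f"{kind}: unexpected PEM block(s) {sorted(bad)}")
    if kind != "ca_chain" and len(matches) != 1:
        raise ValueError(f"{kind}: exactly one PEM block expected")
    return text


def cmng_write(sec_tag, kind, data):
    """Build the AT%CMNG=0 (write) command for one credential slot of sec_tag."""
    return f'AT%CMNG=0,{sec_tag},{CMNG_TYPE[kind]},"{check_pem(kind, data)}"'


def provisioned_slots(sec_tag, listing):
    """Parse the response to AT%CMNG=1,<sec_tag> into the set of <type> values present."""
    found = set()
    for line in listing.splitlines():
        m = re.match(r"%CMNG: (\d+),(\d+)", line.strip())
        if m and int(m.group(1)) == sec_tag:
            found.add(int(m.group(2)))
    return found


def missing_for_mutual_tls(sec_tag, listing):
    """Slots (CA chain, client cert, private key) still absent for mutual TLS under sec_tag."""
    return sorted(set(CMNG_TYPE.values()) - provisioned_slots(sec_tag, listing))
```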