nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Øyvind — Mon, 11 Jul 2022 06:43:40 GMT

[quote user="mincher"] [00:01:46.104,125] <err> mqtt_simple: mqtt_+CEREG: 2,"3A66","02DD5905",7,0,9 connect -115 [/quote]

From the CEREG response we can see that your device is rejected by the network (https://telecompedia.net/lte-release-causes/)

Cause #9 – UE identity cannot be derived by the network.

This EMM cause is sent to the UE when the network cannot derive the UE’s identity from the GUTI/S-TMSI/P-TMSI and RAI e.g. no matching identity/context in the network or failure to validate the UE’s identity due to integrity check failure of the received message.

We will need to see more via the modem trace.

Regarding the errno -12. Have you increased the memory in mqtt_simple? From nrf\samples\nrf9160\mqtt_simple\prj.conf

# Memory
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_HEAP_MEM_POOL_SIZE=2048

Kind regards,
Øyvind

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Richard W Mincher — Sat, 09 Jul 2022 00:42:47 GMT

After doing a lot more trial and error (comparing source code and configs) it appears that we can get the failing code to work if we build for a non-debug configuration. If I build for a debug configuration I get random failures. This is unfortunate.

Is this an indication of some issue? Stack? Heap? Optimization timing? I'm hoping we can resolve debugging -- I'm use to debugging with print and gpio lines, but having a debugger (either in VC or Ozone) is a big plus.

FYI, we are using SDK 2.0.0, and modem firmware 1.3.2 (the latest).

Thanks.

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Richard W Mincher — Fri, 08 Jul 2022 22:18:09 GMT

I'll take a look at the ticket you reference above and see if I can figure out how to get tracing to work with the feather board.

In the meantime, we seem to have enabled some modem debugging messages. Are these messages useful? You can see the -12 failures from the client in there.

LTE Link Connecting...+CEREG: 2,"8B3B","0A141511",7
+CSCON: 1
+CEREG: 5,"8B3B","0A141511",7,,,"00100011","00101000"
+CEDRXP: 4,"1001","1001","0001"
LTE Link Connected![00:01:27.160,888] <inf> mqtt_simple: The MQTT simple sample started
[00:01:28.102,325] <inf> mqtt_simple: IPv4 Address found 5.196.95.208
[00:01:28.109,222] <dbg> mqtt_simple: client_id_get: client_id = xyzzy.hello.world
[00:01:28.117,187] <inf> mqtt_simple: TLS enabled
+CSCON: 0
+CEREG: 5,"8B3B","0A150111",7,,,"00100011","00101000"
+CSCON: 1
+CSCON: 0
+CEREG: 2
+CEREG: 5,"8B3B","0A141511",7,,,"00100011","00101000"
+CEREG: 5,"8B3B","0A150111",7,,,"00100011","00101000"
+CSCON: 1
+CSCON: 0
+CEREG: 2
+CEREG: 2,"3A66","02DD5905",7
+CSCON: 1
[00:01:46.104,125] <err> mqtt_simple: mqtt_+CEREG: 2,"3A66","02DD5905",7,0,9
connect -115
[00:01:46.113,342] <inf> mqtt_simple: Reconnecting in 60 seconds...
+CSCON: 0
+CEREG: 2,"3A66","02DD5904",7
+CSCON: 1
+CEREG: 5,"3A66","02DD5904",7,,,"11100000","11100000"
+CEDRXP: 4,"1001","",""
+CSCON: 0
+CSCON: 1
+CSCON: 0
+CEREG: 5,"3A66","02DD5905",7,,,"11100000","11100000"
+CEREG: 5,"3A66","02DD5904",7,,,"11100000","11100000"
+CSCON: 1
+CSCON: 0
+CEREG: 5,"3A66","02DD5905",7,,,"11100000","11100000"
+CSCON: 1
+CSCON: 0
+CSCON: 1
[00:02:57.253,051] <err> mqtt_simple: mqtt_connect -12
[00:02:57.258,880] <inf> mqtt_simple: Reconnecting in 60 seconds...
+CSCON: 0
+CEREG: 5,"3A66","02DD5904",7,,,"11100000","11100000"
+CSCON: 1
+CSCON: 0
+CEREG: 5,"3A66","02DD5905",7,,,"11100000","11100000"
+CSCON: 1
+CSCON: 0
+CEREG: 5,"3A66","02DD5904",7,,,"11100000","11100000"
+CSCON: 1
[00:04:08.701,690] <err> mqtt_simple: mqtt_connect -12
[00:04:08.707,519] <inf> mqtt_simple: Reconnecting in 60 seconds...
+CSCON: 0

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Øyvind — Fri, 08 Jul 2022 08:45:02 GMT

Sorry to hear about this frustration.

[quote user="mincher"]Any suggestions on how to debug this? How to get more information from the system as to what's going on?[/quote]

Yes, we will need to see a modem trace captured with the Trace Collector v2. Make sure to follow instructions and reset device after starting the trace collector. What modem FW and nRF Connect SDK version are you working on?

[quote user="mincher"]rrors -12, -111, -116, and -104 after some period of trying to connect to the server.[/quote]

When do you get the errors? From nrfxlib\nrf_modem\include\nrf_errno.h

#define NRF_ENOMEM 12 /**< Not enough space */

#define NRF_ECONNRESET 104 /**< Connection reset */

#define NRF_ECONNREFUSED 111 /**< Connection refused */

#define NRF_ETIMEDOUT 116 /**< Connection timed out */

Are you able to share more information on you configuration? I found this support ticket regarding ENOMEM and ECONNRESET when connecting to MQTT.

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Richard W Mincher — Fri, 08 Jul 2022 06:39:03 GMT

Another oddity. We modified the MQTT sample to configure it for TLS as described 9 hours ago.

We took the code that connected to port 8884 and the proj.cnf file and merged it into our working code (with GPS, I2C, SPI Flash, etc.) and we can not connect to test.mosquitto.org on port 8884. We seem to get random errors. Errors -12, -111, -116, and -104 after some period of trying to connect to the server.

Any suggestions on how to debug this? How to get more information from the system as to what's going on?

Back to frustrated...

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Richard W Mincher — Thu, 07 Jul 2022 21:42:46 GMT

We were able to configure the CA, device public cert (signed by mosquito), and device private key (generated locally by openssl) using the Certificate Manager in the LTE Link Monitor and get it to connect to mosquitto's port 8884.

We tried using what we thought was the correct interface (modem_key_mgmt_write) to programmatically set the above information but that did not work. No error was returned. Is that expected to be in PEM format or does it need to be the un-base64'd binary of the key/cert?

I read the comments about using the link manager to pre-program the security information, but did want to understand how to do it programmatically.

We also tried connecting to port 8887 which has an intentionally expired certificate and using the verify_peer set to 2 (required) it doesn't fail, which I would expect. How can I turn on logging in the modem or TLS so I can see why the expired certificate is not being flagged.

Thank you.

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Øyvind — Wed, 06 Jul 2022 11:59:52 GMT

Hello,

Have a look at the TLS/DTLS configuration chapter in the modem library documentation. You can also provision certificates in the Certificate Manager found in the LTE Link Monitor. Both issue AT command CMNG to provision certs.

The AWS IoT uses Root CA, Client certificate and private key as described in the AWS IoT library documentation. When provisioning certificates to your board it is important to use correct sec_tag and then refer to this in the MQTT sample with CONFIG_MQTT_TLS_SEC_TAG

Let me know how that works for you

Kind regards
Øyvind

RE: nrf9160 mqtt simple example configured to talk to test.mosquitto.org using mutual TLS on port 8884?

Richard W Mincher — Wed, 06 Jul 2022 07:53:38 GMT

Decided to look at the aws_iot code as a reference to what needed to be done. Took the certificate provisioning code and put in the private key I generated and the CA file referenced on test.mosquitto.org (mosquitto.org.crt (PEM format)). Not sure what to use for the server certificate. And not sure what to do with the signed certificate I got back from mosquito via https://test.mosquitto.org/ssl/ Also set the port to 8884.

When I try to connect I get a -111 error (connection refused).

The certificates are in proper PEM format.

Any suggestions on how to get this working?

Thanks.