Arduino MKR 1400 HTTPS certificate issue

Hello, I've been wanting to make my Arduino MKR 1400 connect to InfluxDB and send data there via POST.
However it seems like the InfluxDB cloud only accepts requests via HTTPS.
I implemented commands from the SSLCertificateManagement_Example.ino into GSMSSLWebClient.ino like this after adding the keys into arduino_secrets.h:

// libraries
#include <MKRGSM.h>

#include "arduino_secrets.h"
// Please enter your sensitive data in the Secret tab or arduino_secrets.h
// (keeping the SIM PIN, APN credentials, certificates and keys out of the
// sketch source itself).
// PIN Number
const char PINNUMBER[]     = SECRET_PINNUMBER;
// APN data
const char GPRS_APN[]      = SECRET_GPRS_APN;
const char GPRS_LOGIN[]    = SECRET_GPRS_LOGIN;
const char GPRS_PASSWORD[] = SECRET_GPRS_PASSWORD;

// initialize the library instance
GSMSSLClient client;  // TLS-capable TCP client used for the HTTPS request
GPRS gprs;            // packet-data attachment, see gprs.attachGPRS() in setup()
// The `true` argument turns on the library's debug mode, which prints the
// AT-command exchange with the modem on Serial.
// NOTE(review): switch this off outside of debugging; confirm whether
// certificate/key bytes written to the modem can show up in that trace.
GSM gsmAccess(true);

// Host name and port of the server to contact.
// `server` is handed to client.connect() as-is, so it has to be a bare host
// name: no "https://" scheme and no path.
char server[] = "europe-west1-1.gcp.cloud2.influxdata.com";
int port = 443; // port 443 is the default for HTTPS

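// One-time initialisation: opens the serial port, brings up the GSM/GPRS
// link, configures the TLS credentials on the client and sends a single
// HTTPS GET request. The response is relayed to Serial by loop().
void setup() {
  // initialize serial communications and wait for port to open:
  Serial.begin(9600);
  while (!Serial) {
    ; // wait for serial port to connect. Needed for native USB port only
  }

  Serial.println("Starting Arduino web client.");
  // connection state
  bool connected = false;

  // After starting the modem with GSM.begin()
  // attach the shield to the GPRS network with the APN, login and password.
  // Retries once per second until both steps report ready.
  while (!connected) {
    if ((gsmAccess.begin(PINNUMBER) == GSM_READY) &&
        (gprs.attachGPRS(GPRS_APN, GPRS_LOGIN, GPRS_PASSWORD) == GPRS_READY)) {
      connected = true;
    } else {
      Serial.println("Not connected");
      delay(1000);
    }
  }

  // --- TLS trust store -----------------------------------------------------
  // Replace the root certificates known to the client with the user-supplied
  // list from arduino_secrets.h.
  // NOTE(review): these calls return void, so a modem-side failure is only
  // visible in the debug trace on Serial; check it for ERROR responses.
  client.eraseTrustedRoot();
  client.setUserRoots(SECRET_GSM_ROOT_CERTS, SECRET_GSM_ROOT_SIZE);

  // --- TLS client identity -------------------------------------------------
  // Import a client certificate and private key under the names "MKRGSM01" /
  // "MKRGSMKEY01" and select them for the connection.
  // NOTE(review): SECRET_CERT and SECRET_KEY must hold a real certificate and
  // key issued for this server. If the arrays in arduino_secrets.h are still
  // the empty template, sizeof() is 0 and nothing usable is imported. Only
  // keep this block if the server actually asks for a client certificate.
  client.setSignedCertificate(SECRET_CERT, "MKRGSM01", sizeof(SECRET_CERT));
  client.setPrivateKey(SECRET_KEY, "MKRGSMKEY01", sizeof(SECRET_KEY));
  client.useSignedCertificate("MKRGSM01");
  client.usePrivateKey("MKRGSMKEY01");

  // Select the root used to validate the server's certificate.
  // NOTE(review): the name has to match an entry in SECRET_GSM_ROOT_CERTS, and
  // the server's certificate chain has to lead to that root; verify both.
  client.setTrustedRoot("Let_s_Encrypt_Authority_X3");

  Serial.println("connecting...");

  // if you get a connection, report back via serial:
  if (client.connect(server, port)) {
    Serial.println("connected");
    // Make a HTTP request. The Host header is built from `server` so it cannot
    // drift from the name that was actually connected to.
    client.println("GET /api/v2 HTTP/1.1");
    client.print("Host: ");
    client.println(server);
    // loop() waits for the server to close the connection, so ask for that.
    client.println("Connection: close");
    // The empty line ends the header section; without it the request is
    // incomplete and the server keeps waiting for more headers.
    client.println();
  } else {
    // if you didn't get a connection to the server:
    Serial.println("connection failed");
  }
}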

// Relays the server's response to the serial monitor one byte per pass and,
// once the server has closed the connection and nothing is left to read,
// stops the client and halts.
void loop() {
  // Forward a single pending byte, if there is one.
  if (client.available()) {
    Serial.print(static_cast<char>(client.read()));
  }

  // Keep going while data is still buffered or the connection is still open.
  if (client.available() || client.connected()) {
    return;
  }

  // Server is gone and the buffer is drained: shut the client down.
  Serial.println();
  Serial.println("disconnecting.");
  client.stop();

  // Nothing more to do; park here forever.
  while (true) {
  }
}

I looked at the debug output from the modem, and what looks suspicious to me is that the Arduino sends the command AT+USECMNG=2,0,"AddTrust_External_CA_Root" to the modem; however, according to the modem's documentation, the first parameter can only be 0, 1 or 3.
Modem responds with "ERROR" as can be seen here:

17:29:52.168 -> Starting Arduino web client.
17:29:56.049 -> ⸮AT

17:29:56.234 -> OK
17:29:56.280 -> AT+IPR=921600

17:29:56.280 -> OK
17:29:56.374 -> AT

17:29:56.374 -> OK
17:29:56.374 -> AT+UPSV=3

17:29:56.374 -> OK
17:29:56.513 -> AT+CPIN?

17:29:56.513 -> ERROR
17:29:56.699 -> AT+CPIN?

17:29:56.699 -> ERROR
17:29:56.930 -> AT+CPIN?

17:29:56.930 -> +CPIN: READY
17:29:56.930 -> 
17:29:56.930 -> OK
17:29:57.115 -> AT+CMGF=1

17:29:57.115 -> OK
17:29:57.300 -> AT+UDCONF=1,1

17:29:57.300 -> OK
17:29:57.532 -> AT+CTZU=1

17:29:57.532 -> OK
17:29:57.720 -> AT+UDTMFD=1,2

17:29:57.720 -> OK
17:29:57.905 -> AT+CREG?

17:29:57.905 -> +CREG: 0,0
17:29:57.905 -> 
17:29:57.905 -> OK
17:29:58.138 -> AT+CREG?

17:30:03.976 -> +CREG: 0,1
17:30:03.976 -> 
17:30:03.976 -> OK
17:30:04.208 -> AT+UCALLSTAT=1

17:30:04.208 -> OK
17:30:04.302 -> AT+CGATT=1

17:30:04.302 -> OK
17:30:04.488 -> AT+UPSD=0,1,"internet"

17:30:04.488 -> OK
17:30:04.718 -> AT+UPSD=0,6,3

17:30:04.718 -> OK
17:30:04.905 -> AT+UPSD=0,2,""

17:30:04.905 -> OK
17:30:05.091 -> AT+UPSD=0,3,""

17:30:05.138 -> OK
17:30:05.323 -> AT+UPSD=0,7,"0.0.0.0"

17:30:05.323 -> OK
17:30:05.507 -> AT+UPSDA=0,3

17:30:06.110 -> OK
17:30:06.297 -> AT+UPSND=0,8

17:30:06.342 -> +UPSND: 0,8,1
17:30:06.342 -> 
17:30:06.342 -> OK
17:30:06.342 -> AT+USECMNG=2,0,"AddTrust_External_CA_Root"

17:30:06.342 -> ERROR
17:30:06.390 -> AT+USECMNG=2,0,"Baltimore_CyberTrust_Root"

17:30:06.390 -> ERROR
17:30:06.390 -> AT+USECMNG=2,0,"COMODO_RSA_Certification_Authority"

17:30:06.390 -> ERROR
17:30:06.437 -> AT+USECMNG=2,0,"DST_Root_CA_X3"

17:30:06.437 -> OK
17:30:06.484 -> AT+USECMNG=2,0,"DigiCert_High_Assurance_EV_Root_CA"

17:30:06.484 -> ERROR
17:30:06.484 -> AT+USECMNG=2,0,"Entrust_Root_Certification_Authority"

17:30:06.484 -> ERROR
17:30:06.531 -> AT+USECMNG=2,0,"Equifax_Secure_Certificate_Authority"

17:30:06.531 -> ERROR
17:30:06.531 -> AT+USECMNG=2,0,"GeoTrust_Global_CA"

17:30:06.531 -> ERROR
17:30:06.578 -> AT+USECMNG=2,0,"GeoTrust_Primary_Certification_Authority_G3"

17:30:06.578 -> ERROR
17:30:06.578 -> AT+USECMNG=2,0,"GlobalSign"

17:30:06.578 -> ERROR
17:30:06.625 -> AT+USECMNG=2,0,"Go_Daddy_Root_Certificate_Authority_G2"

17:30:06.625 -> ERROR
17:30:06.625 -> AT+USECMNG=2,0,"VeriSign_Class_3_Public_Primary_Certification_Authority_G5"

17:30:06.625 -> ERROR
17:30:06.672 -> AT+USECMNG=2,0,"AmazonRootCA1"

17:30:06.672 -> ERROR
17:30:06.672 -> AT+USECMNG=2,0,"Starfield_Services_Root_Certificate_Authority_G2"

17:30:06.718 -> ERROR
17:30:06.718 -> AT+USECMNG=0,1,"MKRGSM01",0

17:30:06.718 -> ERROR
17:30:06.764 -> AT+USECMNG=0,2,"MKRGSMKEY01",0

17:30:06.764 -> ERROR
17:30:06.764 -> AT+USECPRF=0,5,"MKRGSM01"

17:30:06.764 -> OK
17:30:06.810 -> AT+USECPRF=0,6,"MKRGSMKEY01"

17:30:06.810 -> OK
17:30:06.810 -> AT+USECPRF=0,3,"Let_s_Encrypt_Authority_X3"

17:30:06.810 -> OK
17:30:06.810 -> connecting...
17:30:06.856 -> AT+USECMNG=0,0,"DST_Root_CA_X3",846
>
17:30:07.041 -> +USECMNG: 0,0,"DST_Root_CA_X3","410352dc0ff7501b16f0028eba6f45c5"
17:30:07.041 -> 
17:30:07.041 -> OK
17:30:07.041 -> AT+USECMNG=0,0,"Let_s_Encrypt_Authority_X3",1174
>
17:30:07.227 -> +USECMNG: 0,0,"Let_s_Encrypt_Authority_X3","b15409274f54ad8f023d3b85a5ecec5d"
17:30:07.227 -> 
17:30:07.227 -> OK
17:30:07.366 -> AT+USOCR=6

17:30:07.366 -> +USOCR: 0
17:30:07.366 -> 
17:30:07.366 -> OK
17:30:07.549 -> AT+USOSEC=0,1,0

17:30:07.549 -> OK
17:30:07.779 -> AT+USECPRF=0,0,1

17:30:07.779 -> OK
17:30:07.965 -> AT+USOCO=0,"europe-west1-1.gcp.cloud2.influxdata.com",443

17:30:09.874 -> ERROR
17:30:09.967 -> 
17:30:09.967 -> +UUSOCL: 0
17:30:10.107 -> AT+USOCL=0

17:30:10.107 -> ERROR
17:30:10.107 -> connection failed
17:30:10.107 -> 
17:30:10.107 -> disconnecting.

Did anyone encounter similar problem?
Is there any way how to fix this?

2 means "remove an imported certificate or private key". It likely comes from client.eraseTrustedRoot(). Shouldn't that be client.eraseAllCertificates();?

Yes, you are correct.

Also, after removing the whole

  // Trust store: erase the stored roots, then register the user-supplied list.
  client.eraseTrustedRoot();
  client.setUserRoots(SECRET_GSM_ROOT_CERTS, SECRET_GSM_ROOT_SIZE);

  // Client identity: import a certificate and private key under fixed names
  // and select them for the TLS connection.
  // NOTE(review): only meaningful when SECRET_CERT / SECRET_KEY hold real
  // material; sizeof() of an empty template array is 0.
  client.setSignedCertificate(SECRET_CERT, "MKRGSM01", sizeof(SECRET_CERT));
  client.setPrivateKey(SECRET_KEY, "MKRGSMKEY01", sizeof(SECRET_KEY));
  client.useSignedCertificate("MKRGSM01");
  client.usePrivateKey("MKRGSMKEY01");
  // Root selected for validating the server certificate.
  client.setTrustedRoot("Let_s_Encrypt_Authority_X3");

the output from the module all comes back with OK results; sadly, the connection still doesn't work (I tried writing the link without "https://", and that doesn't work either):

19:18:17.664 -> connecting...
19:18:17.710 -> AT+USECMNG=0,0,"AddTrust_External_CA_Root",1082
>
19:18:17.898 -> +USECMNG: 0,0,"AddTrust_External_CA_Root","1d3554048578b03f42424dbf20730a3f"
19:18:17.898 -> 
19:18:17.898 -> OK
19:18:17.898 -> AT+USECMNG=0,0,"Baltimore_CyberTrust_Root",891
>
19:18:18.085 -> +USECMNG: 0,0,"Baltimore_CyberTrust_Root","acb694a59c17e0d791529bb19706a6e4"
19:18:18.132 -> 
19:18:18.132 -> OK
19:18:18.132 -> AT+USECMNG=0,0,"COMODO_RSA_Certification_Authority",1500
>
19:18:18.317 -> +USECMNG: 0,0,"COMODO_RSA_Certification_Authority","1b31b0714036cc143691adc43efdec18"
19:18:18.317 -> 
19:18:18.317 -> OK
19:18:18.364 -> AT+USECMNG=0,0,"DST_Root_CA_X3",846
>
19:18:18.553 -> +USECMNG: 0,0,"DST_Root_CA_X3","410352dc0ff7501b16f0028eba6f45c5"
19:18:18.553 -> 
19:18:18.553 -> OK
19:18:18.553 -> AT+USECMNG=0,0,"DigiCert_High_Assurance_EV_Root_CA",969
>
19:18:18.787 -> +USECMNG: 0,0,"DigiCert_High_Assurance_EV_Root_CA","d474de575c39b2d39c8583c5c065498a"
19:18:18.787 -> 
19:18:18.787 -> OK
19:18:18.787 -> AT+USECMNG=0,0,"Entrust_Root_Certification_Authority",1173
>
19:18:18.974 -> +USECMNG: 0,0,"Entrust_Root_Certification_Authority","d6a5c3ed5ddd3e00c13d87921f1d3fe4"
19:18:18.974 -> 
19:18:18.974 -> OK
19:18:19.021 -> AT+USECMNG=0,0,"Equifax_Secure_Certificate_Authority",804
>
19:18:19.211 -> +USECMNG: 0,0,"Equifax_Secure_Certificate_Authority","67cb9dc013248a829bb2171ed11becd4"
19:18:19.211 -> 
19:18:19.211 -> OK
19:18:19.211 -> AT+USECMNG=0,0,"GeoTrust_Global_CA",856
>
19:18:19.397 -> +USECMNG: 0,0,"GeoTrust_Global_CA","f775ab29fb514eb7775eff053c998ef5"
19:18:19.443 -> 
19:18:19.443 -> OK
19:18:19.443 -> AT+USECMNG=0,0,"GeoTrust_Primary_Certification_Authority_G3",1026
>
19:18:19.631 -> +USECMNG: 0,0,"GeoTrust_Primary_Certification_Authority_G3","b5e83436c910445848706d2e83d4b805"
19:18:19.631 -> 
19:18:19.631 -> OK
19:18:19.678 -> AT+USECMNG=0,0,"GlobalSign",958
>
19:18:19.866 -> +USECMNG: 0,0,"GlobalSign","9414777e3e5efd8f30bd41b0cfe7d030"
19:18:19.866 -> 
19:18:19.866 -> OK
19:18:19.866 -> AT+USECMNG=0,0,"Go_Daddy_Root_Certificate_Authority_G2",969
>
19:18:20.050 -> +USECMNG: 0,0,"Go_Daddy_Root_Certificate_Authority_G2","803abc22c1e6fb8d9b3b274a321b9a01"
19:18:20.050 -> 
19:18:20.050 -> OK
19:18:20.097 -> AT+USECMNG=0,0,"VeriSign_Class_3_Public_Primary_Certification_Authority_G5",1239
>
19:18:20.281 -> +USECMNG: 0,0,"VeriSign_Class_3_Public_Primary_Certification_Authority_G5","cb17e431673ee209fe455793f30afa1c"
19:18:20.281 -> 
19:18:20.281 -> OK
19:18:20.281 -> AT+USECMNG=2,0,"AmazonRootCA1"

19:18:20.328 -> ERROR
19:18:20.328 -> AT+USECMNG=0,0,"Starfield_Services_Root_Certificate_Authority_G2",1011
>
19:18:20.514 -> +USECMNG: 0,0,"Starfield_Services_Root_Certificate_Authority_G2","173574af7b611cebf4f93ce2ee40f9a2"
19:18:20.514 -> 
19:18:20.514 -> OK
19:18:20.652 -> AT+USOCR=6

19:18:20.652 -> +USOCR: 0
19:18:20.652 -> 
19:18:20.652 -> OK
19:18:20.841 -> AT+USOSEC=0,1,0

19:18:20.841 -> OK
19:18:21.028 -> AT+USECPRF=0,0,1

19:18:21.028 -> OK
19:18:21.262 -> AT+USOCO=0,"https://europe-west1-1.gcp.cloud2.influxdata.com",443

19:18:21.873 -> ERROR
19:18:21.965 -> 
19:18:21.965 -> +UUSOCL: 0
19:18:22.059 -> AT+USOCL=0

19:18:22.059 -> ERROR
19:18:22.059 -> connection failed
19:18:22.059 -> 
19:18:22.059 -> disconnecting.

If your server requires HTTPS, then you need to connect using HTTPS. If you remove the part that instructs it to use HTTPS, it won't work...

are you sure your SECRET_CERT, SECRET_KEY are correct?

But it loads the certs correctly according to the output no?

I am not sure, how do i find that out?

but do those certs match what's required?

I think I understand the issue now. I didn't make or create any SECRET_CERT and SECRET_KEY.
I am not sure how to obtain them, but at least I know the direction in which to look now.

Yes they need to match with the server side
