SIM7000E unable to connect - TLS issues?

I’ve been trying to connect to HiveMQ with the SIM7000E for quite some time. I’ve looked through threads about similar SIMCOM devices and still haven’t been able to solve the issue.

  • SNI added
  • Let’s Encrypt root CA downloaded and uploaded to the customer directory
  • SSL-less broker.hivemq.com communication works ok

Not sure about steps below:

  • Should I convert the CA using AT+CSSLCFG="convert",2,"isrgrootx1.pem"? Some sources say it’s not necessary
  • Do I need to download additional keys/certificates, like a client certificate? SIM7000 mqtts example uses more keys
  • Is SSL version 1.3 okay?

Steps done:

//SSL config:
AT+CSSLCFG="convert",2,"isrgrootx1.pem" ← when executed, returns OK so I guess file is present and has a proper format
AT+CSSLCFG="sslversion",1,3
AT+CSSLCFG="sni",1,"[id here].s1.eu.hivemq.cloud"
AT+SHSSL=1,""

//MQ setup:
AT+SMCONF="URL","[id here].s1.eu.hivemq.cloud","8883"
AT+SMCONF="CLIENTID","21"
AT+SMCONF="USERNAME","[id]"
AT+SMCONF="PASSWORD","[pass]"

//conn
AT+CNACT=1,"iot.1nce.net"
AT+SMCONN << no error, ends with a weird module reset

SIMCOM example below:

//Example of MQTTS Function
AT+CNACT=1,"cmnet" //Open wireless connection //parameter CMNET is

AT+CNACT? //Get local IP

AT+CFSINIT //Init FS AT command

AT+CFSWFILE=3,"ca.crt",0,2110,1000 //After download, sent certificate file through the serial port.
//2110 is certificate size.
DOWNLOAD
OK
//Send CA file success
AT+CFSWFILE=3,"myclient.crt",0,2110,1000 //Send cert file success
DOWNLOAD
OK
AT+CFSTERM //Free data buffer
OK
AT+SMCONF="URL",117.131.85.139,6001 //Set up server URL
OK
AT+SMCONF="KEEPTIME",60 //Set MQTT time to connect server
OK
AT+CSSLCFG=convert,2,ca.crt //rootCA.pem is CA certificate
OK
AT+CSSLCFG=convert,1,myclient.crt,myclient.key
//cert.pem is certificate, key.pem is key of cert.pem
OK
AT+SMSSL=1,ca.crt,myclient.crt //Set CA certificate and cert //certificate name
OK
AT+SMCONN
OK
AT+SMSUB="update",1 //Subscription packet
OK
AT+SMPUB="update","5",1,1
>hello //Get data on server
OK
+SMSUB: "update","hello"
AT+SMUNSUB="update" //Unsubscription packet
OK
AT+SMDISC //Disconnect MQTT
OK
AT+CNACT=0 //Disconnect wireless
OK
+APP PDP: DEACTIVE

Hello @anszeju

Welcome to the HiveMQ Community! Check the answers for your question below.

Kind regards,
Diego from HiveMQ Team

Hi Diego, thanks for your response.
Unfortunately no champagne yet.
While searching for a solution I came across a datasheet of a modem from another family - SIM7600. Found that configuration of “verify server only (only CA)” and “verify server and client (CA+client key+client cert)” is listed separately and there’s a special command to select a proper auth mode.
Unfortunately, the SIM7000 datasheet does not mention anything about such separate auth modes. Perhaps SIM7000 needs client key and cert anyway?
Noobie question: if I use OpenSSL to generate a client key and then sign it by myself, will such a pair “work” with Let’s Encrypt CA certificate?

@anszeju

Oh no, no champagne yet? I’ll keep the glasses ready :sweat_smile:

Based on my experience, SIM7000E and SIM7600 are completely different devices in terms of hardware, MQTT, and TLS implementation. I would recommend you not follow the SIM7600 datasheet.

There is no need for a client key and client certificate in the HiveMQ Cloud Serverless offer. Make sure you are using the latest firmware version available for your device.

Kind regards,
Diego from HiveMQ Team
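
An added example, not part of any post in this thread and not SIMCOM or HiveMQ code: a small linter that compares an AT command sequence with the pattern of the SIMCOM MQTTS example quoted above (CA converted with type 2, that CA selected with AT+SMSSL before AT+SMCONN) and checks that the SNI host equals the broker URL. The function names and finding labels are hypothetical, and the rules are derived only from the two sequences shown in the thread, not from the modem's AT manual.

```python
import re

# Constructed input modelled on the sequence posted in this thread (placeholders
# kept). Typographic quotes are included on purpose to exercise that check.
POSTED = """\
AT+CSSLCFG=“convert”,2,“isrgrootx1.pem”
AT+CSSLCFG=“sslversion”,1,3
AT+CSSLCFG=“sni”,1,“[id here].s1.eu.hivemq.cloud”
AT+SHSSL=1,“”
AT+SMCONF=“URL”,“[id here].s1.eu.hivemq.cloud”,“8883”
AT+SMCONN
"""
CURLY = "“”"

def parse(line):
    """Return (NAME, [args]) for 'AT+NAME=a,"b"', else None (naive comma split)."""
    m = re.match(r"AT\+([A-Z]+)(?:=(.*))?$", line.strip())
    if not m:
        return None
    raw = m.group(2)
    args = [a.strip().strip('"' + CURLY) for a in raw.split(",")] if raw else []
    return m.group(1), args

def lint(text):
    """Hypothetical checks derived from the two sequences in this thread."""
    findings, cas, sni, url, smssl_ca = [], set(), None, None, None
    if any(c in text for c in CURLY):
        findings.append("curly-quotes")  # AT strings are delimited by ASCII 0x22
    for name, a in filter(None, map(parse, text.splitlines())):
        key = a[0].lower() if a else ""
        if name == "CSSLCFG" and key == "convert" and len(a) > 2 and a[1] == "2":
            cas.add(a[2])                # type 2 is the CA file in the SIMCOM example
        elif name == "CSSLCFG" and key == "sni" and len(a) > 2:
            sni = a[2]
        elif name == "SMCONF" and key == "url" and len(a) > 1:
            url = a[1]
        elif name == "SMSSL" and len(a) > 1:
            smssl_ca = a[1]              # CA name selected for the MQTT session
        elif name == "SMCONN":           # evaluate the state seen before connecting
            if not cas:
                findings.append("no-ca-converted")
            if smssl_ca is None:
                findings.append("smssl-missing")
            elif smssl_ca not in cas:
                findings.append("smssl-ca-not-converted")
            if sni and url and sni != url:
                findings.append("sni-url-mismatch")
    return findings

if __name__ == "__main__":
    print(lint(POSTED))
```

A finding only says where the sequence departs from the quoted SIMCOM pattern; it does not establish the cause of the module reset.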