SIM7000E unable to connect - TLS issues?

I’ve been trying to connect to HiveMQ with the SIM7000E for quite some time. I’ve looked through threads about similar SIMCOM devices and still haven’t been able to solve the issue.

  • SNI added
  • Let’s Encrypt root CA downloaded and uploaded to the customer directory
  • SSL-less broker.hivemq.com communication works ok

Not sure about steps below:

  • Should I convert the CA using AT+CSSLCFG="convert",2,"isrgrootx1.pem"? Some sources say it's not necessary
  • Do I need to download additional keys/certificates, like a client certificate? SIM7000 mqtts example uses more keys
  • Is SSL version 1.3 okay?

Steps done:

//SSL config:
AT+CSSLCFG="convert",2,"isrgrootx1.pem" ← when executed, returns OK so I guess the file is present and has a proper format
AT+CSSLCFG="sslversion",1,3
AT+CSSLCFG="sni",1,"[id here].s1.eu.hivemq.cloud"
AT+SHSSL=1,"" // note: SHSSL is the HTTP(S) SSL selector; the SIMCOM MQTTS example below selects the CA for MQTT with AT+SMSSL

//MQ setup:
AT+SMCONF="URL","[id here].s1.eu.hivemq.cloud","8883"
AT+SMCONF="CLIENTID","21"
AT+SMCONF="USERNAME","[id]"
AT+SMCONF="PASSWORD","[pass]"

//conn
AT+CNACT=1,"iot.1nce.net"
AT+SMCONN << no error, ends with a weird module reset

SIMCOM example below:

//Example of MQTTS Function
AT+CNACT=1,"cmnet" //Open wireless connection //parameter CMNET is
AT+CNACT? //Get local IP
AT+CFSINIT //Init FS AT command
AT+CFSWFILE=3,"ca.crt",0,2110,1000 //After the DOWNLOAD prompt, send the certificate file through the serial port. 2110 is the certificate size in bytes.
DOWNLOAD
OK
//Send CA file success
AT+CFSWFILE=3,"myclient.crt",0,2110,1000 //Send cert file success
DOWNLOAD
OK
AT+CFSTERM //Free data buffer
OK
AT+SMCONF="URL","117.131.85.139","6001" //Set up server URL and port
OK
AT+SMCONF="KEEPTIME",60 //Set MQTT keep-alive time in seconds
OK
AT+CSSLCFG="convert",2,"ca.crt" //type 2: ca.crt is the CA certificate
OK
AT+CSSLCFG="convert",1,"myclient.crt","myclient.key" //type 1: myclient.crt is the client certificate, myclient.key its private key
OK
AT+SMSSL=1,"ca.crt","myclient.crt" //Select the CA certificate and the client certificate by file name
OK
OK
AT+SMCONN
OK
AT+SMSUB="update",1 //Subscription packet
OK
AT+SMPUB="update","5",1,1
>hello //Get data on server
OK
+SMSUB: "update","hello"
AT+SMUNSUB="update" //Unsubscription packet
OK
AT+SMDISC //Disconnect MQTT
OK
AT+CNACT=0 //Disconnect wireless
OK
+APP PDP: DEACTIVE

Hello @anszeju

Welcome to the HiveMQ Community! Check the answers for your question below.

Kind regards,
Diego from HiveMQ Team

Hi Diego, thanks for your response.
Unfortunately no champagne yet.
While searching for a solution I came across a datasheet of a modem from another family, the SIM7600. I found that the configuration of "verify server only (only CA)" and "verify server and client (CA + client key + client cert)" is listed separately and there's a special command to select the proper auth mode.
Unfortunately, the SIM7000 datasheet does not mention anything about such separate auth modes. Perhaps SIM7000 needs a client key and cert anyway?
Noobie question: if I use OpenSSL to generate a client key and then sign it by myself, will such a pair "work" with the Let's Encrypt CA certificate?

@anszeju

Oh no, no champagne yet? I’ll keep the glasses ready :sweat_smile:

Based on my experience SIM7000E and SIM7600 are completely different devices in terms of hardware, MQTT, and TLS implementation. I would recommend you not follow SIM7600 datasheet.

There is no need for a client key and client certificate in HiveMQ Cloud Serverless offer. Make sure you are using the latest firmware version available for your device.

Kind regards,
Diego from HiveMQ Team

I am also struggling with hiveMQ cloud and SIM7000 (SIM7000G in my case).

I also do not exactly know what to do with certificates and would really appreciate help if someone got it working, preferably with an example code snippet.
I am already borderline to getting crazy as I have spent like a week already and overall trying for half a year or longer.

It would be really great to get some help.

Hello Lademeister,

Thank you for your feedback!

I’d like to offer a couple of additional notes here that may be of benefit when attempting to connect.

Reviewing some of the configuration details for the SIM7000 series, there are a few caveats to note :

  • The certificate (isrgrootx1.pem) must be uploaded to the module successfully before calling AT+CSSLCFG="convert" to convert it.
  • I would ask you to provide any current error codes that are being generated on connection attempt, as this may assist us in identifying exactly where the connection is failing when attempting negotiation.
  • When attempting TLS connectivity, it is important to note that the local clock of the SIM7000 system is used in determining certificate validity, and it would be beneficial to ensure that the system clock is set appropriately with AT+CCLK? first, as an invalid clock configuration here may prevent validation.
  • TLS SNI is required for connectivity to HiveMQ Cloud
  • If unexpected disconnects, or failures without error codes being received are occurring, a network trace of this device may be beneficial to understand which packets are being sent or received prior to connection termination.

Best,
Aaron from the HiveMQ Team

Hi Aaron. Thanks a lot.
I don’t get it, no matter how many hours I put in it. I am at +20 hrs now to my last post.
I checked the modem time according to your suggestion, which is ok and exactly matches the current time.

Below I copied an output from my device, I just don’t see what is wrong with the upload and conversion. I only can see that it does not work after successfully uploading it.

What I want to achieve is using HiveMQ over LTE with SIM card, and it is ridiculous that it is impossible to get a working example code where we all just have to enter our credentials.
I mean I just invested like 50 hours, to be exactly where I was before - only that I have a feeling that there can be about 20 culprits and I may have any combination of them.

What I can say is that I would give a f… if not using any certificates but only password and username would be working - I do not want to have high security that would justify the work of certificates.
What I am doing is a birthday present for a colleague and I want to activate it without the need for wifi.
It should be simpler…
Please advise, and preferably in a way that others can also use it.

I know that the issue is me not understanding how it works, but no matter how much information I consume I can still not comprehend what is going on.

The first, more general issue:
Why do I have code that is working over WiFi (including a CA cert and all that is registered with pubsubclient and that works with my hiveMQ account) but that does not work when connected over LTE?
I so far understood that the .pem needs to be uploaded to sim7000 so that sim7000 can handle ssl with hiveMQ, essentially using totally different certificate as my code that authenticates over wifi connection (uses .ar certificate).
Then I found conflicting information about if the .pem needs to be converted or not,
Nevertheless uploading seems successful but reading it back from or converting on sim7000 fails - which would suggest that the upload was not successful.
I assume that uploading it to “/customer/” is correct:
Using the command
AT+CFSWFILE=3,"isrgrootx1.pem",0,1939,9000
and the following information from AT commands for sim7000:
Directory of AP filesystem:
0= "/custapp/"
1= "/fota/"
2= "/datax/"
3= "/customer/"
…which should upload the file “isrgrootx1.pem” to /customer/ (index 3) and overwrite it in case it exists (mode 0), providing its filesize (1939 bytes) and a 9000ms timeout.

Simple question:
Arduino IDE, a Sim7000 and a microcontroller like ESP8266 or ESP32.
Software/Library: pubsubclient for MQTT (already working perfectly over WiFi with HiveMQ and certs/authentication using an .ar file)
What the heck do we have to do to get the authentication from your servers also when using LTE internet connection over SIM7000?

I also tried not using pubsubclient with sim7000 but the builtin AT commands for MQTT, but again that only works for the public hiveMQ but not for my private account that needs certification.

So I got MQTT working with public and private hiveMQ over WiFi but over LTE and sim7000 only public (without certificate) works so far.

here’s some output from my device:

[…]
—> AT+CPMS="SM","SM","SM"
<— +CPMS: 0,20,0,20,0,20
Modem is OK
Found SIM7000
—> AT+GSN
<— 111112222233333
Module IMEI: 111112222233333
—> AT+CFUN=1
<— OK
—> AT+CGDCONT=1,"IP","hologram"
<— OK
—> AT+CNMP=38
<— OK
—> AT+CMNB=1
<— OK
waiting 6s:
Sending to modem: WAIT=6

disabling GPRS first…
—> AT+CIPSHUT
<— SHUT OK
—> AT+SAPBR=0,1
<— OK
—> AT+CGATT=0
<— +APP PDP: DEACTIVE
Failed to turn off
now enabling GPRS…
turning GPRS on automatically on boot…
—> AT+CIPSHUT
<— OK
—> AT+CGATT=1
<— OK
—> AT+SAPBR=3,1,"CONTYPE","GPRS"
<— OK
—> AT+SAPBR=3,1,"APN","hologram"
<— OK
—> AT+CSTT="hologram"
<— OK
—> AT+SAPBR=1,1
<— OK
—> AT+CIICR
<— OK
—> AT+CNACT=1,"hologram"
<— OK
<— +APP PDP: ACTIVE
GPRS turned on successfully
—> AT+CGNSPWR?
<— +CGNSPWR: 1
Turned on GPS.

+CCLK: "25/01/03,04:18:24+04"

OK

Current time retrieved from SIM7000:
25/01/03,04:18:24+04
OK
File system session activated successfully.
—> AT+CGREG?
<— +CGREG: 0,5
Network status 5: Registered roaming
Connected to cell network!
—> AT+CNACT?
<— +CNACT: 1,"100.82.143.15"
Data already enabled!
CNACT? - STATUS RESPONSE:
OK
+CNACT: 1,"100.82.143.15"
OK
Got valid IP address:
OK
+CNACT: 1,"100.82.143.15"
OK
Signal quality raw response:
+CSQ: 20,99
OK
RSSI: -73 dBm
Signal quality: 65% - Good

[…]

Certificate file found on SPIFFS: /isrgrootx1.pem
Certificate content of /isrgrootx1.pem:
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
Certificate size: 1939 bytes
AT+CFSWFILE=3,"isrgrootx1.pem",0,1939,9000

DOWNLOAD
DOWNLOAD prompt received.
Uploaded 512/1939 bytes
Uploaded 1024/1939 bytes
Uploaded 1536/1939 bytes
Uploaded 1939/1939 bytes

OK
Successfully uploaded /isrgrootx1.pem from SPIFFS to SIM7000 internal memory as isrgrootx1.pem.

Converting certificate: isrgrootx1.pem…
as QUAPI_NET_SSL_CERTIFICATE_E (ssltype=1)
AT+CSSLCFG="convert",1,"isrgrootx1.pem"

ERROR

Timeout waiting for: OK
Partial response received:

ERROR

Failed to convert certificate: isrgrootx1.pem on SIM7000.
AT+CSSLCFG="sslversion",0,3

OK
SSL version set to TLS 1.2.
AT+CSSLCFG="cipher suite",0,0

ERROR

Timeout waiting for: OK
Partial response received:

ERROR

Failed to set cipher suite.
Reading contents of isrgrootx1.pem…
AT+CFSRFILE=3,"isrgrootx1.pem",0,1939

ERROR
Failed to read contents of isrgrootx1.pem.
File content verification failed.
Activating client certificate: isrgrootx1.pem…
AT+CSSLCFG="clientcert",1,"isrgrootx1.pem"

ERROR

Timeout waiting for: OK
Partial response received:
ERROR

Failed to activate client certificate: isrgrootx1.pem.
Certificate activation failed.
AT+CSSLCFG="sni",1,"2bdc1234567899876543211234567890a1.s1.eu.hivemq.cloud"

OK
==== Successfully set SSL SNI ====
AT+CFSTERM\r\n

OK
File system session terminated successfully.

Waiting for 30 seconds

Setting up global MQTT client:

MQTT Connection Parameters

Client ID: Vince3-00CA7758
Server: 2bdc1234567899876543211234567890a1.s1.eu.hivemq.cloud
Port: 8883
User: testuser
Password: abcdef_donttell
################################
MQTT: Trying to connect as clientID ‘Vince3-00CA7758’ to MQTT server 2bdc1234567899876543211234567890a1.s1.eu.hivemq.cloud at Port 8883 with user ‘testuser’ and password ‘abcdef_donttell’
MQTT: Trying to connect as clientID ‘Vince3-00CA7758’ to MQTT server 2bdc1234567899876543211234567890a1.s1.eu.hivemq.cloud at Port 8883 with user ‘testuser’ and password ‘abcdef_donttell’
MQTT: Trying to connect as clientID ‘Vince3-00CA7758’ to MQTT server 2bdc1234567899876543211234567890a1.s1.eu.hivemq.cloud at Port 8883 with user ‘testuser’ and password ‘abcdef_donttell’
MQTT: Trying to connect as clientID ‘Vince3-00CA7758’ to MQTT server 2bdc1234567899876543211234567890a1.s1.eu.hivemq.cloud at Port 8883 with user ‘testuser’ and password ‘abcdef_donttell’
MQTT: Trying to connect as clientID ‘Vince3-00CA7758’ to MQTT server 2bdc1234567899876543211234567890a1.s1.eu.hivemq.cloud at Port 8883 with user ‘testuser’ and password ‘abcdef_donttell’
MQTT: Failed to connect after maximum tries.

@Lademeister

I'm not familiar with the SIM7000G device, but based on the output logs the built-in AT command for MQTT (AT+CSSLCFG="convert",1,"isrgrootx1.pem") failed because you used 1 for the second parameter. On many SIM7000 modules, 1 means "client certificate", not "CA certificate". The goal here is to load the Let's Encrypt Root CA certificate, so I think you have to switch to 2 for a CA certificate:

AT+CSSLCFG="convert",2,"isrgrootx1.pem"

Kind regards,
Diego from HiveMQ Team
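An added host-side example (Python, written for this thread; it is not SIMCOM's, HiveMQ's or any poster's code) that puts Aaron's pre-flight checklist above and Diego's type-2 fix into one place. It validates the PEM file and computes the exact byte count AT+CFSWFILE must declare, parses the +CCLK reply and checks the modem clock against the published validity window of ISRG Root X1, and then emits the server-only AT sequence (upload before convert, convert type 2 for a CA, SNI set, no client certificate) in the order of the SIMCOM MQTTS example. The sample certificate is constructed, not a real one, and the serial transport is left to the caller. Two points are assumptions rather than something the thread confirms: that the context index given to "sslversion" and "sni" is the same index AT+SMSSL enables, and that an empty <cert name> in AT+SMSSL selects server-only verification.

```python
# Added example for this thread, not code from SIMCOM, HiveMQ or any poster.
# Host-side pre-flight checks and AT sequence for CA-only (server-verified) TLS
# on a SIM7000. Assumptions are marked below.
import base64
import re
from datetime import datetime, timedelta, timezone

CUSTOMER_DIR = 3         # AT+CFSWFILE directory index for /customer/ (table quoted in the thread)
CONVERT_CLIENT_CERT = 1  # AT+CSSLCFG="convert" type: client certificate + key (SIMCOM example)
CONVERT_CA_LIST = 2      # AT+CSSLCFG="convert" type: CA list (SIMCOM example, Diego's fix)
SSLVERSION_TLS12 = 3     # "sslversion" value that the posted log reports back as TLS 1.2

# Validity window of ISRG Root X1 as published by Let's Encrypt.
ISRG_ROOT_X1_NOT_BEFORE = datetime(2015, 6, 4, 11, 4, 38, tzinfo=timezone.utc)
ISRG_ROOT_X1_NOT_AFTER = datetime(2035, 6, 4, 11, 4, 38, tzinfo=timezone.utc)

# Constructed stand-in for a certificate file: a DER SEQUENCE holding INTEGER 1,
# wrapped in PEM armour. The real isrgrootx1.pem is handled the same way.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(bytes([0x30, 0x03, 0x02, 0x01, 0x01]))
              + b"-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+"
                     rb"-----END CERTIFICATE-----\r?\n?")
_CCLK_RE = re.compile(r'\+CCLK: "(\d\d)/(\d\d)/(\d\d),(\d\d):(\d\d):(\d\d)([+-]\d\d)"')


def pem_upload_size(pem: bytes) -> int:
    """Check that `pem` is exactly one PEM certificate and return the byte count
    AT+CFSWFILE must declare. Declaring len() of a str, or the size after
    stripping the final newline, sends fewer bytes than the modem waits for."""
    if not _PEM_RE.fullmatch(pem):
        raise ValueError("file is not exactly one PEM-encoded certificate")
    body = pem.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split(b"-----END CERTIFICATE-----", 1)[0]
    der = base64.b64decode(body)          # line breaks are outside the alphabet and dropped
    if not der or der[0] != 0x30:         # X.509 certificates are DER SEQUENCEs
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return len(pem)


def parse_cclk(line: str) -> datetime:
    """Parse '+CCLK: "yy/MM/dd,hh:mm:ss+zz"' (zz = UTC offset in quarter hours) to UTC."""
    m = _CCLK_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unexpected +CCLK response: {line!r}")
    yy, mo, dd, hh, mi, ss, q = m.groups()
    local = datetime(2000 + int(yy), int(mo), int(dd), int(hh), int(mi), int(ss))
    return (local - timedelta(minutes=15 * int(q))).replace(tzinfo=timezone.utc)


def clock_ok_for(now: datetime, not_before: datetime = ISRG_ROOT_X1_NOT_BEFORE,
                 not_after: datetime = ISRG_ROOT_X1_NOT_AFTER) -> bool:
    """A modem clock outside the CA's validity window fails every chain it anchors."""
    return not_before <= now <= not_after


def ca_only_sequence(host: str, port: int, pem: bytes, client_id: str, user: str,
                     password: str, *, ca_name: str = "isrgrootx1.pem", ctx: int = 1,
                     timeout_ms: int = 9000) -> list[str]:
    """AT commands for server-only verification: one CA file, no client key or cert,
    in the order of the SIMCOM MQTTS example (upload, then convert, then select)."""
    size = pem_upload_size(pem)
    return [
        "AT+CFSINIT",
        f'AT+CFSWFILE={CUSTOMER_DIR},"{ca_name}",0,{size},{timeout_ms}',  # mode 0 = overwrite; send exactly `size` bytes after DOWNLOAD
        "AT+CFSTERM",
        f'AT+SMCONF="URL","{host}","{port}"',
        f'AT+SMCONF="CLIENTID","{client_id}"',
        f'AT+SMCONF="USERNAME","{user}"',
        f'AT+SMCONF="PASSWORD","{password}"',
        f'AT+CSSLCFG="convert",{CONVERT_CA_LIST},"{ca_name}"',  # type 2: a CA, not a client cert
        f'AT+CSSLCFG="sslversion",{ctx},{SSLVERSION_TLS12}',
        f'AT+CSSLCFG="sni",{ctx},"{host}"',                      # SNI is required by HiveMQ Cloud
        f'AT+SMSSL={ctx},"{ca_name}",""',  # assumption: same ctx as above, empty cert name = server-only
        "AT+SMCONN",
    ]
```

Send the commands one at a time and wait for OK; after the AT+CFSWFILE line wait for the DOWNLOAD prompt and write exactly the declared number of bytes. If a step answers with a bare ERROR, stop there and record which command it was, since that is the error information Aaron asked for. Run parse_cclk and clock_ok_for on the +CCLK reply before AT+SMCONN: a clock outside the CA's validity window makes chain validation fail, and, as the posts above show, this modem does not necessarily report that as a readable error code.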

good catch, I’ll try it! From theory, it makes perfect sense. Thanks a lot.

Hi Diego, it’s still not working.
here is some output, converting seems to work now (thanks to your hint) but that is all.
Still no luck and no connection to hiveMQ :-((

mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
Certificate size: 1939 bytes
AT+CFSWFILE=3,"isrgrootx1.pem",0,1939,9000
DOWNLOAD prompt received.
Uploaded 512/1939 bytes
Uploaded 1024/1939 bytes
Uploaded 1536/1939 bytes
Uploaded 1939/1939 bytes
Successfully uploaded /isrgrootx1.pem from SPIFFS to SIM7000 internal memory as isrgrootx1.pem.
trying to convert certificate: isrgrootx1.pem…
as QAPI_NET_SSL_CA_LIST_E (ssltype=2), using the command
AT+CSSLCFG="convert",2,"isrgrootx1.pem"
Successfully converted certificate: isrgrootx1.pem.
Activating CA certificate: isrgrootx1.pem on context 0…
AT+CSSLCFG="cacert",0,"isrgrootx1.pem"
Timeout - expected: ‘OK’, but received:
ERROR
Failed to activate CA certificate: isrgrootx1.pem on SIM7000.
activating of certificate failed.
Setting SSL version to TLS 1.2 for context 0…
SSL version set to TLS 1.2 for context 0.
AT+CSSLCFG="cipher suite",1,0
Timeout - expected: ‘OK’, but received:
ERROR
Failed to set cipher suite.
Reading contents of isrgrootx1.pem…
AT+CFSRFILE=3,"isrgrootx1.pem",0,1939
ERROR
Failed to read contents of isrgrootx1.pem.
File content verification failed.
Reading contents of /customer/isrgrootx1.pem…
AT+CFSRFILE=3,"/customer/isrgrootx1.pem",0,1939
ERROR
Failed to read contents of /customer/isrgrootx1.pem.
File content verification failed.
AT+CSSLCFG="sni",0,"2bdc6111222333444555666777888a1.s1.eu.hivemq.cloud"
Successfully set SSL SNI!
File system session terminated successfully.
Setting up global MQTT client:

MQTT Connection Parameters

Client ID: Vince300CA7758
Server: 2bdc6111222333444555666777888a1.s1.eu.hivemq.cloud
Port: 8883
User: myusername
Password: abc_donttell
################################
MQTT: Trying to connect as clientID ‘Vince300CA7758’ to MQTT server 2bdc6111222333444555666777888a1.s1.eu.hivemq.cloud at Port 8883 with user ‘myusername’ and password ‘abc_donttell’
MQTT: Trying to connect as clientID ‘Vince300CA7758’ to MQTT server 2bdc6111222333444555666777888a1.s1.eu.hivemq.cloud at Port 8883 with user ‘myusername’ and password ‘abc_donttell’
MQTT: Trying to connect as clientID ‘Vince300CA7758’ to MQTT server 2bdc6111222333444555666777888a1.s1.eu.hivemq.cloud at Port 8883 with user ‘myusername’ and password ‘abc_donttell’
MQTT: Trying to connect as clientID ‘Vince300CA7758’ to MQTT server 2bdc6111222333444555666777888a1.s1.eu.hivemq.cloud at Port 8883 with user ‘myusername’ and password ‘abc_donttell’
MQTT: Trying to connect as clientID ‘Vince300CA7758’ to MQTT server 2bdc6111222333444555666777888a1.s1.eu.hivemq.cloud at Port 8883 with user ‘myusername’ and password ‘abc_donttell’
MQTT: Failed to connect after maximum tries.