[SIM7000G] MQTTS Connection to HiveMQ Cloud Fails with ERROR on AT+SMCONN

Hello everyone,

I am working with a SIM7000G module and trying to establish a secure MQTT connection (MQTTS) to HiveMQ Cloud. I have followed the official SIMCom MQTT(S) Application Note, but I am encountering an “ERROR” response when executing AT+SMCONN.

Environment:

  • Broker: HiveMQ Cloud

  • Authentication: One-way SSL (Server Authentication)

  • TLS Version: 1.2 (Required by HiveMQ Cloud)

  • Certificate: ISRG Root X1 CA (Stored as root.crt and converted via AT+CSSLCFG)

AT Command Sequence & Logs:

// 1. Network Connection Status
AT+CNACT?
+CNACT: 1,"**********
OK

// 2. Certificate Conversion
AT+CSSLCFG="convert",2,"root.crt"
OK

// 3. MQTT Configuration
AT+SMCONF="url","***************************************.s1.eu.hivemq.cloud",8883
OK
AT+SMCONF="username","*********"
OK
AT+SMCONF="password","***********"
OK
AT+SMCONF="clientid","QuoCar_TEST_SSL_SIM7000"
OK

// 4. SSL Activation & Connection Attempt
AT+SMSSL=1,"root.crt",""
OK
AT+SMCONN
ERROR

Issue: Despite all previous commands returning OK, the final AT+SMCONN returns ERROR after a short delay. I have confirmed that the root.crt contains the correct Root CA data and is successfully stored in the module’s flash memory.

Questions:

  1. Is there a specific SSL context configuration (like AT+CSSLCFG="sslversion") that I must define before AT+SMSSL for HiveMQ Cloud?

  2. Does the AT+SMSSL=1,"root.crt","" command correctly map the root certificate for server validation in this firmware version?

  3. Are there any known issues with SIM7000 firmware regarding HiveMQ’s TLS 1.2 handshake?

Any insights or troubleshooting tips would be greatly appreciated. Thank you!

Hi @jsh110218,
thanks for being here. The HiveMQ Community is always open to new users and your curiosity is very welcome.

1. TLS version 1.2

On SIM7000 you must set the SSL version, even if the broker supports auto-negotiation.

HiveMQ Cloud rejects TLS 1.0 / 1.1, and SIM7000 often defaults to TLS 1.0 unless overridden.

Required command

AT+CSSLCFG="sslversion",2,3

Where:

  • 2 = SSL context used by MQTT
  • 3 = TLS 1.2

2. Cipher suites

SIM7000 supports very few modern ciphers, and HiveMQ Cloud rejects weak ones unless a compatible overlap exists.

Set cipher suite explicitly:

AT+CSSLCFG="ciphersuite",2,0X0035

0x0035 = TLS_RSA_WITH_AES_256_CBC_SHA

If that fails, try:

AT+CSSLCFG="ciphersuite",2,0X002F

(TLS_RSA_WITH_AES_128_CBC_SHA)

To see the full list of cipher suites, use this command against your HiveMQ Cloud broker:

nmap -Pn --script ssl-enum-ciphers -p 8883 2ed61f54b0c04f2db1eb8d16be859880.s1.eu.hivemq.cloud

3. SNI must be enabled (this is a common failure)

HiveMQ Cloud requires SNI.

AT+CSSLCFG="enableSNI",2,1

Without this, TLS handshake fails silently → AT+SMCONN ERROR


4. Root CA mapping

Your command is correct assuming conversion was successful:

AT+SMSSL=1,"root.crt",""

Important confirmations:

You can verify storage:

AT+CFSGFIS?

5. Time synchronization is required for TLS validation

If the module RTC is invalid, TLS cert validation fails.

Check time:

AT+CCLK?

If wrong:

AT+CNTP="pool.ntp.org",0
AT+CNTP

Wait for:

+CNTP: 1

6. Command sequence

AT+CNACT=1,"your_apn"
AT+CSSLCFG="sslversion",2,3
AT+CSSLCFG="ciphersuite",2,0X0035
AT+CSSLCFG="enableSNI",2,1
AT+CSSLCFG="convert",2,"root.crt"

AT+SMCONF="url","xxxxxx.s1.eu.hivemq.cloud",8883
AT+SMCONF="clientid","QuoCar_TEST_SSL_SIM7000"
AT+SMCONF="username","xxxx"
AT+SMCONF="password","xxxx"
AT+SMCONF="keepalive",60

AT+SMSSL=1,"root.crt",""
AT+SMCONN

7. Firmware

Older SIM7000 firmware cannot complete TLS 1.2 handshakes reliably.

Check version:

AT+CGMR

Recommended minimum:

  • SIM7000 R13+
  • Preferably LE20B04SIM7000G

Best,
Dasha from HiveMQ Team
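
The checklist in the reply above can be applied mechanically to a captured AT session. The following is an added example, not code from the thread or from HiveMQ or SIMCom: it reads a serial-monitor log and reports which of the reply's prerequisites (TLS version, SNI, CA conversion and mapping, clock, NTP) were not in place before AT+SMCONN. The function names, the sample log and the `CA_NOT_BEFORE` date are assumptions made for illustration; the cipher suite is not checked.

```python
import re
from datetime import datetime

PREFIX = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s*->\s*")  # serial-monitor timestamp
# Settings named in the reply's checklist
REQUIRED = ['AT+CSSLCFG="sslversion",2,3', 'AT+CSSLCFG="enableSNI",2,1',
            'AT+CSSLCFG="convert",2,"root.crt"', 'AT+SMSSL=1,"root.crt",""']

def result_of(lines, command):
    """Final result (OK/ERROR) of the last time `command` was sent, else None."""
    res = None
    for i, line in enumerate(lines):
        if line.lower() == command.lower():
            res = "no final result"
            for nxt in lines[i + 1:]:
                if nxt.upper().startswith("AT"):  # next command: stop looking
                    break
                if nxt in ("OK", "ERROR"):
                    res = nxt
                    break
    return res

def audit(log, ca_not_before):
    """Return findings for one captured session; an empty list means no gaps."""
    lines = [s for s in (PREFIX.sub("", r).strip() for r in log.splitlines()) if s]
    conn = next((i for i, s in enumerate(lines) if s.upper() == "AT+SMCONN"), len(lines))
    findings = []
    for cmd in REQUIRED:  # only settings applied before the connect attempt count
        res = result_of(lines[:conn], cmd)
        if res != "OK":
            findings.append(f"{cmd}: {res or 'not sent before AT+SMCONN'}")
    clk = re.search(r'\+CCLK: "(\d\d/\d\d/\d\d,\d\d:\d\d:\d\d)', log)
    if clk and datetime.strptime(clk.group(1), "%y/%m/%d,%H:%M:%S") < ca_not_before:
        findings.append(f"RTC {clk.group(1)} is earlier than the CA validity start")
    ntp = re.findall(r"\+CNTP: (\d+)", log)
    if ntp and ntp[-1] != "1":  # the reply waits for +CNTP: 1
        findings.append(f"NTP sync failed (+CNTP: {ntp[-1]})")
    return findings

CA_NOT_BEFORE = datetime(2015, 6, 4)  # assumed; read notBefore from your own root.crt
# Constructed session for illustration, not a capture from the thread.
SAMPLE = '''10:10:09.082 -> AT+CSSLCFG="sslversion",2,3
10:10:09.082 -> OK
10:10:13.542 -> AT+CSSLCFG="enableSNI",2,1
10:10:13.542 -> ERROR
10:11:00.445 -> AT+SMSSL=1,"root.crt",""
10:11:00.445 -> OK
10:11:03.253 -> AT+SMCONN
10:11:09.864 -> ERROR
10:12:00.617 -> +CCLK: "80/01/06,00:02:10+00"
10:12:36.266 -> +CNTP: 61'''
```

Calling `audit(SAMPLE, CA_NOT_BEFORE)` returns one finding per unmet prerequisite, in checklist order.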

Subject: SIM7000G MQTTS Connection Error with HiveMQ (AT+SMCONN ERROR)

Hello,

I am having trouble connecting my SIM7000G module to HiveMQ using MQTTS (SSL/TLS) on port 8883. Despite following the standard procedure, I keep receiving an “ERROR” on the connection attempt.

Device Information:

  • Hardware: T-SIM7000G

  • Firmware Revision: 1529B10SIM7000G

Procedures & Issues:

  1. MQTT Connection Failure: I configured the URL, Username, Password, and SSL settings using AT+SMCONF and AT+SMSSL. However, when I execute AT+SMCONN, it returns ERROR after a few seconds.

  2. NTP Synchronization Error: I tried to synchronize the time for SSL verification using AT+CNTP. Although AT+CCLK? shows a time, AT+CNTP returns +CNTP: 61, which indicates a network error.

    • AT+CCLK? → +CCLK: "26/01/05,10:12:00+36"

    • AT+CNTP → +CNTP: 61

  3. SNI Configuration Issue: I attempted to enable SNI using AT+CSSLCFG="enableSNI",2,1, but it returns ERROR. This command does not appear to be supported in my current AT command manual (V1.06). Interestingly, AT+CSSLCFG="sni",2,"..." returns OK, but I am not sure if it is functioning correctly without an “enable” command.

AT Logs:

10:09:40.539 -> AT+CNACT?

10:09:40.539 -> +CNACT: 1,"**.***.***.***"
10:09:40.539 -> 
10:09:40.539 -> OK
10:10:09.082 -> AT+CSSLCFG="sslversion",2,3

10:10:09.082 -> OK
10:10:12.168 -> AT+CSSLCFG="ciphersuite",2,0,0X0035

10:10:12.168 -> OK
10:10:25.836 -> AT+CSSLCFG="sni",2,"******************.s1.eu.hivemq.cloud"

10:10:25.836 -> OK
10:10:29.806 -> AT+CSSLCFG="convert",2,"root.crt"

10:10:29.840 -> OK
10:10:38.328 -> AT+SMCONF="URL","******************.s1.eu.hivemq.cloud",8883

10:10:38.328 -> OK
10:10:43.786 -> AT+SMCONF="USERNAME","*********"

10:10:43.786 -> OK
10:10:52.143 -> AT+SMCONF="PASSWORD","**********"

10:10:52.143 -> OK
10:10:57.352 -> AT+SMCONF="clientid","QuoCar_TEST_SSL_SIM7000"

10:10:57.352 -> OK
10:11:00.445 -> AT+SMSSL=1,"root.crt",""

10:11:00.445 -> OK
10:11:03.253 -> AT+SMCONN

10:11:09.864 -> ERROR
10:12:00.617 -> AT+CCLK?

10:12:00.617 -> +CCLK: "26/01/05,10:12:00+36"

10:11:03.253 -> AT+SMCONN
10:11:09.864 -> ERROR
...
10:12:36.232 -> AT+CNTP
10:12:36.266 -> +CNTP: 61
...
10:13:13.542 -> AT+CSSLCFG="enableSNI",2,1
10:13:13.542 -> ERROR

10:19:51.262 -> AT+CFSRFILE=3,"root.crt",0,1938,0
10:19:52.575 -> +CFSRFILE: 1938

Could you please advise if this is a firmware limitation or if I am missing a specific SSL configuration step for HiveMQ?