SIM7080 can't connect to HiveMQ Cloud

Hi there,

I’ve set up a free serverless plan to test things out, but my SIM7080 module won’t connect to HiveMQ Cloud.
I’ve already read the other related topics and I understand that I need the following to connect to HiveMQ Cloud:

Here are the AT commands I’m trying, but I always end up with an error when attempting the connection:

1) Importing the certificate into the module

AT+CFSINIT 
// open file system buffer

AT+CFSWFILE=3,isrgrootx1.pem,0,1939,10000
// here I upload the file and I'm getting an OK

AT+CSSLCFG="CONVERT",2,isrgrootx1.pem 
// this is to import the downloaded certificate into the SSL configuration. the "2" is for root CA - I tried with option "1" (for .crt certificates), but I'm always getting an error so I assume I should treat the downloaded server certificate as root CA, is that correct?

AT+CFSTERM // close file system buffer

2) Setting up the connection parameters

AT+CNACT=0,1 // activate APP network
AT+SMCONF="CLIENTID","SIM7080"
AT+SMCONF="URL","[ID].s2.eu.hivemq.cloud",8883
AT+SMCONF="USERNAME","[username]"
AT+SMCONF="PASSWORD","[password]"

3) setting up SSL and connecting

AT+CSSLCFG="sslversion",1,3
// TLS 1.2

AT+CSSLCFG="SNI",1,"[ID].s2.eu.hivemq.cloud"
// The SNI option is available for the SIM7080 but I found examples of some other Simcom modules that only need to "enable" SNI. For my module I need to enter a server name, so I input the exact same URL as my cluster's including my ID, is that ok?

AT+SMSSL=1,"isrgrootx1.pem",""
// first quotes are for the root CA - second quotes are for the .crt certificate and it should technically come with a private key, so I leave it empty since I couldn't convert the server certificate as such earlier... is that OK too?

AT+SMCONN
// here I'm always getting +CME ERROR: operation not allowed

What am I doing wrong exactly? or are any commands missing?
Your help will be greatly appreciated, thank you!

Hi @antagonys

Hearty welcome to the HiveMQ Community! Your interest in MQTT and the HiveMQ broker is much appreciated. We’re always happy to see new users like you.

Thank you for providing detailed information about your setup. Before delving into the SSL-related issues, let’s try to confirm if the module is able to establish a connection without SSL. This will help us isolate whether the problem lies in the SSL configuration or if there might be other issues.

Could you please attempt to establish a connection from your device without SSL by using the public HiveMQ broker? You can use the hostname “broker.hivemq.com”, port 1883, topic “test”

If the connection without SSL works successfully, it would indicate that the issue might be related to the SSL configuration. If you encounter any errors or issues during this non-SSL connection attempt, please provide the details.

Additionally, take a look at another user’s successful connection example to the SIM7600. While it’s not the exact model as yours, the example might offer useful insights. You can find the example here: “Cert issue when connecting to Cloud Hive instance - #28 by droidblast”.

Feel free to update us on the results of the non-SSL connection attempt, and we’ll proceed from there to troubleshoot any SSL configuration issues. Your participation in the community is highly valued, and we’re here to assist you every step of the way.

Warm regards,
Dasha from HiveMQ Team

Hi Dasha,

Thank you for your reply!
I am able to connect to “broker.hivemq.com”, port 1883 without issue.

So the problem must indeed be related to the SSL configuration.

One other thing.
Here is the MQTTS documentation for the SIM7080 module
As you can see at points 5.2 and 5.3.2 (MQTTS examples), they’re using 3 files for the TLS connection:

  • the root CA (in our case that’s isrgrootx1.pem)
  • the client certificate
  • the client’s private key

I read that you’re doing a one way handshake and so HiveMQ doesn’t require the last 2 files, but maybe my module does.
I just found this topic where Diego suggested to add those files to the modules and use them for the TLS handshake anyway. The topic was not resolved and the module is from a different brand than mine, but maybe it applies too. If so, how can I generate those 2 files? I tried to follow Diego’s process, installed openssl, but I’m getting to a series of questions and I never get the certificates at the end…

Thanks again for your assistance!

Update: I managed to get the 2 files client.pem and user_key.pem.

After downloading them into the module, I converted them with:
AT+CSSLCFG="CONVERT",1,"client.pem","user_key.pem"
Then the root CA like before:
AT+CSSLCFG="CONVERT",2,"isrgrootx1.pem"
and then ran
AT+SMSSL=1,"isrgrootx1.pem", "client.pem"

I left out user_key.pem in the last command because they say user_key.pem is somehow combined with client.pem after the convert command, so no need to add it there. Anyway, I can only add 2 certs in this command, and in the doc they say it should be the CA root cert and the client cert.

But after AT+SHCONN I’m still getting the same error.

To recap:

  • I added isrgrootx1.pem as well as client.pem and user_key.pem in the SSL config, but it didn’t change the outcome. Did I do this correctly though?
  • For the hostname of the SNI, I entered the URL of my cluster, is it correct? Or should I enter something else?
  • I set the SSL version to TLS 1.2, is it correct?
  • I enabled ignorertctime, is it correct?
  • I left the ciphersuite set by default, but should I select a cipher among a specific list?
  • for the clientId I just entered random characters. Is there a rule like the ID has to be unique or set to a specific format?
  • for the URL, I set the one from my dashboard in the field “Cluster” with port 8883, is that correct? Or should I enter the one in the field TLS URI (the address that ends with /mqtt?)
  • Then the username and password and that’s it, is there anything missing?

Besides this issue, the SIM7080 is a quite nice and low cost module with LTE-M/NB-Iot and GPS.
Solving this will certainly help a lot of other people too, so thanks again for your help.

Hello @antagonys ,

Thank you for the follow-up - based on the details provided here and within the documentation, it looks like we may be able to utilize just the root certificate (isrgrootx1.pem) rather than having to generate client certificates and client keys from the root certificate.

It looks like the implementation is as follows :

AT+CSSLCFG="convert",2,"isrgrootx1.pem"
OK
AT+SHSSL=1,"isrgrootx1.pem"
OK

There are a few additional caveats here that may be causing trouble along the way - namely that the certificate must first be uploaded to the module once for implementation. Additionally, the modem clock could be causing certificate authentication to fail, as it may wrongfully read certificates as expired. This can be validated using the command AT+CCLK?. This will provide the current modem date/time.

Additionally, SNI (Server name indicator) is required for TLS connectivity to the HiveMQ Cloud. I do believe the SIM7080 has support for SNI, and can be configured with AT+CSSLCFG=. This will need to be utilized as well for successful connectivity.

Now, as for your bulleted questions :

  • I added isrgrootx1.pem as well as client.pem and user_key.pem in the SSL config, but it didn’t change the outcome. Did I do this correctly though?

Based on the provided details above, I believe only the root certificate should be required, though this may differ depending on device configuration.

  • For the hostname of the SNI, I entered the URL of my cluster, is it correct? Or should I enter something else?

Based upon the SIM7080 AT Command documentation, the host name of the server to connect to should be input here - in this case, your cloud broker address, correct.

  • I set the SSL version to TLS 1.2, is it correct?

TLS 1.2 and 1.3 are both supported.

  • I enabled ignorertctime, is it correct?

If the command AT+CSSLCFG="ignorertctime",1,1 is used, it will prevent the connecting client from validating the expiry date of the broker certificate. This can allow devices to connect when their local clock is incorrect, in some cases, but prevents this additional layer of security.

  • I left the ciphersuite set by default, but should I select a cipher among a specific list?

All supported cipher suites can be validated here, within our documentation.

  • for the clientId I just entered random characters. Is there a rule like the ID has to be unique or set to a specific format?

The client ID is defined by the MQTT protocol standard - specifics about client IDs can be found within the protocol specification here.

  • for the URL, I set the one from my dashboard in the field “Cluster” with port 8883, is that correct? Or should I enter the one in the field TLS URI (the address that ends with /mqtt?)

Typically, the cluster URL with the port is enough to establish connectivity, though this is dependent on the library in use - I would refer to the MQTT library utilized for this connection attempt to validate the exact requirements for the URL field.

  • Then the username and password and that’s it, is there anything missing?

No, the username, password, host, port, and TLS certificates should be all that is required! One additional item that may be worth checking : utilizing the built-in web client to validate the functionality of created credentials - this will allow us to be sure that the credentials used when testing TLS are known and functional as expected.

Best,
Aaron from the HiveMQ Team
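
The modem-clock check described above, as an added example (not part of the original reply and not HiveMQ or SIMCom code): it parses an `AT+CCLK?` response and classifies the modem time against a certificate validity window. The validity dates and sample responses are constructed, and mapping years 80-99 to 19xx is an assumption about an unset modem clock.

```python
import re
from datetime import datetime, timedelta, timezone

CCLK_RE = re.compile(
    r'\+CCLK:\s*"(\d{2})/(\d{2})/(\d{2}),(\d{2}):(\d{2}):(\d{2})([+-]\d{2})"')

def parse_cclk(response):
    """Return the modem time from an AT+CCLK? response as an aware UTC datetime."""
    m = CCLK_RE.search(response)
    if not m:
        raise ValueError("no +CCLK line in response")
    yy, mo, dd, hh, mi, ss = (int(g) for g in m.groups()[:6])
    # Assumption: two-digit years 80-99 mean 19xx (an unset modem RTC),
    # everything else means 20xx.
    year = 1900 + yy if yy >= 80 else 2000 + yy
    # 3GPP TS 27.007: the zone field counts quarter-hours from GMT, not hours,
    # so "+08" is UTC+2.
    offset = timedelta(minutes=15 * int(m.group(7)))
    local = datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)

def clock_verdict(response, not_before, not_after):
    """Classify the modem clock against a certificate validity window."""
    now = parse_cclk(response)
    if now < not_before:
        return "not-yet-valid"  # modem clock is behind the certificate's start date
    if now > not_after:
        return "expired"        # modem clock is past the certificate's end date
    return "ok"

# Constructed validity window and responses (not the broker's real certificate).
NOT_BEFORE = datetime(2023, 11, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2024, 1, 30, tzinfo=timezone.utc)
SAMPLES = [
    '+CCLK: "23/12/08,01:00:00+08"\r\n\r\nOK',  # clock has been set
    '+CCLK: "80/01/06,00:03:12+00"\r\n\r\nOK',  # clock never set
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_cclk(s).isoformat(), clock_verdict(s, NOT_BEFORE, NOT_AFTER))
```

A "not-yet-valid" or "expired" verdict points at the clock rather than the certificate files; correcting the clock keeps expiry validation in place, which the ignorertctime setting would switch off.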

Hi Aaron,

Thanks very much for your detailed reply.
I tried all your suggestions, but unfortunately I’m still unable to log in.

Regarding AT+SHSSL with just the root certificate:
After checking the manual, this command seems to be designed for the HTTPS method. They say the one for MQTTS is AT+SMSSL, and it’s supposed to carry both the root and client certificates (the module throws an error when I’m trying to remove the last pair of quotes - I can leave it empty though).

I also tested my username and password in the web client, they work fine.

Here is my full set of commands, do you see anything else I could be trying?

1) downloading and converting the root certificate

AT+CFSINIT
// OK

AT+CFSWFILE=3,"isrgrootx1.pem",0,1939,10000
// downloading the root certificate into the module
// OK

AT+CSSLCFG="CONVERT",2,"isrgrootx1.pem"
// converting the root certificate
//OK

AT+CFSTERM
// OK

2) setting up the connection parameters

AT+SMCONF="CLIENTID","[23 random alphanumerical characters]"
// OK

AT+SMCONF="URL","[Cluster ID].s2.eu.hivemq.cloud",8883
// OK

AT+SMCONF="USERNAME","[my username, tested in the web client]"
// OK

AT+SMCONF="PASSWORD","[my password, tested in the web client]"
//OK

3) Setting up SSL and connecting

AT+CCLK="23/12/08,01:00:00+08"
// set clock
// OK

AT+CNACT=0,1
// start APP network
// OK

AT+CSSLCFG="sslversion",1,3
// TLS 1.2
// OK

AT+CSSLCFG="SNI",1,"[Cluster ID].s2.eu.hivemq.cloud"
// set SNI
// OK

AT+CSSLCFG="CIPHERSUITE",1,0,"0xC02C"
// set cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
// OK

AT+SHSSL=1,"isrgrootx1.pem"
// OK
// here I also tried AT+SHMSSL=1,"isrgrootx1.pem","" (with empty client certificate - when I try to remove the last pair of quotes it throws an error)
// and also AT+SHMSSL=1,"isrgrootx1.pem","client.pem" (with the extra client certificate, after conversion together with user_key.pem)

AT+SMCONN
// +CME ERROR: Operation not allowed

Hello @antagonys

I’m not very familiar with the SIM7080 device but I have some suggestions to share.

  1. Remove the line “AT+CSSLCFG="CONVERT",2,"isrgrootx1.pem"”; it’s not needed since the certificate is already in PEM format.

  2. The error “+CME ERROR: Operation not allowed” is very generic; it could be related to the device itself or a network issue. Change this line “AT+CSSLCFG="CIPHERSUITE",1,0,"0xC02C"” to “AT+CSSLCFG="CIPHERSUITE",1,0,"0xC02F"” and see if you get a different error message.

Kind regards,
Diego from HiveMQ Team