Unable to connect with cluster

Hello.

I’m working with free cluster: 9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud

I'm able to connect to the cluster with MQTT.fx, communicate etc., so everything works fine.
I also have my IoT device with Quectel's modem and I can open the port, but when I try to connect there is a problem: the broker rejects the connection.
Should I use a CA certificate? Is this necessary, or could it be a wrong configuration of the modem connection parameters?
Is there any place where I can download that certificate, or should I create it myself?

Hello @m.matejkowski,

Thank you for your interest in MQTT and HiveMQ!

What error do you observe with your device? If the issue is due to the CA certificate, you can download the CA certificate and retry.

If the issue still persists, please share the error details with us so we can take a look.

Kind regards,
Sheetal from HiveMQ team


AT+QFDWL="isrgrootx1.pem"

CONNECT
-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----

+QFDWL: 1939,4f64

OK

AT+QMTCFG="ssl",0,1,2

OK
AT+QSSLCFG="cacert",2,"isrgrootx1.pem"

OK
AT+QSSLCFG="seclevel",2,1

OK
AT+QSSLCFG="sslversion",2,4

OK
AT+QSSLCFG="ignorelocaltime",2,1

OK
AT+QSSLCFG="sni",2,1

OK
AT+QSSLCFG="ciphersuite",2,0XFFFF

OK
AT+QMTOPEN=0,"9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud",8883

OK
<0>
+QMTOPEN: 0,0
AT+QMTCONN=0,"BG96_UART","Johny","johny123"

OK
<0>
+QMTCONN: 0,0,5

+QMTSTAT: 0,4

Additional info:
+QMTCONN: 0,0,5

So 5 is the ret_code (Integer type), the returned code of the connection status:
0 Connection Accepted
1 Connection Refused: Unacceptable Protocol Version
2 Connection Refused: Identifier Rejected
3 Connection Refused: Server Unavailable
4 Connection Refused: Bad User Name or Password
5 Connection Refused: Not Authorized

Hello Michal,

First, please make sure that you are using the latest firmware version of the BG96 modem.

Unfortunately, since I don't have a Quectel BG96 modem to troubleshoot the issue from my side, I just checked some official documents such as "Quectel BG96 MQTT Application Note" and "Quectel BG96 SSL Application Note".

References: https://www.quectel.com/wp-content/uploads/2021/03/Quectel_BG96_MQTT_Application_Note_V1.2.pdf and https://www.quectel.com/wp-content/uploads/2021/03/Quectel_BG96_SSL_Application_Note_V1.1.pdf

There is an explicit note in the documentation:

If the MQTT connection is configured to SSL mode, [ctxindex] must exist. In addition, AT+QSSLCFG is needed to configure the SSL version, cipher suite, secure level, CA certificate, client certificate, client key and ignorance of RTC time, which is used in MQTT SSL handshake procedure.

Based on that I have created the AT commands below; you should be able to connect to HiveMQ Cloud by using these commands. If you still face connection issues, I would suggest you capture a network packet dump while trying to connect to HiveMQ Cloud from this device for further analysis.

# Set the MQTT SSL mode and/or SSL context index
# +QMTCFG: "ssl",<client_idx>[,<SSL_enable>[,<ctxindex>]]
AT+QMTCFG="ssl",0,1,2


# Configure CA certificate. In HiveMQ Cloud you need to specify a trusted certificate parameter
# You can download this cert from https://letsencrypt.org/certs/isrgrootx1.pem
# +QSSLCFG: "cacert",<SSL_ctxID>,<cacertpath>
AT+QSSLCFG="cacert",2,"isrgrootx1.pem"


# Enable Server Name Indication feature. Required for HiveMQ Cloud Broker (Free and Pay As You Go)
# +QSSLCFG: "sni",<SSL_ctxID>,<SNI>
AT+QSSLCFG="sni",2,1


# SSL authentication mode
# 0 - No authentication
# 1 - Manage server authentication
# 2 - Manage server and client authentication if requested by the remote server
# +QSSLCFG: "seclevel",<SSL_ctxID>,<seclevel>
AT+QSSLCFG="seclevel",2,2


# SSL authentication version
# 0 - SSL3.0
# 1 - TLS1.0
# 2 - TLS1.1
# 3 - TLS1.2
# 4 - All
# +QSSLCFG: "sslversion",<SSL_ctxID>,<SSL_version>
AT+QSSLCFG="sslversion",2,3


# Supported SSL Cipher Suites. HiveMQ default cipher suites supported https://www.hivemq.com/docs/hivemq/4.12/user-guide/security.html#cipher-suites
# 0X0035 - TLS_RSA_WITH_AES_256_CBC_SHA
# 0X002F - TLS_RSA_WITH_AES_128_CBC_SHA
# 0X0005 - TLS_RSA_WITH_RC4_128_SHA
# 0X0004 - TLS_RSA_WITH_RC4_128_MD5
# 0X000A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# 0X003D - TLS_RSA_WITH_AES_256_CBC_SHA256
# 0XC011 - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# 0XC012 - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# 0XC013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# 0XC014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# 0XC027 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# 0XC028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
# 0XC02F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# 0XFFFF - Support all cipher suites above
# +QSSLCFG: "ciphersuite",<SSL_ctxID>,<cipher_suites>
AT+QSSLCFG="ciphersuite",2,0x0035


# Ignore the time of authentication
# +QSSLCFG: "ignorelocaltime",<SSL_ctxID>,<ignore_ltime>
AT+QSSLCFG="ignorelocaltime",2,1


# Start MQTT SSL connection
# +QMTOPEN: <client_idx>,<host_name>,<port>
# <client_idx> MQTT socket identifier. Range: 0-5
AT+QMTOPEN=0,"9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud",8883


# Connect to MQTT server
# +QMTCONN: <client_idx>,<clientID>,<username>,<password>
# <client_idx> MQTT socket identifier. Range: 0-5
AT+QMTCONN=0,"BG96_UART","Johny","johny123"

Best regards,
Diego from HiveMQ Team


Diego.
Thanks for the advice.
As you said: "Based on that I have created the AT commands below; you should be able to connect to HiveMQ Cloud by using these commands. If you still face connection issues, I would suggest you capture a network packet dump while trying to connect to HiveMQ Cloud from this device for further analysis."
How do I do that? Is there any tool for capturing these network packets?

Hello Michal,

You're welcome! Normally I recommend Wireshark for Windows and tcpdump for Linux, but in your case I believe it's not an easy task to intercept these network packets, since the modem module communicates directly with the mobile/cellular network. You can enable verbose logging by using the AT command (AT+CMEE=2) and see if you get any additional network error message information.

You can also try to connect to the HiveMQ public broker without SSL and see if you are able to connect (sample below).

AT+QMTOPEN=0,"broker.hivemq.com",1883
AT+QMTCONN=0,"BG96_UART"

Best regards,
Diego from HiveMQ Team


Dear Diego thanks.

AT+QMTOPEN=0,"broker.hivemq.com",1883

OK

+QMTOPEN: 0,0
AT+QMTCONN=0,"BG96_UART"

OK

+QMTCONN: 0,0,0

I'm able to connect without SSL, as you can see above, and I'm also wondering if (in my case with SSL) the problem may be the absence of these two commands:

AT+QSSLCFG="clientcert",<SSL_ctxID>[,<client_cert_path>]

AT+QSSLCFG="clientkey",<SSL_ctxID>[,<client_key_path>]

Should I use any of these?

Hello Michal,

Maybe we forgot these; in their official documentation, "Example of MQTT Operation with SSL", they mention the CA certificate, CC certificate and CK certificate.

AT+QSSLCFG="cacert",2,"cacert.pem"
AT+QSSLCFG="clientcert",2,"client.pem"
AT+QSSLCFG="clientkey",2,"user_key.pem"

It seems we are close to understanding where the problem is. Can you please list all the files stored in UFS with the command below and share the results?

AT+QFLST="*"

Best regards,
Diego from HiveMQ Team


Diego, these are all the listed files:

AT+QFLST="*"

+QFLST: "isrgrootx1.pem",1939
+QFLST: "security/",2

OK

I am using a Quectel modem and I had the same issue. You need to make sure the modem reads the certificate correctly. I am using a BC66, and I had to send it the certificate one line at a time with a 0.5 ms delay. Here is my output:

b'at+qsslcfg=1,5,"cacert"\r\r\n'
b'>\r\n'
wrote 1452 bytes for cert
b'\r\n'
b'+QSSLCFG: 1,5,"cacert",1452\r\n'
b'\r\n'
b'OK\r\n'
sending at+qsslcfg=1,5,"seclevel",1

Make sure that the number of bytes you send is what it reports back.


Here is a link to my code, which uses a Raspberry Pi Pico to send the instructions to the BC66.

The one other thing to be aware of is that HiveMQ is using SNI. The older version of the BC66 didn't support it. In the new versions they do. I have not looked at the BG96, but there may be a command like:

QSSLCFG: ,,"sni",<sni_enable>


Diego

I downloaded cacert from the HiveMQ website:
AT+QSSLCFG="cacert",2,"isrgrootx1.pem"
+QFLST: "isrgrootx1.pem",1939

but how do I create these files:
AT+QSSLCFG="clientcert",2,"client.pem"
AT+QSSLCFG="clientkey",2,"user_key.pem"
?
Or maybe it is not necessary to create them, because it is possible to download the clientcert and clientkey from the HiveMQ website as well?

Are these two files (clientcert, clientkey) really needed?

Hello Michal,

Based on the documentation and on some samples that I saw on the internet, these two files are needed for the MQTT TLS handshake on this device.

There are different options depending on your use case and capabilities, but you can generate a Client certificate and Client Key certificate for PEM-based clients by using the sample command below:

openssl req -x509 -newkey rsa:2048 -keyout user_key.pem -out client.pem -nodes

I have created the sample certificates for testing purposes and updated the AT command sequence; please give it a new try using the commands below.

# Remove the "isrgrootx1.pem" file previously created on the device
AT+QFDEL="isrgrootx1.pem"


# Set the MQTT SSL mode and/or SSL context index
# +QMTCFG: "ssl",<client_idx>[,<SSL_enable>[,<ctxindex>]]
AT+QMTCFG="ssl",0,1,2


# Upload/Store CA certificate to UFS
# In HiveMQ Cloud you need to specify a trusted certificate parameter
# You can download this cert from https://letsencrypt.org/certs/isrgrootx1.pem
# +QFUPL: <filename>[,<file_size>[,<timeout>[,<ackmode>]]]
AT+QFUPL="cacert.pem",1938,100

<Input the cacert.pem data; make sure the byte size matches the file length>

-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----

# Upload/Store CC certificate and CK certificate to UFS
# Generate Client certificate and Client Key certificate for PEM-based clients
# openssl req -x509 -newkey rsa:2048 -keyout user_key.pem -out client.pem -nodes
# +QFUPL: <filename>[,<file_size>[,<timeout>[,<ackmode>]]]
AT+QFUPL="client.pem",1093,100

<Input the client.pem data; make sure the byte size matches the file length>

-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----


AT+QFUPL="user_key.pem",1703,100

<Input the user_key.pem data; make sure the byte size matches the file length>

-----BEGIN PRIVATE KEY-----
<private key body omitted>
-----END PRIVATE KEY-----

# Configure CA certificate, CC certificate and CK certificate
# +QSSLCFG: "cacert",<SSL_ctxID>,<cacertpath>
# +QSSLCFG: "clientcert",<SSL_ctxID>,<client_cert_path>
# +QSSLCFG: "clientkey",<SSL_ctxID>,<client_key_path>
AT+QSSLCFG="cacert",2,"cacert.pem"
AT+QSSLCFG="clientcert",2,"client.pem"
AT+QSSLCFG="clientkey",2,"user_key.pem"


# Enable Server Name Indication (SNI) extension. Required for HiveMQ Cloud Broker (Free and Pay As You Go)
# Whether to enable server name indication feature, currently, the only server names supported are DNS hostnames.
# 0 - Disable server name indication
# 1 - Enable server name indication
# +QSSLCFG: "sni",<SSL_ctxID>,<SNI>
AT+QSSLCFG="sni",2,1


# SSL authentication mode
# 0 - No authentication
# 1 - Manage server authentication
# 2 - Manage server and client authentication if requested by the remote server
# +QSSLCFG: "seclevel",<SSL_ctxID>,<seclevel>
AT+QSSLCFG="seclevel",2,2


# SSL authentication version
# 0 - SSL3.0
# 1 - TLS1.0
# 2 - TLS1.1
# 3 - TLS1.2
# 4 - All
# +QSSLCFG: "sslversion",<SSL_ctxID>,<SSL_version>
AT+QSSLCFG="sslversion",2,3


# Supported SSL Cipher Suites. HiveMQ default cipher suites supported https://www.hivemq.com/docs/hivemq/4.12/user-guide/security.html#cipher-suites
# 0X0035 - TLS_RSA_WITH_AES_256_CBC_SHA
# 0X002F - TLS_RSA_WITH_AES_128_CBC_SHA
# 0X0005 - TLS_RSA_WITH_RC4_128_SHA
# 0X0004 - TLS_RSA_WITH_RC4_128_MD5
# 0X000A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# 0X003D - TLS_RSA_WITH_AES_256_CBC_SHA256
# 0XC011 - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# 0XC012 - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# 0XC013 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# 0XC014 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# 0XC027 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# 0XC028 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
# 0XC02F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# 0XFFFF - Support all cipher suites above
# +QSSLCFG: "ciphersuite",<SSL_ctxID>,<cipher_suites>
AT+QSSLCFG="ciphersuite",2,0xFFFF


# Ignore the time of authentication
# +QSSLCFG: "ignorelocaltime",<SSL_ctxID>,<ignore_ltime>
AT+QSSLCFG="ignorelocaltime",2,1


# Start MQTT SSL connection
# +QMTOPEN: <client_idx>,<host_name>,<port>
# <client_idx> MQTT socket identifier. Range: 0-5
AT+QMTOPEN=0,"9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud",8883


# Connect to MQTT server
# +QMTCONN: <client_idx>,<clientID>,<username>,<password>
# <client_idx> MQTT socket identifier. Range: 0-5
AT+QMTCONN=0,"BG96_UART","Johny","johny123"

Best regards,
Diego from HiveMQ Team


Diego, thank you for the advice.
AT+QFLST="*"

+QFLST: "cacert.pem",1938
+QFLST: "client.pem",1093
+QFLST: "security/",2
+QFLST: "user_key.pem",1703

OK
AT+QMTCFG="ssl",0,1,2

OK
AT+QSSLCFG="seclevel",2,2

OK
AT+QSSLCFG="sslversion",2,4

OK
AT+QSSLCFG="ignorelocaltime",2,1

OK
AT+QSSLCFG="sni",2,1

OK
AT+QSSLCFG="ciphersuite",2,0xFFFF

OK
AT+QSSLCFG="cacert",2,"cacert.pem"

OK
AT+QSSLCFG="clientcert",2,"client.pem"

OK
AT+QSSLCFG="clientkey",2,"user_key.pem"

OK
AT+QMTOPEN=0,"9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud",8883

OK
<0>
+QMTOPEN: 0,-1

I have created the files, but still nothing. I will try to update the firmware in my BG96 modem and then we will see the results.

Best Regards

Hello Michal,

As I mentioned in my first post, updating the firmware to the latest version would be good to get rid of any SSL/TLS implementation bug on this device.

The last response error code changed: +QMTOPEN: 0,-1

I have made some tests using the Paho Python MQTT client and I'm able to connect to my HiveMQ Cloud instance, so I'm discarding the possibility of something being wrong with these certificate files.

In theory you should be able to connect just by uploading the trusted CA certificate (cacert.pem) to the modem module.

You can also try querying the DNS server configured on this device and check whether you are able to resolve the HiveMQ Cloud domain name to an IP address.

AT+QIDNSGIP=1,"9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud"

Other than that I'm running out of ideas. You can also reach out to Quectel support and try to get some help: Technical Support | Quectel

Best regards,
Diego from HiveMQ Team


Dear Diego.

Are cacert.pem, client.pem and user_key.pem responsible for correctly opening, or for correctly connecting to the broker?
I now have the newest BG96 firmware version and I'm able to open but cannot connect.

AT+QMTOPEN=0,"9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud",8883

OK

+QMTOPEN: 0,0
AT+QMTCONN=0,"BG96_UART"

OK

+QMTCONN: 0,0,5

AT+QIDNSGIP=1,"9d52b5d026654fc4b6057be2b55bc5f1.s2.eu.hivemq.cloud"
OK
+QIURC: "dnsgip",0,1,600
+QIURC: "dnsgip","20.79.70.109"
Diego, I can dnsgip.

Additionally:

Why does the cacert.pem have 1785 bytes in this case?

Is it that the Amazon server, from the MQTT Application Note for BG96 example, requires a specific certificate?
I'm trying to connect with HiveMQ. Should the certificate be this length (1785 bytes)?
Should I create another CA certificate for the connection with HiveMQ?

Hello Michal,

Unfortunately, we are unable to provide you with any specific information regarding AWS certificate as we have no knowledge of the products offered by them.

The certificate size seems OK; the byte length of the trusted CA certificate (cacert.pem) in the last AT command sequence I shared is correct.

How are you uploading those certificates? Are you connecting to this modem module via UART directly on the terminal emulator?

Please share the results of the following command:

AT+QFDWL="cacert.pem"


Dear Diego

I’m connecting with modem via UART directly (QCOM).

Here it is:

AT+QFDWL="cacert.pem"

CONNECT
-----BEGIN CERTIFICATE-----
<certificate body omitted>
+QFDWL: 1938,1312

OK

@m.matejkowski

It seems you are missing some parts of the CA certificate.

Best regards,
Diego from HiveMQ Team

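As an added example (not code from this thread, from Quectel or from HiveMQ), a small host-side Python helper for the two checks raised above: the BC66 poster's "make sure the number of bytes you send is what the modem reports back", and the incomplete cacert.pem that AT+QFDWL revealed in the last reply. It assumes Quectel's 16-bit XOR file checksum as I read it from the FILE command manual (verify against your own modem's +QFUPL/+QFDWL output), and the sample PEM is constructed, not a real certificate.

```python
import re

# Constructed sample, not a real certificate: only the PEM shape matters here.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              b"MIIBconstructedNotARealCertificateBodyAAAA\r\n"
              b"-----END CERTIFICATE-----\r\n")

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n"
                       rb"((?:[A-Za-z0-9+/=]+\r?\n)+)-----END ([A-Z ]+)-----")

def quectel_checksum(data: bytes) -> int:
    """16-bit XOR over 2-byte words; an odd trailing byte forms the high byte.
    Assumption: my reading of Quectel's FILE manual, check it against your modem."""
    cs = 0
    for i in range(0, len(data), 2):
        lo = data[i + 1] if i + 1 < len(data) else 0
        cs ^= (data[i] << 8) | lo
    return cs

def pem_problems(data: bytes) -> list[str]:
    """Structural check: one complete BEGIN line, base64 body and matching END line."""
    m = PEM_BLOCK.search(data)
    if not m:
        return ["no complete PEM block (BEGIN line, base64 body, END line)"]
    if m.group(1) != m.group(3):
        return ["BEGIN and END labels differ"]
    return []

def upload_args(data: bytes) -> tuple[int, str]:
    """<file_size> for AT+QFUPL=<name>,<file_size>,<timeout> and the checksum the
    modem should echo in its +QFUPL: <size>,<checksum> reply."""
    return len(data), f"{quectel_checksum(data):04x}"

def verify_download(response: bytes, expected: bytes) -> list[str]:
    """Check an AT+QFDWL transcript (CONNECT ... +QFDWL: <size>,<checksum>) against
    the file we meant to store; empty list means the modem's copy is byte-identical."""
    m = re.search(rb"CONNECT\r?\n(.*?)\r?\n(?:\r?\n)?\+QFDWL: (\d+),([0-9a-fA-F]+)",
                  response, re.S)
    if not m:
        return ["no 'CONNECT ... +QFDWL: <size>,<checksum>' in the response"]
    body, size, cs = m.group(1), int(m.group(2)), int(m.group(3), 16)
    problems = pem_problems(body)
    if size != len(expected):
        problems.append(f"size mismatch: modem reports {size}, file is {len(expected)} bytes")
    if cs != quectel_checksum(expected):
        problems.append(f"checksum mismatch: modem {cs:04x}, file {quectel_checksum(expected):04x}")
    if body.rstrip(b"\r\n") != expected.rstrip(b"\r\n"):
        problems.append("stored bytes differ from the file (truncated or altered)")
    return problems
```

Run pem_problems and upload_args on the PEM before AT+QFUPL, then feed the raw AT+QFDWL output to verify_download before configuring AT+QSSLCFG; a non-empty list means re-upload rather than debugging the TLS handshake.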