Bg95-m5 mqtt aws : +qmtopen: 0,-1

Hello,

I am developing a product using the BG95-M5 and I would like to use MQTT with Amazon AWS.

Here are the AT commands I send as well as the modem answers:

AT+QMTCFG="SSL",0,1,2
OK

AT+QMTCFG="version",0,4
OK

AT+QFDEL="*"
OK

AT+QFUPL="cacert.pem",1189,100
CONNECT
<AWS_CA_cert.pem>
+QFUPL: 1189,2d13
OK

AT+QFUPL="client.pem",1221,100
CONNECT
<private_key.pem>
+QFUPL: 1221,21c
OK

AT+QFUPL="user_key.pem",1680,100
CONNECT
<certificate.pem>
+QFUPL: 1680,57
OK

AT+QSSLCFG="cacert",2,"cacert.pem"
OK

AT+QSSLCFG="clientcert",2,"client.pem"
OK

AT+QSSLCFG="clientkey",2,"user_key.pem"
OK

AT+QSSLCFG="seclevel",2,2
OK

AT+QSSLCFG="sslversion",2,4
OK

AT+QSSLCFG="ciphersuite",2,0XFFFF
OK

AT+QSSLCFG="ignorelocaltime",2,1
OK

AT+CPIN?
+CPIN: READY
OK

AT+CMEE=2
OK

AT+COPS?
+COPS: 0,0,"Orange F",0
OK

AT+CREG?
+CREG: 0,5
OK

AT+QICSGP=1,1,"Orange F","","",1
OK

AT+QIACT=1
OK

AT+QIACT?
+QIACT: 1,1,1,"10.160.151.51"
OK
OK

AT+QMTOPEN=0,"********-ats.iot.us-east-1.amazonaws.com",8883
+QMTOPEN: 0,-1
ERROR

I have tried different line endings for my certificates (\n, \r and \r\n) and none works for me. Can you give details about the exact format for the certificates? Or else, do you have an idea why I cannot open the MQTT connection?

Thank you in advance
Augustin

Try this CA root:
https://opensource.apple.com/source/Heimdal/Heimdal-172.29/lib/hx509/data/sf-class2-root.pem.auto.html

Thank you for your answer.

I replaced the CA certificate with this one and I still get the same error. I tried it with all line endings (\r\n, \n and \r):
+QMTOPEN: 0,-1

To be precise, I am able to use MQTT with my personal broker and no encryption, so my problem does not come from the network configuration.

#define CA_CERT \
"-----BEGIN CERTIFICATE-----\n" \
"-----END CERTIFICATE-----\n"

#define PRIVATE_KEY \
"-----BEGIN RSA PRIVATE KEY-----\n" \
"-----END RSA PRIVATE KEY-----\n"

#define CERTIFICAT \
"-----BEGIN CERTIFICATE-----\n" \
"-----END CERTIFICATE-----\n"

Here is the definition of my certificates. I checked that they are correctly loaded to the modem and that their length is also correct.

AWS generates keys with 0x10 (\n).
The module parses certificates with \n and \r\n without problems.
Qualcomm chipset/SDK SSL works:

  1. only with ca_root
  2. all 3 certs (ca, cert, key)
    It cannot work with only client cert + key, without the CA (I do not have info about new firmware versions)

I found out the answer. We have to send the certificates to the modem before sending the command
AT+QMTCFG="SSL",0,1,2
otherwise it does not manage to link them properly with the AT+QSSLCFG command.

Thank you for your answer,
Augustin
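
The ordering rule from the last post, as a pre-flight check on a command list before it is sent to the modem. This is an added example, not code from the thread or from Quectel: the `lint` function, the stand-in payloads and the step numbering are constructed here, and it also checks that each AT+QFUPL length matches the bytes actually sent, since that length changes with the line ending used.

```python
import re

FUPL = re.compile(r'AT\+QFUPL="([^"]+)",(\d+)(?:,\d+)?')
SSLFILE = re.compile(r'AT\+QSSLCFG="(cacert|clientcert|clientkey)",(\d+),"([^"]+)"')
# As used in the thread: AT+QMTCFG="SSL",<client>,1,<SSL context>
BIND = re.compile(r'AT\+QMTCFG="SSL",(\d+),1,(\d+)', re.IGNORECASE)

def lint(commands, payloads):
    """Return ordering/length problems for a BG95 TLS-MQTT command list.
    payloads maps each uploaded file name to the bytes sent after CONNECT."""
    problems, uploaded, bound = [], set(), {}
    for n, cmd in enumerate(commands, 1):
        if m := BIND.fullmatch(cmd):
            bound[m.group(2)] = n  # SSL context -> step where MQTT bound it
        elif m := FUPL.fullmatch(cmd):
            name, declared = m.group(1), int(m.group(2))
            actual = len(payloads.get(name, b""))
            if actual != declared:
                problems.append(f"step {n}: {name} declared {declared} bytes, payload is {actual}")
            if bound:
                problems.append(f'step {n}: {name} uploaded after AT+QMTCFG="SSL"')
            uploaded.add(name)
        elif m := SSLFILE.fullmatch(cmd):
            role, ctx, name = m.groups()
            if name not in uploaded:
                problems.append(f"step {n}: {role} points at {name}, which is not uploaded yet")
            if ctx in bound:
                problems.append(f"step {n}: {role} set after context {ctx} was bound at step {bound[ctx]}")
    return problems

# Constructed stand-in payloads (not real certificates), LF line endings.
PAYLOADS = {
    "cacert.pem": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    "client.pem": b"-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n",
    "user_key.pem": b"-----BEGIN RSA PRIVATE KEY-----\nCCCC\n-----END RSA PRIVATE KEY-----\n",
}
UPLOADS = [f'AT+QFUPL="{n}",{len(p)},100' for n, p in PAYLOADS.items()]
SSLCFG = ['AT+QSSLCFG="cacert",2,"cacert.pem"',
          'AT+QSSLCFG="clientcert",2,"client.pem"',
          'AT+QSSLCFG="clientkey",2,"user_key.pem"']
BIND_CMD = 'AT+QMTCFG="SSL",0,1,2'

THREAD_ORDER = [BIND_CMD] + UPLOADS + SSLCFG  # order in the first post
FIXED_ORDER = UPLOADS + SSLCFG + [BIND_CMD]   # order reported to work in the last post

if __name__ == "__main__":
    for label, seq in (("thread order", THREAD_ORDER), ("fixed order", FIXED_ORDER)):
        print(label, lint(seq, PAYLOADS) or "OK")
```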