Connect module to Azure IoT Hub

Hi, I’m using an EC-21 (Revision: EC21EUXGAR08A02M1G) and I want to connect it to Azure IoT Hub using the MQTT protocol. I’ve found a forum thread where someone else wants to do something similar: BG95-M2 Problem with MQTT and TLS
A Quectel support engineer (Stephen Li) seems to have achieved exactly what I want to do using the following AT-command sequence:
[2018-06-25_11:57:46:330]ati
[2018-06-25_11:57:46:330]Quectel
[2018-06-25_11:57:46:330]BG96
[2018-06-25_11:57:46:330]Revision: BG96MAR02A08M1G
[2018-06-25_11:57:46:330]OK
[2018-06-25_11:57:47:305]at+cgreg?;+creg?;+cereg?;+qnwinfo
[2018-06-25_11:57:47:305]+CGREG: 1,1
[2018-06-25_11:57:47:326]+CREG: 1,1
[2018-06-25_11:57:47:326]+CEREG: 2,4
[2018-06-25_11:57:47:326]+QNWINFO: "EDGE","46001","GSM 900",120
[2018-06-25_11:57:47:326]OK
[2018-06-25_11:58:00:728]at+qflst="UFS:*"
[2018-06-25_11:58:00:728]+QFLST: "cacert.pem",1280
[2018-06-25_11:58:00:728]OK
[2018-06-25_11:58:12:032]AT+QSSLCFG="cacert",2,"UFS:cacert.pem"
[2018-06-25_11:58:12:032]OK
[2018-06-25_11:58:15:917]AT+QSSLCFG="seclevel",2,1
[2018-06-25_11:58:15:917]OK
[2018-06-25_11:58:16:796]AT+QSSLCFG="sslversion",2,4
[2018-06-25_11:58:16:812]OK
[2018-06-25_11:58:22:600]AT+QMTCFG="ssl",0,1,2
[2018-06-25_11:58:22:600]OK
[2018-06-25_11:58:25:766]at+qmtcfg="version",0,4
[2018-06-25_11:58:25:766]OK
[2018-06-25_11:58:34:704]AT+QMTOPEN=0,"mqtt-quectel.azure-devices.net",8883
[2018-06-25_11:58:34:704]OK
[2018-06-25_11:58:40:820]+QMTOPEN: 0,0
[2018-06-25_11:58:43:938]AT+QMTCONN=0,"mydevice1","mqtt-quectel.azure-devices.net/mydevice1","SharedAccessSignature sr=mqtt-quectel.azure-devices.net%2Fdevices%2Fmydevice1&sig=83aqJBcsRIN9R2ZdzGxwjIGHZslTXUNZNeeq1qbmh9A%3D&se=1563244357"
[2018-06-25_11:58:43:938]OK
[2018-06-25_11:58:45:061]+QMTCONN: 0,0,0
[2018-06-25_11:58:46:032]AT+QMTPUB=0,1,1,0,"mydevice1/topic"
[2018-06-25_11:58:46:088]> 0123456789
[2018-06-25_11:58:47:221]OK
[2018-06-25_11:58:48:491]+QMTPUB: 0,1,0
[2018-06-25_11:58:52:088]AT+QMTCLOSE=0
[2018-06-25_11:58:52:088]OK
[2018-06-25_11:58:55:081]+QMTCLOSE: 0,0
But when I try something similar like this it just doesn’t work for some reason:
AT+QICSGP=1,1,"online.telia.se"
OK
AT+QIACT=1
OK
AT+CREG=1
OK
AT+CGREG=1
OK
AT+CEREG=1
OK
AT+CGATT=1
OK
at+cgreg?;+creg?;+cereg?;+cgdcont?;+qnwinfo
+CGREG: 1,1
+CREG: 1,1
+CEREG: 1,1
+CGDCONT: 1,"IP","online.telia.se","0.0.0.0",0,0,0,0
+QNWINFO: "FDD LTE","24001","LTE BAND 3",1300
OK
AT+QFUPL="RAM:cacert.pem",1280,10
CONNECT
+QFUPL: 1280,4f54
OK
AT+QSSLCFG="cacert",1,"RAM:cacert.pem"
OK
AT+QSSLCFG="seclevel",1,2
OK
AT+QSSLCFG="sslversion",1,4
OK
AT+QMTCFG="ssl",0,1,2
OK
AT+QMTCFG="version",0,4
OK
AT+QMTOPEN=0,"olsbergs-iot-test.azure-devices.net",8883
OK
+QMTOPEN: 0,-1

I know that I don’t have the same module as in the example, but that shouldn’t change the way to set up the SSL connection? The only thing that I can’t verify is done the same way as in the example is the uploading of the certificate. I have arranged mine in this way:
const char baltimore2[] =
/* Baltimore CyberTrust Root -- Used Globally */
// This cert should be used when connecting to Azure IoT on the Azure Cloud available globally. When in doubt, use this cert.
"-----BEGIN CERTIFICATE-----\r\n"
"MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\r\n"
"RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\r\n"
"VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\r\n"
"DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\r\n"
"ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\r\n"
"VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\r\n"
"mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\r\n"
"IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\r\n"
"mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\r\n"
"XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\r\n"
"dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\r\n"
"jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\r\n"
"BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\r\n"
"DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\r\n"
"9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\r\n"
"jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\r\n"
"Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\r\n"
"ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\r\n"
"R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\r\n"
"-----END CERTIFICATE-----";

And then I send it over UART. I can verify, using QFOPEN and QFREAD, that the certificate looks the same in the module’s RAM, but it might be faulty from the beginning. Should I use \r\n after every line or not? Is there something else that I’ve forgotten about? Have the SSL or MQTT procedures changed since the forum post was written last year?

Hello Rutger, thanks for your question
SSL and MQTT have not been changed. If you do the long transmission of the certificate in your way, you can add \n\ after the CA certificate to try it. You can refer to the following picture, thank you.

Thank you very much for your reply.

Unfortunately this does not seem to work out for me. I can connect to a public broker like hivemq without using SSL, but as soon as I enable it using AT+QMTCFG="ssl",X,1,X nothing works for me, even if I’m using certificates that work fine when I’m using MQTT.fx on my computer.

Is there something that is fundamentally different from EC21 to BG95? Do I have to go through some extra/other steps for the connection to work?

Hello Rutger, thanks for your feedback
You can refer to this Microsoft Cloud connection example to set up your connection steps. Microsoft cloud process and instructions .pdf (14.5 KB)
For specific explanations on how EC21 uses SSL to connect to MQTT, you can refer to the MQTT application guide document, thank you. Quectel_LTE_Standard_MQTT_Application_Note_V1.2.pdf (685.3 KB)

I’m sorry but the pdf you link to is just a variation of the one I quoted above and does not give me any new insights. I have also of course already studied the MQTT application note as well as the SSL, FILE and general AT-command manuals. I still can’t understand what I’m doing wrong. I’m using the EC21 module mounted on an EVB kit, does that have anything to do with anything?

Hello Rutger, if the certificate still cannot be connected to Microsoft Cloud after mqtt.fx is verified, it is recommended that you capture the abnormal log file and send it to support@quectel.com. Please note your company name and email address when sending the email; we will have special people follow up and analyze this issue, thank you.

Okay, I’ll do that. Thank you for your time.

Hi again Duncan, could you please poke the special people and tell them to give me an answer please?

Hello Rutger, I consulted my colleague and they said that they have replied to your email. Please check the email, thank you.

Hello guys,
I am facing a similar problem to the one Rutger described. I have been able to connect to Azure IoT Hub and publish and subscribe to topics while using self-signed X509 certs. I used Quectel’s BG96 module to connect to my Azure IoT Hub.
Now I have set up the device provisioning service and I am trying to connect to my device global endpoint. I am using the same SSL configuration as before but I am unable to open the MQTT connection.
When I use mqttbox to connect to the Azure DPS global endpoint using X509 certs it works fine, but when using the BG96, when I open the connection using

AT+QMTOPEN=1,"global.azure-devices-provisioning.net",8883

I get this error, MQTT network open fail:

+QMTOPEN: 1,-1

hi, bilal_farooq:
I suggest using the mqtt.fx tool with SSL to verify your CA certificate. This error is usually due to CA certificate issues!

Thanks for the reply. Instead of mqtt.fx I used the mqttbox tool to connect to Azure DPS without any errors and subscribe to a topic.

Here is the screenshot.

Here is the complete output. I used this same configuration to connect to Azure IoT Hub, but it’s not working with Azure DPS.

-> ATI


<- Quectel
<- BG96
<- Revision: BG96MAR02A07M1G
<- 
<- OK
Quectel
BG96
Revision: BG96MAR02A07M1G

AT+CPIN?


-> AT+CPIN?


<- +CPIN: READY


-> AT+QICSGP=2,1,"ZONG","","",3


<- OK


-> AT+QIACT=2


<- OK


-> AT+QICSGP=2,1,"ZONG","","",3


<- OK


-> AT+CGPADDR=2


<- +CGPADDR: 2,100.110.43.143

 
<- OK


APN OK: The IP address is 100.110.43.143


-> AT+QSSLCFG="sslversion",0,3


<- OK


-> AT+QSSLCFG="ciphersuite",0,0XFFFF


<- OK


-> AT+QSSLCFG="negotiatetime",0,300


<- OK


-> AT+QFUPL="ca_cert.pem",1282


Send Data len :1282


+QFUPL: 1282,5155


<- OK


-> AT+QFUPL="client_cert.pem",1188


Send Data len :1188


+QFUPL: 1188,707e


<- OK


-> AT+QFUPL="client_key.pem",1732


Send Data len :1732


+QFUPL: 1732,595e


<- OK


-> AT+QSSLCFG="seclevel",0,2


<- OK


-> AT+QSSLCFG="cacert",0,"ca_cert.pem"


<- OK


-> AT+QSSLCFG="clientcert",0,"client_cert.pem"


<- OK


-> AT+QSSLCFG="clientkey",0,"client_key.pem"


<- OK


-> AT+QSSLCFG="ignorelocaltime",0,1


<- OK


AT+QSSLCFG="ignorelocaltime",0


+QSSLCFG: "ignorelocaltime",0,1


OK


SSL OK: The ssl were successfully initialized.


-> AT+QMTCFG="version",1,4


<- OK


-> AT+QMTCFG="pdpcid",1,2


<- OK


-> AT+QMTCFG="keepalive",1,150


<- OK


-> AT+QMTCFG="session",1,1


<- OK


Config the MQTT Parameter Success!


AT+QMTCFG="ssl",1,1,0


OK




AT+QMTOPEN=1,"global.azure-devices-provisioning.net",8883

OK


+QMTOPEN: 1,-1

hi, bilal_farooq:
For your SSL and MQTT configuration, please strictly follow our guidance and examples. For example, your PDP context ID is set to 2, which is inconsistent with the reference manual. This may cause your connection to fail later.
Quectel_BG96_SSL_Application_Note_V1.1.pdf (487.3 KB)
Quectel_BG96_MQTT_Application_Note_V1.1.pdf (628.2 KB)

I have tried using the exact same configuration as described in the application note. Anyway, here’s the output of the device with
ssl_context = 2;
pdp_context = 1;
mqtt_context = 0;

complete output

-> ATI


<- Quectel
<- BG96
<- Revision: BG96MAR02A07M1G
<- 
<- OK
Quectel
BG96
Revision: BG96MAR02A07M1G
AT+CPIN?
-> AT+CPIN?


<- +CPIN: READYAT+QICSGP=1,1,"ZONG","","",3
-> AT+QICSGP=1,1,"ZONG","","",3


<- OKAT+CGPADDR=1
-> AT+CGPADDR=1


<- +CGPADDR: 1,0.0.0.0
<- 
<- OK
-> AT+QIACT=1


<- ERROR

-> AT+QICSGP=1,1,"ZONG","","",3


<- OK
-> AT+CGPADDR=1


<- +CGPADDR: 1,0.0.0.0
<- 
<- OK
-> AT+QIACT=1


<- OK
-> AT+QICSGP=1,1,"ZONG","","",3


<- OK
-> AT+CGPADDR=1


<- +CGPADDR: 1,10.159.198.146
<- 
<- OK
APN OK: The IP address is 10.159.198.146


-> AT+QSSLCFG="sslversion",2,3


<- OK
-> AT+QSSLCFG="ciphersuite",2,0XFFFF


<- OK
-> AT+QSSLCFG="negotiatetime",2,300


<- OK
-> AT+QFUPL="ca_cert.pem",1282


<- +CME ERROR: 407
<- AT+QFDEL="ca_cert.pem"
-> AT+QFDEL="ca_cert.pem"


<- OK
-> AT+QFUPL="ca_cert.pem",1282


<- CONNECT

Send Data len :1282
+QFUPL: 1282,5155
<- 
<- OK
-> AT+QFUPL="client_cert.pem",1188


<- +CME ERROR: 407
<- AT+QFDEL="client_cert.pem"
-> AT+QFDEL="client_cert.pem"


<- OK
-> AT+QFUPL="client_cert.pem",1188


Send Data len :1188
+QFUPL: 1188,707e
<- 
<- OK
-> AT+QFUPL="client_key.pem",1732


<- +CME ERROR: 407
<- AT+QFDEL="client_key.pem"
-> AT+QFDEL="client_key.pem"


<- OK
-> AT+QFUPL="client_key.pem",1732

Send Data len :1732
+QFUPL: 1732,595e
<- 
<- OK
-> AT+QSSLCFG="seclevel",2,2


<- OK
-> AT+QSSLCFG="cacert",2,"ca_cert.pem"


<- OK
-> AT+QSSLCFG="clientcert",2,"client_cert.pem"


<- OK
-> AT+QSSLCFG="clientkey",2,"client_key.pem"


<- OK
-> AT+QSSLCFG="ignorelocaltime",2,1


<- OK


SSL OK: The ssl were successfully initialized.


-> AT+QMTCFG="version",0,4


<- OK
-> AT+QMTCFG="pdpcid",0,1


<- OK
-> AT+QMTCFG="keepalive",0,150


<- OK
-> AT+QMTCFG="session",0,1


<- OK
Config the MQTT Parameter Success!

-> AT+QMTCFG="ssl",0,1,2


<- OK
Enable the SSL Success!
AT+QMTOPEN=0,"global.azure-devices-provisioning.net",8883


OK

+QMTOPEN: 0,-1
AT+QMTOPEN?

OK

hi, bilal_farooq:
It occurred to me that one of the reasons given in the forum for an MQTT connection failure was the newline characters in the text string when the SSL certificate was uploaded: the character length of the CA certificate containing the newline characters was not consistent with the real CA certificate, resulting in the MQTT connection failure. Therefore, I suggest that you check your uploaded CA certificate for similar problems.
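
The length check suggested here can be done on the host before upload: a PEM with the line shape of the Baltimore root posted earlier (18 base64 lines of 64 characters plus one of 36) is 1280 bytes with CRLF and no final newline and 1282 bytes with one, the two sizes that appear in this thread's AT+QFUPL commands. This is an added example, not code from any poster or from Quectel; the sample PEM is constructed filler, the function names are made up for illustration, and the 16-bit XOR checksum is an assumption taken from Quectel's FILE AT command documentation that this page does not confirm.

```python
import re

# Constructed filler with the same line shape as the Baltimore root posted
# above (18 base64 lines of 64 chars, one of 36). Not a real certificate.
SAMPLE_PEM = "\n".join(["-----BEGIN CERTIFICATE-----"] + ["A" * 64] * 18
                       + ["A" * 36, "-----END CERTIFICATE-----"])

def pem_bytes(pem_text, eol="\r\n", trailing_eol=False):
    """Return the exact bytes to upload, with one consistent line ending."""
    lines = [ln.strip() for ln in re.split(r"\r\n|\r|\n", pem_text) if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("expected one PEM object")
    text = eol.join(lines) + (eol if trailing_eol else "")
    return text.encode("ascii")  # non-ASCII here means the file is damaged

def qfupl_checksum(data):
    """16-bit XOR over big-endian byte pairs (assumed algorithm, see lead-in)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: last byte is the high byte, low byte 0
    csum = 0
    for i in range(0, len(data), 2):
        csum ^= (data[i] << 8) | data[i + 1]
    return csum

def qfupl_command(filename, data, timeout_s=10):
    """Build the upload command with the length of the bytes really sent."""
    return f'AT+QFUPL="{filename}",{len(data)},{timeout_s}'

def upload_ok(response_line, data):
    """Compare the module's '+QFUPL: <size>,<checksum>' reply with our bytes."""
    m = re.fullmatch(r"\+QFUPL: (\d+),([0-9a-fA-F]+)", response_line.strip())
    return (m is not None and int(m.group(1)) == len(data)
            and int(m.group(2), 16) == qfupl_checksum(data))

def size_table(pem_text):
    """Upload size for each line-ending choice."""
    return {(eol, trail): len(pem_bytes(pem_text, eol, trail))
            for eol in ("\n", "\r\n") for trail in (False, True)}

if __name__ == "__main__":
    for (eol, trail), size in size_table(SAMPLE_PEM).items():
        print(f"eol={eol!r:7} trailing={trail!s:5} -> {size} bytes")
    print(qfupl_command("RAM:cacert.pem", pem_bytes(SAMPLE_PEM)))
```

A size in the `+QFUPL:` reply that differs from the length of the bytes prepared on the host means the line endings were altered somewhere between the source file and the UART.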

No, the problem is not with the certs. I have already verified that using mqttbox and also by connecting to my IoT hub directly using the same certs. This problem only occurs when I try to connect to the DPS global endpoint.

hi, bilal_farooq:
I am also very confused about your question. I suggest you continue to investigate:
1. Change the domain name ("global.azure-devices-provisioning.net") to the corresponding IP address and try again!
2. AT+QIDNSCFG=contextID,pridnsaddr,secdnsaddr //The DNS server address is configured
such as AT+QIDNSCFG=1,8.8.8.8,4.4.4.4
3. Check whether the CA certificate has been used by other devices and whether a new CA certificate can be generated, then try again!

Yes, this problem is very confusing. I have been stuck on this for a while now.
I have tried changing the hostname to the IP; that did not work. DNS is properly configured, I have checked that as well.
I am using the Baltimore root CA and the client cert is a self-signed one. I am using the same certificates to connect to my IoT hub device as well as my DPS. But unfortunately, when I try connecting to it using mqttbox it works, but with my code I can only connect to the IoT hub and not to DPS. I don’t know what else to try. Can you please test it yourself by trying to connect a BG96 to Azure DPS?

@herbert.pan-Q have you tried connecting to the global endpoint, or do you have any other suggestion?