Problem to connect to EMQX Public Broker via SSL (BG95)

I am trying to connect my BG95 module to the public EMQX broker. I tried it without SSL first and that worked. Now I want to use SSL. I tried it with the following commands:

ati

Quectel
BG95-M3
Revision: BG95M3LAR02A04
OK

at+cgreg?;+creg?;+cereg?;+qnwinfo

+CGREG: 0,5

+CREG: 0,5

+CEREG: 0,4

+QNWINFO: "EDGE","26202","GSM 900",2

OK

AT+QFUPL="emqx.pem",1338,100

at+qflst="UFS:*"

+QFLST: "emqx.pem",1338
+QFLST: "security/",2

OK

AT+CGDCONT?

+CGDCONT: 3,"IP","[vodafone-APN]","0.0.0.0",0,0,0

OK

AT+CGACT=1,3

OK

AT+CGACT?

+CGACT: 1,0
+CGACT: 2,0
+CGACT: 3,1

OK

AT+QSSLCFG="cacert",2,"UFS:emqx.pem"

OK

AT+QSSLCFG="seclevel",2,1

OK

AT+QSSLCFG="sslversion",2,4

OK

AT+QMTCFG="ssl",0,1,2

OK

AT+QMTCFG="pdpcid",0,3

OK

AT+QMTCFG="version",0,4

OK

AT+QMTOPEN=0,"broker.emqx.io",8883

+QMTOPEN: 0,-1

Can anyone see what might be the problem here?

Hey, I am having the same issue.
What their support told me was to use “SNI”, but that didn’t help.

This is my approach:

I want to connect to the emqx broker with the Quectel Bg950 via AT commands.
I receive a correct connection via AT+QMTOPEN, but AT+QMTCONN fails.
A different approach with mosquitto is working (using the certificate, of course).

This is my response log:
Received: AT OK
Module is ready.

Sent: AT+QFLST
Received:
AT+QFLST
+QFLST: "cacert.pem",1339
+QFLST: "security/",0
OK

File ‘cacert.pem’ exists with size 1339 bytes.

Sent:
AT+QSSLCFG="cacert",2,"cacert.pem"
Received:
AT+QSSLCFG="cacert",2,"cacert.pem"
OK

Sent:
AT+QSSLCFG="seclevel",2,1
Received:
AT+QSSLCFG="seclevel",2,1
OK

Sent:
AT+QSSLCFG="sslversion",2,4
Received: AT+QSSLCFG="sslversion",2,4
OK

Sent: AT+QSSLCFG="ciphersuite",2,0XFFFF
Received:
AT+QSSLCFG="ciphersuite",2,0XFFFF
OK

Sent: AT+QSSLCFG="session",2,1
Received:
AT+QSSLCFG="session",2,1
OK

Sent: AT+QSSLCFG="ignorelocaltime",2,1
Received:
AT+QSSLCFG="ignorelocaltime",2,1
OK

Sent: AT+QSSLCFG="sni",2,1
Received:
AT+QSSLCFG="sni",2,1
OK

SSL configuration for context 2 completed successfully.

Sent: AT+QICFG="tcp/keepalive",1,120,25,10
Received:
AT+QICFG="tcp/keepalive",1,120,25,10
OK
TCP configuration completed successfully.

Sent: AT+QMTCFG="ssl",1,1,2
Received:
AT+QMTCFG="ssl",1,1,2
OK

Sent: AT+QMTCFG="version",1,4
Received:
AT+QMTCFG="version",1,4
OK

Sent: AT+QMTCFG="keepalive",1,300
Received:
AT+QMTCFG="keepalive",1,300
OK

Sent: AT+QMTCFG="session",1,1
Received:
AT+QMTCFG="session",1,1
OK
MQTT configuration for client ID 1 completed successfully.

Sent: AT+QMTOPEN=1,"xxxxxxxx.ala.eu-central-1.emqxsl com",8883
Received:
AT+QMTOPEN=1,"xxxxxxxx.ala.eu-central-1.emqxsl com",8883
OK
+QMTOPEN: 1,0
MQTT connection started.

Sent: AT+QMTCONN=1,"bg_battery","battery","battery"
Received:
AT+QMTCONN=1,"bg_battery","battery","battery"
OK
+QMTCONN: 1,0,5
+QMTSTAT: 1,4
Failed to connect MQTT client.

So my setup is working when using EMQX Dedicated instead of Serverless.
It seems that SNI causes some problems for the BG950?

I figured it out for my specific case. But I changed from EMQX to the broker of my SIM-Card Provider (Vodafone).

First of all, I used the wrong Root Certificate. I found the right one with the openssl command (openssl s_client -connect [broker-URL]:8883 -showcerts).

But I also needed to set the parameter AT+QSSLCFG="ignorelocaltime",2,0 to “Does not ignore validity check for certificate” and had to enable Server Name Identification (AT+QSSLCFG="sni",2,1).

Now I can connect to the Vodafone MQTT broker.

This is awesome! Changing the ignorelocaltime to false (0) did solve the issue. Also, it seems to be necessary to add some padding size when uploading the certificate. I used strlen(certificate) + 15 as the filesize.
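
An added example, not code from any poster in this thread: it parses the output of the `openssl s_client -connect ... -showcerts` command mentioned above to name the CA certificate that has to be in the module's `cacert` file, and builds an `AT+QFUPL` line whose size is the byte count of the data actually sent. The sample output, subject and issuer names and certificate bodies are constructed placeholders; `parse_chain`, `required_trust_anchor` and `qfupl_command` are hypothetical helper names.

```python
import re

# Constructed sample of `openssl s_client -connect <broker>:8883 -showcerts` output.
# Subjects, issuers and certificate bodies are placeholders, not real certificates.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = broker.example.test
   i:C = XX, O = Example Trust, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:C = XX, O = Example Trust, CN = Example Issuing CA
   i:C = XX, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
---
Server certificate
"""

# One chain entry: "N s:<subject>", "i:<issuer>", optional a:/v: lines (OpenSSL 3), PEM.
ENTRY = re.compile(
    r"^[ \t]*(\d+) s:(?P<subject>[^\n]*)\n[ \t]+i:(?P<issuer>[^\n]*)\n"
    r"(?:[ \t]+[av]:[^\n]*\n)*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.M | re.S)

def parse_chain(text):
    """Return (depth, subject, issuer, pem) for every certificate the server sent."""
    return [(int(m.group(1)), m["subject"].strip(), m["issuer"].strip(), m["pem"])
            for m in ENTRY.finditer(text)]

def required_trust_anchor(chain):
    """Name of the CA the module's cacert file must contain, plus its PEM if sent.

    Servers usually omit the root, so the anchor is the issuer of the last
    certificate and its PEM has to come from the CA itself (pem is None here).
    """
    _, subject, issuer, pem = chain[-1]
    return (subject, pem) if subject == issuer else (issuer, None)

def qfupl_command(filename, pem, timeout=100):
    """AT+QFUPL line declaring the byte count of exactly the data to be sent."""
    data = pem.encode("ascii")
    return f'AT+QFUPL="{filename}",{len(data)},{timeout}', data

if __name__ == "__main__":
    name, pem = required_trust_anchor(parse_chain(SAMPLE))
    print("cacert must contain:", name, "(sent by server)" if pem else "(get it from the CA)")
```

A root taken from the server's own handshake output should be compared against the fingerprint the CA publishes before it is loaded as a trust anchor. `qfupl_command` counts the bytes it is given, so the same certificate saved with CRLF line endings produces a larger declared size than the LF version.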