CC3235MODASF: Where to put the Server Root CA cert when using atcmd mqtt

Wayne Johnson

Part Number: CC3235MODASF

I have an app that used the atcmd application. I am trying to connect to the Google MQTT server. I have the Google MQTT CA root cert installed on the CC3w235 as /erg/primary. I issue the commands:
AT+MqttCreate=...,[url|sec|skip_cert_verify],mqtt.2030.ltsapis.goog,443,TLSV1_2,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,,,/erg/primary,,v3_1_1,1,1
+mqttcreate:0
OK
AT+MqttSet=0,user,unused
OK
AT+MqttSet=0,password,...
OK
AT+MqttSet=0,keepalive,300
OK
AT+MqttSet=0,clean,0
OK
AT+MqttConnect=0

The connect command returns with an wrong_ca_cert error. I modify ATCmd to dump out the expected CA cert CN and it shows:
SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA. Install "GTS LTSR"

The problem I have is that I specified /erg/primary on the Create command, and that file in the install image does have a valid CA cert (from Google) with:
Issuer: C = US, O = Google Trust Services LLC, CN = GTS LTSR

What am I missing?

over 2 years ago

+1 Kobi Leibovitch over 2 years ago

TI__Guru 63006 points

The root ca you provided is not what the was requested by the server (if you have an air sniffer, you can check the TLS setup yourself).

What is the valid root CA that you've installed (in "/erg/primary")?

I read online that google may use 2 root CAs so you may need to install the "GTS LTSR" root-ca in addition and in case of failure of AT+MqttConnect with the "/erg/primary" , try again (from AT+MqttCreate) with this one.

+1 Wayne Johnson over 2 years ago in reply to Kobi Leibovitch

Prodigy 125 points

That was the issue. I had swapped the GCP primary and backup certs around. Add to that, I had not done a set time before the connect. This caused a -461 (SL_ERROR_BSD_ESECDATEERROR). I am now to the point where I get the +eventmqtt:operation,connack,4. Thanks.

Wi-Fi

Wi-Fi forum

CC3235MODASF: Where to put the Server Root CA cert when using atcmd mqtt