Hello,
I am trying to connect to a server with my CC3220SF device, but I keep getting the below error:
SL_ERROR_BSD_ESECBADCAFILE (-456L) /* error secure level bad CA file */
While connecting with the same certificates via my PC with mosquitto, I am able to connect (As in the screenshot attached, left window) but not with the device (screenshot attached, right window). Any further recommendations or support would be appreciated.
Port: 8883
TLS Version: 1.2
MQTT Version 3.11
Cipher on CA certificate: ECDHE-ECDSA-AES256-GCM-SHA384
Best Regards,
Shashank
Hi,
Error -456 means that there is a problem with the ROOT-CA certificate you provided (SL_ERROR_BSD_ESECBADCAFILE).
Either the format of the certificate is wrong or the path to the certificate file is wrong.
Are you set with the catalog from TI or the root dummy catalog?
How do you set it on the file system (via Uniflash I guess)? What is the filename and how do you set the root CA? Which API?
Can you also share the root CA?
Shlomi
Hi,
I have uploaded the Root CA in the google drive link. I have tried both the Root CA (UserTrust RSA Certification Authority) and Intermediate Certificate Authority (Sectigo RSA Domain Validation Secure Server CA) for the website sarad.de of our server, which we are testing the MQTT connections on.
The same certificate (Sectigo RSA Domain certificate) works with mosquitto on the PC, as in the left window of the image attached, but not with the device.
I have flashed it via Uniflash and the file name was tls_Sectigo_CA.crt for the Root CA (as in the image below), set in the root directory.
We tried 2 ways to write the certificate:
1. A newline in the certificate was added manually by appending '\n' after 64 characters in the certificate body
2. Copied the certificate onto Notepad++ and added the EOL conversion as CR LF and uploaded the same onto the device
Could you please also send an example working Root CA certificate of the correct format to upload. Thanks!
Hi,
The main issue here I believe is the fact that this root CA is not included in the root CA catalog, although I would expect to get FS_ERR_ROOT_CA_IS_UNKOWN error.
Just to verify, can you try to bypass the root CA verification?
You can do it by using the SL_SO_SECURE_DISABLE_CERTIFICATE_STORE option.
Also, can you please answer my question above? --> How do you set it on the file system (via Uniflash I guess)? What is the filename and how do you set the root CA? Which API?
Shlomi
Hi Shlomi,
The root CA is included in the root CA catalog, because as I mentioned before, the same certificates work with mosquitto on the PC (as attached in the picture in the left window of my above reply).
I have bypassed the root CA verification also. We are using a Wurth Calypso board which is using the cc3220sf chip.
So to answer your question, we are uploading it directly via the SimpleLink API over a serial interface tool using AT commands (this method works with other files perfectly, and we are able to read the certificates after writing onto the flash). The file name is set simply as "rootCA.crt", and we also tried with "rootCA.pem".
Any leads on what other issue it could be?
Shashank
Hi,
How can you be sure that the root CA you are using is in the catalog of the Simplelink device?
Can you please attach the root CA you are using?
Shlomi
Hi,
We checked the memory for files saved and the file name is the same as the one we created. Also, we were able to read the contents of the rootCA after writing onto it, and verified it is the same as expected. So we are sure that the rootCA is the same one in the simple link device.
The root CA is attached in the google drive link.
The fact that this root CA is working on your PC doesn't say much, it is just saying that this root CA is part of the catalog on your PC.
The catalog in Simplelink device is hardcoded and does not include this specific root CA.
If you look in the SDK under <simplelink_cc32xx_sdk root>\tools\cc32xx_tools\certificate-catalog\readme.html, there is a list of all supported certificates and this one is not on the list.
It has been a while since this list was updated.
Let me check internally for the process.
Shlomi
Sure, please let me know soon. I can share the logs if needed to speed up the process.
Sure, if I see that it takes too long, I will try to create a "debug" catalog where I would add this specific one to the catalog and send you for test.
Hi, we have an update. We are currently using a self signed certificate as RootCA. The certificate is issued to (for example) "hq.test.com" (CN=hq.test.com). However, the MQTT server address is the URL "test.com". The MQTT connect command returns error -456 (SL_ERROR_BSD_ESECBADCAFILE). We assume the reason for this is the fact that the domain verification feature is enabled. However, setting the "DISABLE_DOMAIN_VERIFICATION" flag does not solve the issue. Is there a workaround for this problem?
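As an added example (not code from this thread, the poster or TI's SDK), a small Python sketch for two points raised above: normalizing a hand-edited PEM file (CRLF vs LF line endings and the 64-column wrapping tried in the earlier post) and checking why a certificate name of hq.test.com does not match the host test.com. The sample PEM body is a constructed dummy DER SEQUENCE, not a real certificate, so the check covers format and name matching only, not the device's root CA catalog.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE (not a real certificate) wrapped the way
# a PEM file may arrive after hand editing on Windows: CRLF endings, no 64-column wrap.
DUMMY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM_CRLF = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(DUMMY_DER) + b"\r\n"
    + b"-----END CERTIFICATE-----\r\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n?-----END CERTIFICATE-----", re.S)


def normalize_pem_cert(raw: bytes) -> bytes:
    """Return a canonical single-certificate PEM: LF line endings, 64-column body.
    Raises ValueError when the markers are missing or the body does not decode to DER."""
    text = raw.decode("ascii").replace("\r\n", "\n").replace("\r", "\n")
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("PEM BEGIN/END CERTIFICATE markers missing")
    body = "".join(m.group(1).split())  # drop every newline/space inside the body
    der = base64.b64decode(body, validate=True)  # rejects stray characters such as '\\n' literals
    if not der or der[0] != 0x30:  # an X.509 certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("decoded body is not a DER SEQUENCE")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return ("-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n").encode("ascii")


def hostname_matches(hostname: str, names: list[str]) -> bool:
    """RFC 6125 style matching of a host against certificate names (CN or DNS SANs):
    labels must match exactly, and '*' is accepted only as the whole leftmost label.
    A name for a subdomain (hq.test.com) therefore never covers its parent (test.com)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        if labels[0] == "*" and len(host) > 2 and labels[1:] == host[1:]:
            return True
    return False
```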
Hi,
If you create your own certificate, you cannot add it to the certificate store so most likely it fails because it is not on the catalog.
You can bypass the catalog just to make sure this is the issue by using the SL_SO_SECURE_DISABLE_CERTIFICATE_STORE option.
Shlomi