I am not sure if this community is intended for my question.
I am using a SIM7080 modem to connect to my website using TLS with the command AT+CAOPEN and ISRG Root X1, I get an error 26: Certificate's common name does not match and time expired. Using a browser to communicate over HTTPS with my website works perfectly well. Also no problems in opening port 80 without TLS or port 443 with TLS encryption only and no certificate verification.
If I use google's root certificate and the same command to connect to google.com it works perfectly well. If I try to connect to lencr.com using the Let's Encrypt root I also get above error. If I deliberately use ISRG Root X1 to connect to google.com, I also get error 26. So this error means: there is something wrong with your certificate in general.
I suspect it has something to do with the combination of the SIM7080 TLS implementation, the Let's Encrypt certificate and probably the need to configure something in the modem that I missed.
Has anyone succeeded in using a CAOPEN command using TLS on a SIM7080 modem (or a similar SIM7000/SIM7070/SIM7090 modem)? Could you please share the full list of AT commands?
Has anyone suggestions in what I am missing in the SIM7080 - Let's Encrypt certificate combination in setting op an TLS authenticated connection?
Let's Encrypt do run lencr.org. However, the certificate chain it currently serves chains to "DST Root CA X3", not to "ISRG Root X1".
If you are using CASSLCFG to configure cacert with the root certificate "ISRG Root X1", try connecting to valid-isrgrootx1.letsencrypt.org instead, which serves a certificate chain that actually chains to that root.
@_az Thank you for your quick reply. You are right, it is lencr.org, and that is also the host i tried. But using a browser, clicking the padlock and viewing the certificate leads to the ISRG Root X1 root. Also here is stated that Let’s Encrypt Authority X3 is retired.
I tried the host you suggested, valid-isrgrootx1.letsencrypt.org](http://valid-isrgrootx1.letsencrypt.org, this also fails with error 26 using the ISRG Root X1.
I tried setting the SNI without success. I use my own modem client in cpp, but the modem commands I use are (after uploading and converting the right certificate):
AT+CSSLCFG="sni",0,"origin.letsencrypt.org"
AT+CACID=0
AT+CASSLCFG=0,"SSL",1
AT+CASSLCFG=0,"CACERT","root.cer"
AT+CASSLCFG=0,"CRINDEX",0
AT+CAOPEN=0,0,"TCP","valid-isrgrootx1.letsencrypt.org",443
This gives error 26
Yes I can connect if I do not use a certificate, effectively using TLS encryption without authenication. So the problem is in certificate verification, I am sure!
Looking with openssl at a connection to google.com and a connection to my own website, I see that Google's uses a different suite and a public key of 256 bits, and my own site uses ECDHE-RSA-AES128-GCM-SHA256 which should be supported (from the SIM7080 AT commands: QAPI_NET_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 should be the same (note ECDHE and ECDH)? but a public key length of 2048. Might this be the problem?
However, the same trick does not work with my own website. I have no virtual hosts (at least not at 443), but my Letś Encrypt server certificate has 4 Subject Alt Names. Any ideas?
Chances are that your website is currently using the "Old Default Chain". In this case, the root is "DST Root CA X3".
Sometime this month, new and renewed certificates will start using the "New Default Chain". In this case, there's technically two roots in the chain and trusting either should work, depending on how the TLS stack works on these modems.
I think it would be ideal if you trusted all 3 roots shown on the certificate hierarchy page. That's what common clients like browsers do. However, I'm not sure whether the cacert option provided by your modem's SSL commands allows trusting multiple roots at the same time.
But if you can only trust a single root at once, I guess "DST Root CA X3" is going to have to be it. (Or configure your website with the "Alternative Chain", but that might reduce compatibility with other kinds of devices.)
I got connection! Thank you so very much for your help. It is confusing that the "DST Root CA X3" can not be found at the Let's Encrypt chain of trust directly in the list of intermediate certificates and needs to be downloaded at download a copy from us.
. Not sure, seems like it should work.
!