Unable to connect using a SIM7080 modem and Let's Encrypt certificate

I am not sure if this community is intended for my question.
I am using a SIM7080 modem to connect to my website using TLS with the command AT+CAOPEN and ISRG Root X1, I get an error 26: Certificate's common name does not match and time expired. Using a browser to communicate over HTTPS with my website works perfectly well. Also no problems in opening port 80 without TLS or port 443 with TLS encryption only and no certificate verification.

If I use google's root certificate and the same command to connect to google.com it works perfectly well. If I try to connect to lencr.com using the Let's Encrypt root I also get above error. If I deliberately use ISRG Root X1 to connect to google.com, I also get error 26. So this error means: there is something wrong with your certificate in general.

I suspect it has something to do with the combination of the SIM7080 TLS implementation, the Let's Encrypt certificate and probably the need to configure something in the modem that I missed.

Has anyone succeeded in using a CAOPEN command using TLS on a SIM7080 modem (or a similar SIM7000/SIM7070/SIM7090 modem)? Could you please share the full list of AT commands?

Has anyone suggestions in what I am missing in the SIM7080 - Let's Encrypt certificate combination in setting op an TLS authenticated connection?

Thanks a lot! Jeroen

1 Like

I don't think that Let's Encrypt run lencr.com.

Let's Encrypt do run lencr.org. However, the certificate chain it currently serves chains to "DST Root CA X3", not to "ISRG Root X1".

If you are using CASSLCFG to configure cacert with the root certificate "ISRG Root X1", try connecting to valid-isrgrootx1.letsencrypt.org instead, which serves a certificate chain that actually chains to that root.

1 Like

@_az Thank you for your quick reply. You are right, it is lencr.org, and that is also the host i tried. But using a browser, clicking the padlock and viewing the certificate leads to the ISRG Root X1 root. Also here is stated that Let’s Encrypt Authority X3 is retired.
I tried the host you suggested, valid-isrgrootx1.letsencrypt.org](http://valid-isrgrootx1.letsencrypt.org, this also fails with error 26 using the ISRG Root X1.

Any other suggestions?

Unfortunately that browser interface tends to be inaccurate.

If you check using e.g. openssl s_client, you'll see that the "ISRG Root X1" issuer is nowhere to be seen in the certificate chain on that domain.

:frowning: . Not sure, seems like it should work.

Just for a sanity check: can you connect if you don't configure cacert at all?

1 Like

I also tried this root on this host. This again leads to error 26...

Actually .. thinking about this part again:

Can you show your full commands? How are you passing in the SNI name of the host you're connecting to?

If you just connect to the IP without SNI, you'll probably receive the certificate for *.netlify.com or origin.letsencrypt.org (non-ISRG root).

According to https://raw.githubusercontent.com/botletics/SIM7000-LTE-Shield/master/SIM7000%20Documentation/Technical%20Documents/SIM7000%20Series_AT%20Command%20Manual_V1.06.pdf, there is a way to configure the SNI name:


maybe give that a shot?


@_az Thnx again!

I tried setting the SNI without success. I use my own modem client in cpp, but the modem commands I use are (after uploading and converting the right certificate):
This gives error 26

Yes I can connect if I do not use a certificate, effectively using TLS encryption without authenication. So the problem is in certificate verification, I am sure!

1 Like

Looking with openssl at a connection to google.com and a connection to my own website, I see that Google's uses a different suite and a public key of 256 bits, and my own site uses ECDHE-RSA-AES128-GCM-SHA256 which should be supported (from the SIM7080 AT commands: QAPI_NET_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 should be the same (note ECDHE and ECDH)? but a public key length of 2048. Might this be the problem?

You should set this to the host you want to connect to, i.e the same as:


That works, nice!

However, the same trick does not work with my own website. I have no virtual hosts (at least not at 443), but my Letś Encrypt server certificate has 4 Subject Alt Names. Any ideas?

1 Like

I tried all Sub Alt Names, using the same host for both AT+CSSLCFG="sni" and AT+CAOPEN without success...

@_az Is there any way, e.g. with OpenSSL, to figure out what name (Common Name or Alt Sub Name) is used in the SSL handhake?

Yay :partying_face: !

Like I alluded to earlier, it is unlikely that your own website is using "ISRG Root X1". (Despite what your browser UI says).

Let's Encrypt currently sends clients a chain that uses the "DST Root CA X3" root and ACME clients will use this by default.

Unless you have gone out of your way to override this and use an alternate certificate chain, you're not using "ISRG Root X1".

To make things more complicated, this is actually in the process of changing. If you look at the below diagram from this blog post:

Chances are that your website is currently using the "Old Default Chain". In this case, the root is "DST Root CA X3".

Sometime this month, new and renewed certificates will start using the "New Default Chain". In this case, there's technically two roots in the chain and trusting either should work, depending on how the TLS stack works on these modems.

I think it would be ideal if you trusted all 3 roots shown on the certificate hierarchy page. That's what common clients like browsers do. However, I'm not sure whether the cacert option provided by your modem's SSL commands allows trusting multiple roots at the same time.

But if you can only trust a single root at once, I guess "DST Root CA X3" is going to have to be it. (Or configure your website with the "Alternative Chain", but that might reduce compatibility with other kinds of devices.)


I got connection! Thank you so very much for your help. It is confusing that the "DST Root CA X3" can not be found at the Let's Encrypt chain of trust directly in the list of intermediate certificates and needs to be downloaded at download a copy from us.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.