HTTPS with Let's Encrypt and GSM modules - can't get it to work.

[Stromlo]

Hi,

I am designing a product for a client, and need to connect to their HTTPS site and POST data to said site. I have tried both Fibocom G510 and Simcom SIM900 modules (GPRS - still going strong in South Africa) but connecting to a HTTPS site, if it is using Let's Encrypt, doesn't seem to work.

The Fibocom module, when I am lucky enough to get an error code at all, tells me 'SSL Protocol Error'; and the Simcom module tells me 'Network Error'.

If needed I can post the three sites I have access to to test, but even https://www.letsencrypt.com gives me the above errors using a basic HTTPS POST / GET. Sites such as https://www.example.com and https://www.google.com and various others that use a different CA works fine.

I have not loaded any certificates to the modules themselves, but the fact that non- Let's Encrypt sites do work confuses me as to the problem.

I have reached out to Fibocom, but they say I need to load certificates (I have tried loading the Let's Encrypt root certificate, but did not help). They also doesn't seem to want to do any debugging / testing on their side so support is very difficult there. Unfortunately I need the Fibocom module to work, the Simcom module is just used for testing to try and figure out the problem.

Any ideas? I can post the AT commands I use to replicate, but for now I am hoping it's a stupid mistake on my part - and one of you can point me to my error.

Edit: Typo

[gmb42]

The only part that Let's Encrypt, or any other CA, provide in TLS is the certificate which holds info on the remote host and the public key.  If your client has issues making the TLS connection on to the server with an LE cert, then it's likely it has issues with the cert.

A TLS client has is meant to verify the server's certificate, and amongst other checks the cert has to come from a certificate chain that is trusted by the client.  The client has a list of trusted root certificates produced by the CA's and this is checked by the client for a match with the root certificate belonging to the servers cert chain.

When the server sends the certificate to the client it's optional to include the full chain.  If it doesn't, the client is expected to use the info in the servers certificate to retrieve the rest of the chain and hopefully find a trusted root certificate.

The client must have some method to update its list of root certificates as they do change, and its likely your module doesn't have the LE root certificate installed.

There are a number of TLS test sites (most have SSL in their name despite SSL being deprecated for over 4 years, possibly due to ... marketing??) that will show you the certificate chain among other tests, e.g. SSL Checker.  Point one of these tests sites to your server and it will let you know if the server is correctly configured.

Apart from being unable to verify the certificate, a client may fail to make a TLS connection for other reasons such as the protocol support and cipher suite offered by the server being unusable for the client, but the fact the client works with other CA certs make these reasons unlikely as they are not directly set by the certificate in use.

Edit:  Depending on how the LE cert has been issued, it may have a large RSA key, e.g. 4096 that an older client can't handle.  Again, check the server with an external tool to get the info and make sure it's supported by your client.