DTLS connection fails

Hello,

I am trying to connect to the LWM2M server via DTLS and my modem.

I have uploaded the root CA that I have created and established proof of possession through the help of the forum. The device certificates have been signed with the root CA successfully.

My first tests with my modem are failing with SSL Connection Error and I was wondering how you forumers have tested connectivity with your devices. Did you first check to see if your PC can connect and if so what are the steps that you took?

thanks

Personally I’m not a LWM2M user, but when it comes to DTLS, generally the certificate chain that the device is sending to Cumulocity matters, as you might need to ensure that you’re sending all of the required certificates.

For instance, if you have a chain of 3 (leaf > intermediate > root), and if you uploaded the root certificate to Cumulocity, then you’ll need to send all 3 certificates when connecting to Cumulocity, as just sending the leaf certificate won’t be enough.

Do you know the full certificate chain that you’re sending to Cumulocity?

I am using a modem for communicating with Cumulocity so all the certificates are handled by that. I simply upload the root CA, the device cert and the device key to the modem and the rest just works. That is the case for TCP and MQTT so far.

Is there a way I can test connection with the server without having to use the modem? How would you check device communication via a pc for example?

thanks

I’ll let someone else answer, but it might be useful to post the exact error (e.g. screenshot, copy/paste output).

The output I get is this: +KUDP_NOTIF: 1,13 which is a UDP SSL connection error, as the modem’s datasheet states.

I didn’t want to get into the modem’s behavior as I would prefer to stick to finding a way to connect via the pc first to check if the certificates are ok.

Hi Hariss,

For the LWM2M device connections with X.509, it is also required to register the LWM2M device beforehand.

Have you done this step already?

Device is registered and its name is shared with the common name of the device certificate.

Okay, then could you write the URL you use for the device connection? We will check on the Service logs side if we see any errors.

I am using this: lwm2m.eu-latest.cumulocity.com

We have noticed that the communication starts but does not continue.
We will enable trace logging to see more information in the next few days and will let you know via message.

The DTLS handshake seems to be successful now.

The issues that are identified:

Firstly, the device sent a fatal alert after receiving the Server certificate.
The LWM2M Server certificate for lwm2m.eu-latest.cumulocity.com is shared with Haris.
After this, the device recognized the certificate and the handshake progressed.

Secondly, the device certificate verification failed because the device certificate used the RSA algorithm.
As per the LwM2M specification, the device certificate must use an Elliptic Curve algorithm.

LwM2M Specification document: https://www.openmobilealliance.org/release/lightweightm2m/V1_1_1-20190617-A/OMA-TS-LightweightM2M_Transport-V1_1_1-20190617-A.pdf

After the new device certificate was set with an Elliptic Curve algorithm, the verification was successful.

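The PC-side check asked about in this thread can be done with OpenSSL before involving the modem. The script below is an added example, not part of any post and not Cumulocity's own tooling: it confirms that a device certificate uses an EC key and chains to the uploaded root CA, and includes a DTLS 1.2 handshake probe. Function names and file names are hypothetical, the sample PKI is constructed, and port 5684 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the public key algorithm of a PEM certificate (id-ecPublicKey, rsaEncryption, ...).
cert_key_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Return 0 if the device certificate has an EC key and chains to the root CA,
# 1 if the key is not EC (the failure found in this thread), 2 if the chain is broken.
check_device_cert() {  # usage: check_device_cert root_ca.pem device.pem
    ca=$1 cert=$2
    alg=$(cert_key_alg "$cert")
    if [ "$alg" != "id-ecPublicKey" ]; then
        echo "FAIL: key algorithm is ${alg:-unknown}, expected id-ecPublicKey" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca" >&2
        return 2
    fi
    echo "OK: EC key, chains to $ca"
}

# Constructed sample PKI in directory $1: EC root CA, one EC and one RSA device certificate.
make_sample_pki() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Constructed Root CA" \
        -days 1 -out "$dir/ca.pem"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key"
    openssl genrsa -out "$dir/rsa.key" 2048 2>/dev/null
    for k in ec rsa; do
        openssl req -new -key "$dir/$k.key" -subj "/CN=constructed-device-$k" -out "$dir/$k.csr"
        openssl x509 -req -in "$dir/$k.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -out "$dir/$k.pem" 2>/dev/null
    done
}

# Live handshake from the PC (needs network). Port 5684, the standard CoAP-over-DTLS
# port, is an assumption; server_ca.pem is whatever validates the server certificate.
dtls_probe() {  # usage: dtls_probe host server_ca.pem device.pem device.key
    openssl s_client -dtls1_2 -connect "$1:5684" -CAfile "$2" -cert "$3" -key "$4" </dev/null
}

# Run as: sh check_cert.sh root_ca.pem device.pem
if [ "$#" -eq 2 ]; then check_device_cert "$1" "$2"; fi
```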