
Is there a working example for TLS with LTE-M/NB-IoT?

+1 vote
I have plain http working in API mode from the XBee (via XCTU).
I have https working via browser with the server with a self-signed certificate.
I've followed all instructions in the user guide for TLS ($0=apache-selfsigned.crt;;, etc.), but I always get back a status frame with delivery status 85 (Unknown error).

I'd like to see a working example for TLS like what is provided in the XBee
connection examples of the user guide. Is there such a thing somewhere?
asked May 3 in XBee Cellular by bkerin New to the Community (3 points)
recategorized May 9 by michaelt


1 Answer

0 votes
We used to have a worked example for using certificates but the service we used for that example was discontinued recently.

However, I think your issue comes down to the server configuration - https://www.digi.com/support/forum/70086/how-to-tell-if-sni-is-causing-tls-to-not-work-with-lte-m-nb-iot
answered May 9 by tckr Seasoned Professional (230 points)
Is there an example using Amazon or Google certificates? I have a server that uses AmazonRootCA1 as a root certificate, yet I still receive 0x85 unknown error code in response to 0x20 txreq.
Our example code here uses AWS IoT. One thing to note for Amazon is you might want to make sure to use the "Starfield" certificate, as we've found that both u-blox and Telit modems tend to have problems using Amazon's own root CA.

https://github.com/digidotcom/xbee-micropython/tree/master/samples/cellular/aws
Thanks, that worked for me.

I was confused because Windows certificate manager indicates that AmazonRootCA1 is the root of trust for my domain. That turned out to be misleading; AmazonRootCA1 is itself signed by Starfield Services.
Per https://www.digi.com/resources/documentation/Digidocs/90002258/#Reference/r_tls_cert_limits.htm the XBee3 Cellular modem only supports certificate files that contain a single certificate. This means that in order to connect to AWS, you must supply the Starfield certificate, not AmazonRootCA1. It's an unfortunate and confusing limitation in the u-blox modem.
...
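
A pre-flight check for the single-certificate limit and the root versus cross-signed confusion described in the comments above, as an added example that is not from the thread or from Digi: it counts the certificates in a PEM file and reports whether each one is self-issued (issuer equals subject). The sample certificates are constructed DER skeletons with made-up names, and every function name here is an assumption of this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw Name bytes (issuer, subject) of one DER certificate."""
    _, p, _ = tlv(der, 0)                   # Certificate SEQUENCE
    _, p, _ = tlv(der, p)                   # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                         # optional [0] version field
        p = end
    fields = []
    for _field in range(5):                 # serial, sigAlg, issuer, validity, subject
        _tag, s, e = tlv(der, p)
        fields.append(der[s:e])
        p = e
    return fields[2], fields[4]

def check_trust_file(pem_text):
    """Count certificates and flag self-issued ones (names only, no signature check)."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    flags = [issuer == subject for issuer, subject in map(issuer_and_subject, ders)]
    return {"count": len(ders), "single": len(ders) == 1, "self_issued": flags}

# --- constructed sample input: DER skeletons, not valid certificates ---
def _der(tag, *parts):
    body = b"".join(parts)                  # short-form length; samples stay < 128 bytes
    return bytes([tag, len(body)]) + body

def _sample_pem(issuer_cn, subject_cn):
    def name(cn):                           # Name with a single commonName (OID 2.5.4.3)
        attr = _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, attr))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0x30), name(issuer_cn), _der(0x30), name(subject_cn))
    b64 = base64.b64encode(_der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_ROOT = _sample_pem("Example Root", "Example Root")
SAMPLE_CROSS = _sample_pem("Example Cross-Signer", "Example Root")
```

A file that reports `single: False`, or a lone certificate that is not self-issued, is worth a second look before loading it on the modem.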