nrf9151 Feather - FOTA_Download()

cptel

The modem is programmed with mfw_nrf91×1_2.0.4 firmware.
FOTA_Download() worked until it didn’t as of last week. I have attached a PCAP screenshot and error. Is anyone familiar with this error and a resolution?

NOTE: I am upgrading the Application Firmware, resident on the nrf9151, when i run into this error.

jaredwolff

Hey @cptel — a few things to narrow this down, since “worked until last week” almost always points at the server side rather than the device.

Can you paste the log instead of (or in addition to) the screenshot? The PCAP shows the wire but the modem’s error code from the fota_download event is what tells us which step failed. Build with:

CONFIG_FOTA_DOWNLOAD_LOG_LEVEL_DBG=y                                                                                                                                                                                                                                                                                      
CONFIG_DOWNLOADER_LOG_LEVEL_DBG=y

and grab the run from FOTA_Download() through to the failure.

Most likely causes, in order:

Root CA on the firmware host rotated/expired. If you’re hosting on S3/CloudFront, AWS has been migrating from the Starfield root chain to the Amazon Trust Services chain. If your modem’s sec_tag only carries the old root, new connections will start failing with no code change on your side. Check what’s loaded:
```
   AT+CFUN=4
   AT%CMNG=1
```
and if needed re-provision the Amazon roots from https://www.amazontrust.com/repository/. Full flow: https://docs.circuitdojo.com/nrf9151-feather/troubleshooting.html#httpstls-certificate-errors

One thing I’ve seen with AWS and other services is that depending on the region they will rug pull the intermediate certificate leaving your device unable to establish an HTTPS session to download a file. My mistake was not to use the root cert.

Server cipher change. The nRF91×1 modem only accepts:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

If the host’s TLS config dropped one of those, every handshake fails the same way. Quick sanity check from a laptop:

   curl -v --tlsv1.2 --ciphers ECDHE-RSA-AES128-GCM-SHA256 <your firmware URL>

Adjacent thread that may also be relevant if it turns out to be a flaky-link issue rather than TLS: https://community.circuitdojo.com/d/741

cptel

I am using Azure Blob storage to host the binary file and everything points to Azure rolling a cert, which they do every 6 months (just learning).

here’s the capture:
[00:02:05.806,060] <dbg> downloader: dl_socket_create_and_connect: family: 1, type: 1, proto: 258
[00:02:05.817,840] <dbg> downloader: dl_socket_create_and_connect: Socket opened, fd 4
[00:02:05.828,369] <inf> downloader: Setting up TLS credentials, sec tag count 1
[00:02:05.838,470] <inf> downloader: Connecting to 52.239.253.132
[00:02:05.847,167] <dbg> downloader: dl_socket_create_and_connect: fd 4, addrlen 8, fam IPv4, port 443
[00:02:06.287,231] <dbg> downloader: dl_socket_close: Socket closed, fd 4
[00:02:06.296,661] <err> downloader: Failed to connect, err -111
[00:02:06.305,541] <err> fota_download: Downloader error event -111
[00:02:06.314,697] <dbg> fota_download: downloader_callback: No DFU target was initialized
[00:02:06.325,592] <inf> PWL:
CommsFOTAdlHandler(): evt: 5

[00:02:06.334,045] <inf> PWL: Received error from fota_download

cptel

Claude’s response to rolling certs & global certs:

The Two Types of Certs in Play
GlobalSign Root G2 ← Root CA cert (what your devices trust)
↓ signs
Microsoft TLS G2 Intermediate ← Intermediate cert
↓ signs
*.blob.core.windows.net ← Leaf/end-entity cert (what Azure presents)
(your 3,927 byte cert — expires Oct 2026)

What Each Cert Does
Cert TypePurposeWho Manages ItRotation FrequencyRoot CA (GlobalSign G2)Establishes the trust anchor — "who do we trust to sign certs?"GlobalSignDecades (25+ years)Intermediate CABridges root to leaf, limits root exposureMicrosoftYearsLeaf certProves THIS specific server is who it claims to beMicrosoft (for blob.core.windows.net)Every 6 months or less

Why Root G2 Doesn’t Solve the Rotation Problem
Your devices trusting the GlobalSign Root G2 means they trust any leaf cert that chains up to that root. It does not mean they pin to or lock on a specific leaf cert.
So the rolling cert problem still exists because:
Device trusts: GlobalSign Root G2 ✅ (static, long-lived — fine)

Azure rotates: *.blob.core.windows.net leaf cert every ₆ months
(your device doesn’t need to update anything for THIS)

BUT the industry mandate says:
Mar 2026 → max 200 days
2027 → max 100 days
2029 → max 47 days
The device trusting the root is fine — that part doesn’t rotate. The problem is what the device does during the TLS handshake:
Device connects to Azure Blob
↓
Azure presents NEW leaf cert (rotated every 6 months)
↓
Device checks: does this cert chain up to GlobalSign Root G2?
↓
If YES → connection succeeds ✅ (root trust works fine)
If device has PINNED the old leaf cert → connection FAILS ❌

Does anyone know if Nordic saves the Leaf Cert? This explains the issue I am running into.

jaredwolff

@cptel — short answer: no, the nRF91 modem doesn’t pin or cache leaf certs. It validates the chain on every handshake against whatever roots/intermediates are in your sec_tag. So a rotated leaf is a non-issue as long as it still chains to a root the modem trusts. Claude’s writeup is correct about how chain validation works in general, but the “device pinned the old leaf” path doesn’t apply here.

More importantly, your log rules out a TLS problem entirely:

[00:02:05.838,470] <inf> downloader: Connecting to 52.239.253.132
[00:02:06.287,231] <dbg> downloader: dl_socket_close: Socket closed, fd 4
[00:02:06.296,661] <err> downloader: Failed to connect, err -111

That’s ECONNREFUSED on connect() — the failure happens at TCP, _450ms after the socket opens, before any TLS handshake bytes are exchanged. If it were a cert problem (rotated leaf, missing intermediate, expired root, cipher mismatch) you’d see the connection succeed at TCP and fail later with a TLS-specific error like -116 (ETIMEDOUT during handshake) or a modem_key_mgmt / peer-verify error.

A few things that do match -111 against an Azure Blob endpoint:

The IP changed and your modem is talking to a stale one. 52.239.253.132 is one of many Azure Front Door / Blob frontends, and they rotate. If your firmware is hitting a hard-coded IP, or DNS got cached at the modem level, you can end up dialing an address that no longer answers on 443. Confirm by re-resolving the hostname from a laptop right now and comparing.
Azure storage firewall / network rules. If the storage account has “Selected networks” or a private endpoint enabled, anything outside that allowlist gets refused at the LB. Check the storage account → Networking blade.
SAS / container ACL flipped to private. A blob that’s no longer publicly readable (or a SAS token that expired) won’t refuse TCP — but if the rules above were toggled at the same time, you’d see exactly this.
Operator / APN egress filtering. Some cellular APNs block specific ranges or require an explicit allowlist. Less likely if it was working last week and nothing changed on the SIM side, but worth ruling out by trying a different APN or hitting a known-good HTTPS host with https_client.

Quickest triage path:

# from a laptop, on the same URL the device uses
curl -v https://<account>.blob.core.windows.net/<container>/<blob>
nslookup <account>.blob.core.windows.net

If curl works and resolves to a different IP than 52.239.253.132, you’ve got stale DNS or a hard-coded address. If curl also fails with connection refused, it’s the storage account’s network config.

Once you’ve got TCP connecting again, then the cert/cipher checklist from my earlier post becomes relevant — but I’d bet this one is network, not crypto.

cptel

Update.. I updated my instance of Azure blob storage to accept HTTP connection and FOTA worked as expected. Good thing is that I was able to go from my prod version to test version back-n-forth without code change (phew…)

Bigger question is why was HTTPS working till April 24 (last known conducted FOTA test) and stopped working on May 1st. The only thing that changed was the leaf certificate on April 28 (deducted this by looking at cert details). My leaf certificate hypothesis doesn’t make sense as I only stored the root cert and you stated Nordic doesn’t either.

I fed detailed .pcap to Claude, than posted here, and have an analysis from it that points to issues within Nordic’s Download Fota. Happy to share the analysis here if you’d like.

And I do have few more questions related to this but for now, i am moving on.

jaredwolff

cptel if you think it is a genuine bug I definitely recommend you share your findings with Nordic on Devzone

cptel

I created a support request on Nordic Dev Zone about a week ago and they suggested to use HTTP instead of HTTPS, which worked. I’ve shared my findings and questions to the Nordic team.
The below mentioned 7.8 kB is actually 65kB but modem says it can only support 6.3kB which it never ACKs and hence the ‘TCP Window Full’ error - resulting in error -111.

Here’s the response from Nordic Dev Zone:
Thanks for the PCAP, it shows the failure happens before the actual download starts, during the TLS/HTTPS handshake. As right after the device sends its TLS “ClientHello”, the server sends a single TLS handshake record of around 7.8 kB. The nRF91 series modem has a known around 2 kB secure socket/TLS receive buffer limit, so it can’t accept that large TLS record and the connection gets aborted or reset, which then surfaces as your download error.

Can you try host the firmware on a server you control and download it over plain HTTP (no TLS), then update the FOTA URL to http:/. This may avoids the modem TLS size limitation.

NOTE: This worked before the Leaf Rollover date and there were no firmware code changes nor any update to the Azure blob storage.

jaredwolff

Alternatively if you want HTTPS you can use mbedTLS as the TLS layer rather than offloading to the modem. While functional, the modem implementation lacks in certain places (like this case!). It does add a fairly large amount of code to your application though. Usually it gets pretty close to the size of the firmware slot if you’re doing split slots on the nRF9151 internal flash.

So it’s ultimately a factor of “how much do I care about this..”

AchimKraus

Just for completeness:
You may also try to setup a https-proxy, using smaller server-certificates for the device endpoint and support the larger ones from the service. Anyway, I guess, the pain is mainly introduced from the requirement (wish?) to use available cloud-services and setting up such an proxy would AFAIK require to setup a own box to run it.
(It may even work with a TLS socat proxy, you will need to add also the proxy CA to your trusts. Otherwise it would be a classic “man in the middle” and TLS would protect from that.)

cptel

While HTTPS is preferred for end-to-end security purposes, I think HTTP works just fine in this scenario. Here’s my logic/assumptions and welcome community’s input.
Known fact: HTTP is prone to man-in-the-middle attach. Assume this happens in which case the modem will download a hacked/corrupt binary file.
Role Play:
If corrupt binary file, modem should ignore due to file checksum validation (assuming FOTA download does this). Risk: Low.
If hacked binary file, the hacker must have same binary file key to encode the hacked binary file that is in the firmware. Otherwise the modem will download and ignore because of encoding mismatch. Risk: Low.
Adding a VPN between my app server and service provider’s network, chances of man-in-the-middle attack should be ultra low. Risk: Low

jaredwolff

Thanks @AchimKraus! That reminds me:

What I’ve done for this problem in the past is use Caddy as an intermediate proxy to whatever service you’re connecting to. The nRF91xx seems to work ok with the Let’s Encrypt certificates on Caddy.

AchimKraus

Just also to mention:
To protect from corrupt or hacked binary files, you may try to use “encrypted images”.
Unfortunately not for the devices, which are already on the field, but maybe for future devices.