RAK5860 (BG77) MQTT TLS connection to HiveMQ Cloud — +QMTCONN: 0,0,5 Not Authorized

Hello, I am having a connection issue with the 5860.

Question:
Does firmware version BG77LAR02A04_01.002.01.002 properly implement TLS SNI in the ClientHello packet? HiveMQ Cloud Serverless requires SNI to identify tenants. The command AT+QSSLCFG=“sni”,2,1 returns OK but we are unsure if SNI is actually being sent in the TLS handshake at this firmware version.

Is a firmware update required, and if so how do we obtain it for the RAK5860?

Hardware:

  • RAK4631 (WisBlock Core)
  • RAK5860 (BG77 firmware: BG77LAR02A04_01.002.01.002)
  • RAK19007 baseboard
  • Soracom SIM (Cat-M1, US)

What works:

  • BG77 powers on correctly via WB_IO1 PWRKEY pulse
  • Soracom SIM registers on Cat-M1 network (+CEREG: 0,5)
  • IP address assigned (10.155.33.66)
  • TLS connection to HiveMQ Cloud opens successfully (+QMTOPEN: 0,0)
  • Same credentials connect successfully via HiveMQ Web Client

The problem:
Every MQTT connection attempt returns +QMTCONN: 0,0,5 (Not Authorized) followed by +QMTSTAT: 0,4 (connection closed by server).

AT command sequence used:

AT+QSSLCFG="cacert",2,"isrg_root_x1.pem"   // ISRG Root X1 from Let's Encrypt
AT+QSSLCFG="sslversion",2,4
AT+QSSLCFG="ciphersuite",2,0xFFFF
AT+QSSLCFG="ignorelocaltime",2,1
AT+QSSLCFG="sni",2,1
AT+QMTCFG="version",0,4                      // MQTT 3.1.1
AT+QMTCFG="ssl",0,1,2
AT+QMTOPEN=0,"<cluster>.s1.eu.hivemq.cloud",8883
// waits for +QMTOPEN: 0,0 — succeeds consistently
AT+QMTCONN=0,"clientID","unmoor","Unmoor2026"
// returns +QMTCONN: 0,0,5

What we have ruled out:

  • Credentials are valid — confirmed working via HiveMQ Web Client with same username/password
  • TLS handshake completes — +QMTOPEN: 0,0 succeeds every time
  • Not a reboot loop — BG77 is stable with RAK1904 removed from slot A
  • Not a network issue — Soracom registers and assigns IP consistently
  • seclevel intentionally omitted — adding it causes +QMTOPEN: 0,-1
  • ISRG Root X1 certificate uploaded and verified on BG77 filesystem

Thank you for the help!

Bob

Welcome to the forum @bob_unmoormarine.com

Does firmware version BG77LAR02A04_01.002.01.002 properly implement TLS SNI in the ClientHello packet?

is a question that is better asked directly to Quectel. We are not developing the firmware on the BG77 modem chip.