Hello, I am having a connection issue with the 5860.
Question:
Does firmware version BG77LAR02A04_01.002.01.002 properly implement TLS SNI in the ClientHello packet? HiveMQ Cloud Serverless requires SNI to identify tenants. The command AT+QSSLCFG=“sni”,2,1 returns OK but we are unsure if SNI is actually being sent in the TLS handshake at this firmware version.
Is a firmware update required, and if so how do we obtain it for the RAK5860?
Hardware:
- RAK4631 (WisBlock Core)
- RAK5860 (BG77 firmware: BG77LAR02A04_01.002.01.002)
- RAK19007 baseboard
- Soracom SIM (Cat-M1, US)
What works:
- BG77 powers on correctly via WB_IO1 PWRKEY pulse
- Soracom SIM registers on Cat-M1 network (+CEREG: 0,5)
- IP address assigned (10.155.33.66)
- TLS connection to HiveMQ Cloud opens successfully (+QMTOPEN: 0,0)
- Same credentials connect successfully via HiveMQ Web Client
The problem:
Every MQTT connection attempt returns +QMTCONN: 0,0,5 (Not Authorized) followed by +QMTSTAT: 0,4 (connection closed by server).
AT command sequence used:
AT+QSSLCFG="cacert",2,"isrg_root_x1.pem" // ISRG Root X1 from Let's Encrypt
AT+QSSLCFG="sslversion",2,4
AT+QSSLCFG="ciphersuite",2,0xFFFF
AT+QSSLCFG="ignorelocaltime",2,1
AT+QSSLCFG="sni",2,1
AT+QMTCFG="version",0,4 // MQTT 3.1.1
AT+QMTCFG="ssl",0,1,2
AT+QMTOPEN=0,"<cluster>.s1.eu.hivemq.cloud",8883
// waits for +QMTOPEN: 0,0 — succeeds consistently
AT+QMTCONN=0,"clientID","unmoor","Unmoor2026"
// returns +QMTCONN: 0,0,5
What we have ruled out:
- Credentials are valid — confirmed working via HiveMQ Web Client with same username/password
- TLS handshake completes — +QMTOPEN: 0,0 succeeds every time
- Not a reboot loop — BG77 is stable with RAK1904 removed from slot A
- Not a network issue — Soracom registers and assigns IP consistently
- seclevel intentionally omitted — adding it causes +QMTOPEN: 0,-1
- ISRG Root X1 certificate uploaded and verified on BG77 filesystem
Thank you for the help!
Bob