Hi, I am trying to implement the native OTA example against Azure IoT Hub. I generated a CA certificate from https://www.sslforfree.com/
but I am stuck with this error.
E (9482) esp-tls: mbedtls_ssl_handshake returned -0x2700
I (9482) esp-tls: Failed to verify peer certificate!
I (9482) esp-tls: verification info: ! The certificate is not correctly signed by the trusted CA
E (9492) esp-tls: Failed to open new connection
E (9492) TRANS_SSL: Failed to open a new connection
E (9502) HTTP_CLIENT: Connection failed, sock < 0
E (9502) native_ota_example: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (9512) native_ota_example: Exiting task due to fatal error...
What am I doing wrong?
Is there anything to do with cipher suites?
The certificate is not correctly signed by the trusted CA
Re: The certificate is not correctly signed by the trusted CA
A small correction: I have been testing with Azure App Services, not with a specific device. I have a GET URL in the App Service from where I am trying to download the bin file. But the certificate is not getting verified.
Re: The certificate is not correctly signed by the trusted CA
I tried to check the ca-cert file using the link you provided. It went well, but when I tried to verify the cert using openssl verify ca_cert.pem on the OpenSSL command line it failed.
It shows:
"
error 18 at 0 depth lookup: self-signed certificate.
error ca_cert.pem: verification failed.
"
Re: The certificate is not correctly signed by the trusted CA
Hello - I was chasing the same problem trying to perform an OTA from Amazon S3 with a bucket I created. I tried different combinations and think I found my issue: by accident I used the wrong PEM file.
So a few tricks I read up on (from the net) are to hit the URL in the browser (for the upgrade file) and then go to the padlock in the browser (I am using Firefox). Then click on the arrow, then More Information. I then have the option to View Certificates. I then see, some way down the page: Download PEM (cert) / PEM (chain).
Mistakenly I was using PEM (cert).
As soon as I tried PEM (chain) and embedded that into my ESP build, the system got past the CA checking.
Note - you can add more debug output in TLS by setting the config flag CONFIG_MBEDTLS_DEBUG=y.
Hope this helps someone out. I cannot guarantee it will fix your issue, but hey, that's why we all do this stuff: to learn.
Re: The certificate is not correctly signed by the trusted CA
It is 3 certs; how do you add them to the code? I spent many hours and still failed.
Hello - I was chasing the same problem trying to perform an OTA from Amazon S3 with a bucket I created. I tried different combinations and think I found my issue: by accident I used the wrong PEM file.
So a few tricks I read up on (from the net) are to hit the URL in the browser (for the upgrade file) and then go to the padlock in the browser (I am using Firefox). Then click on the arrow, then More Information. I then have the option to View Certificates. I then see, some way down the page: Download PEM (cert) / PEM (chain).
Mistakenly I was using PEM (cert).
As soon as I tried PEM (chain) and embedded that into my ESP build, the system got past the CA checking.
Note - you can add more debug output in TLS by setting the config flag CONFIG_MBEDTLS_DEBUG=y.
Hope this helps someone out. I cannot guarantee it will fix your issue, but hey, that's why we all do this stuff: to learn.
Re: The certificate is not correctly signed by the trusted CA
To follow up on this thread, and to leave an answer for future visitors, here is how it definitely works.
First of all, as @irknowles already mentioned, it is not sufficient to embed the server certificate; you need the root certificate (which is also present in the certificate chain). This is also mentioned in the OTA example readme https://github.com/espressif/esp-idf/tr ... production.
In order to grab the root certificate, either extract it from the browser, or just run
openssl s_client -connect www.google.com:443 -showcerts
where you replace www.google.com with your actual server address. It will show you three certificates (server, intermediate and root). Just copy and paste the root certificate.
About how to embed the certificate properly in the code, just follow the Simple OTA example: https://github.com/espressif/esp-idf/tr ... ta_example.
In short:
1. save the certificate in ${project_dir}/server_certs/ca_cert.pem
2. make sure to embed the certificate in CMakeLists.txt
3. define pointers to the embedded certificate:
extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");
4. initialize the esp_http_client_config_t struct accordingly:
esp_http_client_config_t config = {
    .url = CONFIG_FIRMWARE_UPGRADE_URL,
    .cert_pem = (char *)server_cert_pem_start,
};
5. make sure that the OTA url is configured correctly in menuconfig
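As an added example (not code from this thread or from ESP-IDF), the following POSIX shell script does the chain selection the replies above describe: it splits a bundle in the order openssl s_client -showcerts prints it, picks the self-signed root to embed as server_certs/ca_cert.pem, and checks with openssl verify that the leaf chains to it, while showing that using the leaf (PEM cert) or the intermediate as the anchor fails, as the ESP handshake did. It assumes openssl and awk are installed; the function names and the locally generated test PKI (CN values, file names) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Splits a PEM bundle in the order
# `openssl s_client -showcerts` prints it (leaf first, root last), picks the
# self-signed cert as the root to embed in server_certs/ca_cert.pem, and checks
# that the leaf verifies against it.
set -eu

# Split a PEM bundle $1 into cert01.pem, cert02.pem, ... inside directory $2.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inpem = 1 }
    inpem { print > f }
    /-----END CERTIFICATE-----/ { inpem = 0; close(f) }' "$1"
}

# Print the path of the self-signed certificate (subject == issuer) in $1/cert*.pem.
# Returns 1 when the server did not send its root; fetch it from the CA or browser then.
find_root() {
  for c in "$1"/cert*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    iss=$(openssl x509 -in "$c" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && { echo "$c"; return 0; }
  done
  return 1
}

# Verify leaf $3 against trust anchor $2, taking intermediates from bundle $1.
# Without -partial_chain, OpenSSL accepts only a self-signed root as the anchor.
verify_leaf() { openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1; }

# Constructed test PKI (root -> intermediate -> leaf) so the script runs offline;
# for a real server, the bundle comes from `openssl s_client -showcerts` instead.
make_test_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=firmware.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}
```

For a live server, replace make_test_chain with openssl s_client -connect host:443 -showcerts < /dev/null > chain.pem and feed that bundle to split_chain; the file find_root prints is the one to copy to server_certs/ca_cert.pem.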