The certificate is not correctly signed by the trusted CA

kubera
Posts: 23
Joined: Wed May 20, 2020 10:21 am

The certificate is not correctly signed by the trusted CA

Postby kubera » Fri May 22, 2020 12:59 pm

Hi, I am trying to implement the native OTA example with Azure IoT Hub. I generated a CA certificate from https://www.sslforfree.com/

but I am stuck with this error.

..........................................................................................................................................................
E (9482) esp-tls: mbedtls_ssl_handshake returned -0x2700
I (9482) esp-tls: Failed to verify peer certificate!
I (9482) esp-tls: verification info: ! The certificate is not correctly signed by the trusted CA

E (9492) esp-tls: Failed to open new connection
E (9492) TRANS_SSL: Failed to open a new connection
E (9502) HTTP_CLIENT: Connection failed, sock < 0
E (9502) native_ota_example: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (9512) native_ota_example: Exiting task due to fatal error...

...............................................................................................................................................................

What am I doing wrong?
Is there anything to do with cipher suites?

kubera
Posts: 23
Joined: Wed May 20, 2020 10:21 am

Re: The certificate is not correctly signed by the trusted CA

Postby kubera » Sat May 23, 2020 8:28 am

A small correction: I have been testing with Azure App Services, not with a specific device. I have a GET URL in the App Services from where I am trying to download the bin file. But the certificate is not getting verified.


kubera
Posts: 23
Joined: Wed May 20, 2020 10:21 am

Re: The certificate is not correctly signed by the trusted CA

Postby kubera » Fri May 29, 2020 7:34 am

I tried to check the ca-cert file using the link provided by you. It went well, but when I tried to verify the cert using OpenSSL verify ca_cert.pem in the OpenSSL command line, it failed.
It shows ----
"
error 18 at 0 depth lookup: self-signed certificate.
error ca_cert.pem: verification failed.

"

irknowles
Posts: 2
Joined: Sat Jun 13, 2020 7:43 pm

Re: The certificate is not correctly signed by the trusted CA

Postby irknowles » Sat Jun 13, 2020 7:56 pm

Hello - I was chasing the same problem trying to perform an OTA from Amazon S3 with a bucket I created. Tried different combinations and think I found my issue. I by accident used the wrong PEM file.

So a few tricks I read up (from the net) is to hit the URL in the browser (for the upgrade file) and then go to the padlock in browser (I am using Firefox). Then click on the arrow then more information. I then have the option to View certificates. I then see some way down page: Download PEM (cert) PEM (chain).

Mistakenly I was using PEM(cert).
As soon as I tried PEM(chain) and embedded that into my esp build the system got past the CA checking.

Note - You can add more debug in TLS by setting the config flag CONFIG_MBEDTLS_DEBUG=y.

Hope this helps someone out. I cannot guarantee it will fix your issue, but hey, that's why we all do this stuff, to learn.

dzungpv
Posts: 15
Joined: Thu Mar 26, 2020 4:52 am

Re: The certificate is not correctly signed by the trusted CA

Postby dzungpv » Sat Sep 30, 2023 10:25 am

irknowles wrote:
Sat Jun 13, 2020 7:56 pm
Hello - I was chasing the same problem trying to perform an OTA from Amazon S3 with a bucket I created. Tried different combinations and think I found my issue. I by accident used the wrong PEM file.

So a few tricks I read up (from the net) is to hit the URL in the browser (for the upgrade file) and then go to the padlock in browser (I am using Firefox). Then click on the arrow then more information. I then have the option to View certificates. I then see some way down page: Download PEM (cert) PEM (chain).

Mistakenly I was using PEM(cert).
As soon as I tried PEM(chain) and embedded that into my esp build the system got past the CA checking.

Note - You can add more debug in TLS by setting the config flag CONFIG_MBEDTLS_DEBUG=y.

Hope this helps someone out. I cannot guarantee it will fix your issue, but hey, that's why we all do this stuff, to learn.

It is 3 certs, how do you add them to the code? I spent many hours and still failed.
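
The two checks discussed in this thread, reproduced with OpenSSL on a constructed three-level PKI (an added example, not code from any poster; all certificate names and file names are made up). It shows that `openssl verify` on a self-signed CA file fails with error 18 unless that file is itself supplied as the trust anchor, and that a leaf certificate verifies only against a bundle containing its issuing CAs.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf. All names are made up.
make_demo_pki() {   # make_demo_pki <dir>
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' \
        > "$1/ext.cnf"
    new_csr "$1" root "Demo Root CA"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
        -extfile "$1/ext.cnf" -extensions ca -out "$1/root.pem" 2>/dev/null
    new_csr "$1" inter "Demo Intermediate CA"
    sign "$1" inter root ca
    new_csr "$1" leaf "firmware.example.test"
    sign "$1" leaf inter leaf
    # chain.pem: the issuing CA certificates concatenated into one PEM bundle.
    cat "$1/inter.pem" "$1/root.pem" > "$1/chain.pem"
}
new_csr() {         # new_csr <dir> <name> <CN>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
sign() {            # sign <dir> <name> <issuer> <ext-section>
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}
# check <cert> [trust-file]: print OK if <cert> chains to a trusted root, else FAIL.
check() {
    if openssl verify ${2:+-CAfile "$2"} "$1" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

d=$(mktemp -d)
make_demo_pki "$d"
# A self-signed root that is not in OpenSSL's trust store: error 18.
echo "root, no trust file:     $(check "$d/root.pem")"                 # FAIL
# The same file supplied as the trust anchor verifies.
echo "root, trusted as itself: $(check "$d/root.pem" "$d/root.pem")"   # OK
# Trusting only the server's own (leaf) certificate does not build a chain.
echo "leaf, trust = leaf only: $(check "$d/leaf.pem" "$d/leaf.pem")"   # FAIL
# Root alone is not enough when the intermediate is missing.
echo "leaf, trust = root only: $(check "$d/leaf.pem" "$d/root.pem")"   # FAIL
# The full set of issuing CAs verifies.
echo "leaf, trust = chain:     $(check "$d/leaf.pem" "$d/chain.pem")"  # OK
rm -rf "$d"
```

A multi-certificate bundle is simply the PEM blocks concatenated one after another in a single file, which is how `chain.pem` is built here.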
