https client: Failed to verify peer certificate

zamek42@gmail.com
Posts: 36
Joined: Sat Dec 02, 2017 7:27 pm

https client: Failed to verify peer certificate

Postby zamek42@gmail.com » Tue Apr 27, 2021 8:08 am

Hi All,
I would like to download a simple file from a web server over HTTPS.
I downloaded the certificate from the server with Firefox and stored it in a text file named ca_cert.pem. It is the correct server cert.
I tried this code:

Code:

    /* ca_cert.pem is embedded in the app binary (COMPONENT_EMBED_TXTFILES) */
    extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
    extern const uint8_t server_cert_pem_end[]   asm("_binary_ca_cert_pem_end");
    ...
    /* load the embedded PEM into the global CA store; the length covers the
       NUL terminator that the embed step appends to text files */
    esp_err_t res = esp_tls_init_global_ca_store();
    res = esp_tls_set_global_ca_store(server_cert_pem_start,
                                      server_cert_pem_end - server_cert_pem_start);
    esp_http_client_config_t config = {
        .url = UPDATE_JSON_URL,
        .transport_type = HTTP_TRANSPORT_OVER_SSL,
        .event_handler = http_event_handler,
        /* only skips the hostname (CN) check; the chain is still verified */
        .skip_cert_common_name_check = true,
        .cert_pem = (char *) server_cert_pem_start,
    };

    esp_http_client_handle_t client = esp_http_client_init(&config);
    res = esp_http_client_perform(client);
When I run this code I get an error:
E (5481) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (5481) esp-tls-mbedtls: Failed to verify peer certificate!
I (5501) esp-tls-mbedtls: verification info: ! The certificate is not correctly signed by the trusted CA

E (5501) esp-tls: Failed to open new connection
E (5511) TRANSPORT_BASE: Failed to open a new connection
E (5511) HTTP_CLIENT: Connection failed, sock < 0

Is there an error in my code?

thx,
Zamek

zamek42@gmail.com
Posts: 36
Joined: Sat Dec 02, 2017 7:27 pm

Re: https client: Failed to verify peer certificate

Postby zamek42@gmail.com » Tue Apr 27, 2021 11:04 am

I found it,
I have to add the full certificate chain to my ca_cert.pem, not only the server certificate. It works well.

rajvrk36@gmail.com
Posts: 18
Joined: Fri May 28, 2021 10:58 am

Re: https client: Failed to verify peer certificate

Postby rajvrk36@gmail.com » Thu Aug 05, 2021 8:07 am

Hello,

I'm stuck on the same problem; can you please explain how to do this? And please provide references!

Thanks for the answers :)

Regards,
Rajkumar

venugopala
Posts: 2
Joined: Mon Nov 22, 2021 11:56 am

Re: https client: Failed to verify peer certificate

Postby venugopala » Tue Feb 08, 2022 7:08 am

Hello,

I'm stuck on the same problem; can you please explain how to do this? And please provide references!

Thanks for the answers :)

Regards,
Venugopala.d

micteus127
Posts: 4
Joined: Tue Mar 15, 2022 11:44 am

Re: https client: Failed to verify peer certificate

Postby micteus127 » Thu Dec 01, 2022 6:58 pm

Hello,
I had the same problem.
By "full chained certificate" an "extended" version is meant.
Just open the certificate details in Firefox, for example:
https://cheapsslsecurity.com/blog/how-t ... n-firefox/
Attachment: Certificate.png
BR

micteus127
Posts: 4
Joined: Tue Mar 15, 2022 11:44 am

Re: https client: Failed to verify peer certificate

Postby micteus127 » Mon Dec 05, 2022 10:33 am

Some additional notes:
In the example project (https://github.com/espressif/esp-idf/bl ... _example.c) there is a hint ;)

Code:

    /* Root cert for howsmyssl.com, taken from howsmyssl_com_root_cert.pem
       The PEM file was extracted from the output of this command:
       openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null
       The CA root cert is the last cert given in the chain of certs.
       To embed it in the app binary, the PEM file is named
       in the component.mk COMPONENT_EMBED_TXTFILES variable.
    */
I have now managed to use only the last certificate of the chain.
BR

chruge
Posts: 15
Joined: Fri Jul 21, 2023 8:06 am

Re: https client: Failed to verify peer certificate

Postby chruge » Wed Jan 24, 2024 3:03 pm

I do the same in ESP-IDF 5.1. I manage to download a file when I place either the root certificate or the whole chain.

When I impair the server certificate but leave the root certificate intact, I am still able to download the file, but I get the following debug output:

W (6997) esp-tls-mbedtls: mbedtls_x509_crt_parse was partly successful. No. of failed certificates: 1

I would like to either check the entire chain with no compromise, or the server certificate (not the root one). Is there a setting I need to make?

Kind regards

Christian

Jimis1
Posts: 37
Joined: Wed May 03, 2023 6:20 am

Re: https client: Failed to verify peer certificate

Postby Jimis1 » Sun Jun 29, 2025 1:29 pm

I have the same issue. My OTA upgrade was working until some time ago. Now it throws a certificate verification error.

I download my binary from https://raw.githubusercontent.com.
GitHub changed the root certificates and they don't work anymore.

I tried downloading the new ones using the Git Bash command
openssl s_client -connect raw.githubusercontent.com:443 -showcerts

I added the intermediate and root certificates to the ca_cert.pem file, but I get an error:

E (41626) esp-tls-mbedtls: mbedtls_x509_crt_parse of CA cert returned -0x2180
E (41626) esp-tls-mbedtls: Failed to set client configurations, returned [0x8015] (ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED)

It looks like a formatting error in the ca_cert.pem file, but I can't see why.
I verify the file with
openssl s_client -CAfile ca_cert.pem -connect raw.githubusercontent.com:443

and get an error: Verify return code: 2 (unable to get issuer certificate)

I tried with the bundle cert file from Mozilla, which passes the verification, but I get an error on the ESP because the file is too large to handle.

Total nightmare. I have been trying with AI helping me get the correct ca_cert.pem file, but nothing works. All files seem to be wrongly formatted, which is unlikely.

I attach a file taken from openssl s_client -connect raw.githubusercontent.com:443 -showcerts.

I also tried disabling the certificate check through menuconfig (Skip server certificate CN field check). That also didn't work. It still tried to verify the certificate as if I hadn't checked this!

Any help would be greatly appreciated.

ESP IDF 5.1.2
ESP32-S3-series-DevKitC-1-N32R8V_WROOM-2_32MB
Attachment: ca_cert.pem.txt (6.4 KiB)

Jimis1
Posts: 37
Joined: Wed May 03, 2023 6:20 am

Re: https client: Failed to verify peer certificate

Postby Jimis1 » Thu Jul 03, 2025 6:18 am

I finally found the problem!
During the tests to make my cert file work I probably checked "Variable SSL buffer length"; I don't see how else this could have been checked. That was the problem.

After that everything worked perfectly. I even managed to get the built-in bundle working which is supposed to be more reliable for future certification changes.
Attachment: pic.jpg
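Two things come up repeatedly in this thread: which certificate in the `openssl s_client -showcerts` output is the root to embed (micteus127's note about "the last cert given in the chain"), and why mbedTLS rejects a hand-assembled ca_cert.pem with a parse error such as -0x2180. The script below is an added example, not code from the thread or from ESP-IDF: it splits a PEM bundle into blocks, flags blocks whose base64 or outer DER structure is broken, notes CRLF line endings, and identifies the self-signed block (issuer equals subject), which is the root CA the ESP-IDF example comment refers to. The DER walker only reads the fixed leading fields of tbsCertificate and does no signature checking; the sample certificates are constructed, unsigned toys used only to exercise it.

```python
import base64, binascii, re, textwrap

# One PEM certificate block; group(1) is the base64 body.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return the raw issuer and subject Names."""
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    off = der_tlv(der, der_tlv(der, 0)[1])[1]  # into Certificate, then into tbsCertificate
    if der[off] == 0xA0:                       # optional [0] EXPLICIT version
        off = der_tlv(der, off)[2]
    off = der_tlv(der, off)[2]                 # serialNumber
    off = der_tlv(der, off)[2]                 # signature AlgorithmIdentifier
    end = der_tlv(der, off)[2]                 # issuer Name
    issuer, off = der[off:end], end
    off = der_tlv(der, off)[2]                 # validity
    return issuer, der[off:der_tlv(der, off)[2]]   # subject Name

def check_bundle(text):
    """Diagnose a ca_cert.pem: count blocks, flag undecodable ones, list self-signed roots."""
    report = {"blocks": 0, "bad": [], "roots": [], "crlf": "\r\n" in text}
    for i, m in enumerate(PEM_RE.finditer(text)):
        report["blocks"] += 1
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
            issuer, subject = issuer_and_subject(der)
            if issuer == subject:              # self-signed: the root CA to embed
                report["roots"].append(i)
        except (binascii.Error, ValueError, IndexError):
            report["bad"].append(i)
    return report

def _tlv(tag, payload):                        # DER TLV encoder for the constructed sample
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + payload
def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
def sample_cert(subject, issuer):
    """Constructed, unsigned toy certificate: just enough DER to exercise the walker above."""
    tbs = (_tlv(0x02, b"\x01") + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"
```

Run `check_bundle(open("ca_cert.pem").read())` on a real bundle: an entry in "bad" points at the block mbedTLS will choke on, and an empty "roots" list means the file contains no root CA, only leaf and intermediate certificates.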
