https ota with crt bundle

Post Reply
kracejic
Posts: 2
Joined: Sun May 31, 2020 6:46 pm

https ota with crt bundle

Postby kracejic » Sun May 31, 2020 7:04 pm

Hello everyone,

I am trying to get the simple esp_https_ota working with the esp_crt_bundle_attach and global_ca_store, but I am missing a step on how to add built-in crt bundle to the global CA store.
My OTA server is available over https and I am using Let's Encrypt to get valid certificates.

This code is failing:

Code: Select all

        esp_http_client_config_t config = {
            .url = "https://DOMAIN.COM/master.bin",
            .use_global_ca_store = true};

        esp_err_t ret = esp_https_ota(&config);
with output ending with:

Code: Select all

E (14756) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (14766) esp-tls-mbedtls: Failed to verify peer certificate!
I (14776) esp-tls-mbedtls: verification info:   ! The certificate is not correctly signed by the trusted CA
But this is working:

Code: Select all

        esp_tls_cfg_t cfg = {
            .crt_bundle_attach = esp_crt_bundle_attach,
        };
        struct esp_tls *tls = esp_tls_conn_http_new("https://DOMAIN.COM/master.bin", &cfg);
        if(tls != NULL) {
            printf("Connection established... \n");
        } else {
            printf("Connection failed... \n");
        }

Code: Select all

I (145666) mbedtls: ssl_tls.c:2755 => flush output
I (145676) mbedtls: ssl_tls.c:2767 <= flush output
I (145676) mbedtls: ssl_tls.c:8094 <= handshake
Connection established...
So there is no problem with TLS itself, I am just not able to get the CA cert bundle to OTA.

The problem

I could not find how to get esp_crt_bundle_attach into global ca store (which is enabled with use_global_ca_store).
Is there a way how to do it?

Thanks for your help! :)
Top
User avatar
jrakus
Posts: 6
Joined: Mon Aug 05, 2019 12:09 pm

Re: https ota with crt bundle

Postby jrakus » Fri Jun 26, 2020 7:07 am

Bump. I have exactly the same problem. Anyone got working solution?
Top
0dd1er
Posts: 1
Joined: Fri Mar 05, 2021 10:30 pm

Re: https ota with crt bundle

Postby 0dd1er » Fri Mar 05, 2021 10:35 pm

Hi,
exactly the same issue for me. -> OTA via Let's Encrypt server, -> need for bundle OTA-crt-bundle
Is there any update?

BR
0dd1er
Top
kracejic
Posts: 2
Joined: Sun May 31, 2020 6:46 pm

Re: https ota with crt bundle

Postby kracejic » Sun Jul 11, 2021 9:19 pm

Did not found a real solution, but since I am using let's encrypt, I just put their root cert there and did something on the lines of:

Code: Select all

const std::string root_cert = R"(-----BEGIN CERTIFICATE-----
MIIF6zCCBNOgAwIBAgISAxo+BGDNDfRczrd96.................................
-----END CERTIFICATE-----)";

std::string url =
    "https://XXX.com/fw/image.bin";

esp_http_client_config_t config = {
    .url = url.c_str(), 
    .cert_pem = root_cert.c_str()
    };

esp_err_t ret = esp_https_ota(&config);
if (ret == ESP_OK)
{
    printf("Update successful: %d\n", ret);
    esp_restart();
}
else
{
    printf("Update unsuccessful: %d\n", ret);
    return;
}
Forks for me.
Top
Post Reply

Return to “ESP-IDF”

Who is online

Users browsing this forum: No registered users and 105 guests