I am trying to get the simple esp_https_ota working with the esp_crt_bundle_attach and global_ca_store, but I am missing a step on how to add the built-in crt bundle to the global CA store.
My OTA server is available over https and I am using Let's Encrypt to get valid certificates.
This code is failing:
Code:
esp_http_client_config_t config = {
    .url = "https://DOMAIN.COM/master.bin",
    .use_global_ca_store = true,
};
esp_err_t ret = esp_https_ota(&config);
Code:
E (14756) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (14766) esp-tls-mbedtls: Failed to verify peer certificate!
I (14776) esp-tls-mbedtls: verification info: ! The certificate is not correctly signed by the trusted CA
Code:
esp_tls_cfg_t cfg = {
    .crt_bundle_attach = esp_crt_bundle_attach,
};
struct esp_tls *tls = esp_tls_conn_http_new("https://DOMAIN.COM/master.bin", &cfg);
if (tls != NULL) {
    printf("Connection established... \n");
} else {
    printf("Connection failed... \n");
}
Code:
I (145666) mbedtls: ssl_tls.c:2755 => flush output
I (145676) mbedtls: ssl_tls.c:2767 <= flush output
I (145676) mbedtls: ssl_tls.c:8094 <= handshake
Connection established...
The problem
I could not find how to get esp_crt_bundle_attach into the global CA store (which is enabled with use_global_ca_store).
Is there a way to do it?
Thanks for your help!