
https ota with crt bundle

Posted: Sun May 31, 2020 7:04 pm
by kracejic
Hello everyone,

I am trying to get the simple esp_https_ota working with esp_crt_bundle_attach and global_ca_store, but I am missing a step on how to add the built-in crt bundle to the global CA store.
My OTA server is available over https and I am using Let's Encrypt to get valid certificates.

This code is failing:

Code:

        // use_global_ca_store only consults certificates previously loaded
        // with esp_tls_set_global_ca_store(); nothing here puts the built-in
        // bundle into that store, so peer verification has no trust anchors.
        esp_http_client_config_t config = {
            .url = "https://DOMAIN.COM/master.bin",
            .use_global_ca_store = true};

        esp_err_t ret = esp_https_ota(&config);
with output ending with:

Code:

E (14756) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (14766) esp-tls-mbedtls: Failed to verify peer certificate!
I (14776) esp-tls-mbedtls: verification info:   ! The certificate is not correctly signed by the trusted CA
But this is working:

Code:

        #include "esp_tls.h"
        #include "esp_crt_bundle.h"

        // Plain esp-tls connection with the built-in bundle attached.
        esp_tls_cfg_t cfg = {
            .crt_bundle_attach = esp_crt_bundle_attach,
        };
        struct esp_tls *tls = esp_tls_conn_http_new("https://DOMAIN.COM/master.bin", &cfg);
        if(tls != NULL) {
            printf("Connection established... \n");
            esp_tls_conn_delete(tls);   // release the connection once the check is done
        } else {
            printf("Connection failed... \n");
        }

Code:

I (145666) mbedtls: ssl_tls.c:2755 => flush output
I (145676) mbedtls: ssl_tls.c:2767 <= flush output
I (145676) mbedtls: ssl_tls.c:8094 <= handshake
Connection established... 
So there is no problem with TLS itself; I am just not able to get the CA cert bundle into OTA.

The problem

I could not find how to get esp_crt_bundle_attach into the global CA store (which is enabled with use_global_ca_store).
Is there a way to do it?

Thanks for your help! :)

Re: https ota with crt bundle

Posted: Fri Jun 26, 2020 7:07 am
by jrakus
Bump. I have exactly the same problem. Anyone got working solution?

Re: https ota with crt bundle

Posted: Fri Mar 05, 2021 10:35 pm
by 0dd1er
Hi,
exactly the same issue for me. -> OTA via Let's Encrypt server, -> need for bundle OTA-crt-bundle
Is there any update?

BR
0dd1er

Re: https ota with crt bundle

Posted: Sun Jul 11, 2021 9:19 pm
by kracejic
Did not find a real solution, but since I am using Let's Encrypt, I just put their root cert there and did something along the lines of:

Code:

#include <string>
#include <cstdio>
#include "esp_err.h"
#include "esp_system.h"
#include "esp_https_ota.h"

// Let's Encrypt root certificate, PEM-encoded (truncated in the post).
const std::string root_cert = R"(-----BEGIN CERTIFICATE-----
MIIF6zCCBNOgAwIBAgISAxo+BGDNDfRczrd96.................................
-----END CERTIFICATE-----)";

void do_ota()
{
    std::string url =
        "https://XXX.com/fw/image.bin";

    // Hand the root certificate to the HTTP client directly instead of
    // relying on the (empty) global CA store.
    esp_http_client_config_t config = {
        .url = url.c_str(),
        .cert_pem = root_cert.c_str()
        };

    esp_err_t ret = esp_https_ota(&config);
    if (ret == ESP_OK)
    {
        printf("Update successful: %s\n", esp_err_to_name(ret));
        esp_restart();
    }
    else
    {
        printf("Update unsuccessful: %s\n", esp_err_to_name(ret));
        return;
    }
}

Works for me.
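The question in the first post (how to get the built-in bundle into the OTA client) and the cert_pem workaround in the last post both have a more direct answer in the HTTP client configuration itself: esp_http_client_config_t carries a crt_bundle_attach member, so the same esp_crt_bundle_attach callback that made the esp_tls_conn_http_new test succeed can be passed to the OTA client, with no global CA store involved. The following is an added example, not code from any poster or from ESP-IDF itself. It assumes an ESP-IDF release whose esp_http_client_config_t has the crt_bundle_attach member and whose esp_https_ota() takes an esp_https_ota_config_t (on releases where esp_https_ota() still takes esp_http_client_config_t directly, as in the thread's snippets, pass &http_config instead); that CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is enabled in menuconfig; that the network is already up; and that DOMAIN.COM is a placeholder. It is target code built with the ESP-IDF toolchain, not something that runs on a host.

```c
// Added example (not from the original posts): HTTPS OTA on ESP-IDF with the
// built-in certificate bundle attached to the HTTP client configuration.
// Assumptions (see lead-in): IDF release with crt_bundle_attach in
// esp_http_client_config_t and esp_https_ota_config_t; bundle enabled in
// menuconfig; Wi-Fi/network already connected; placeholder URL.
#include <stdio.h>
#include "esp_err.h"
#include "esp_log.h"
#include "esp_system.h"
#include "esp_crt_bundle.h"
#include "esp_http_client.h"
#include "esp_https_ota.h"

static const char *TAG = "ota_bundle";

// Fetches and installs the image at url, verifying the server certificate
// against the built-in bundle. Returns ESP_OK once the new image has been
// written and selected as the boot partition; the caller decides when to reboot.
esp_err_t ota_update_with_bundle(const char *url)
{
    esp_http_client_config_t http_config = {
        .url = url,
        // Instead of use_global_ca_store (which only works after the store has
        // been populated explicitly), give esp-tls the bundle attach callback,
        // exactly as the working esp_tls_cfg_t snippet in the thread does.
        .crt_bundle_attach = esp_crt_bundle_attach,
        .timeout_ms = 10000,
    };

    esp_https_ota_config_t ota_config = {
        .http_config = &http_config,
    };

    esp_err_t ret = esp_https_ota(&ota_config);
    if (ret != ESP_OK) {
        ESP_LOGE(TAG, "OTA failed: %s", esp_err_to_name(ret));
    }
    return ret;
}

void app_main(void)
{
    // Network bring-up is omitted here; it is assumed to have completed.
    if (ota_update_with_bundle("https://DOMAIN.COM/master.bin") == ESP_OK) {
        ESP_LOGI(TAG, "Update written, rebooting into new image");
        esp_restart();
    }
}
```

One caveat on the cert_pem workaround above: it pins a single root, so the firmware trusts exactly that issuer. Let's Encrypt has already changed the root at the top of its chains once (ISRG Root X1 took over from DST Root CA X3, which expired in September 2021), and devices that pinned the old root stopped being able to update. The bundle approach ships a set of public roots with the firmware, so a root rotation by the CA does not require a new image just to keep OTA working; either way, keep the IDF bundle (or the pinned PEM) current in each release you ship.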