https client: Failed to verify peer certificate

[zamek42@gmail.com]

Hi All,
I would like to download a simple file from a web server with https.
I'd downloaded the certificate from server with firefox and I'd stored it with ca_cert.pem named text file. It is a correct server cert.
I tried this code:

Code: Select all

      extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
      extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");
      ...
     esp_err_t res=esp_tls_init_global_ca_store();
     res=esp_tls_set_global_ca_store(server_cert_pem_start, server_cert_pem_end-server_cert_pem_start); 
    esp_http_client_config_t config = {
			.url=UPDATE_JSON_URL,
			.transport_type=HTTP_TRANSPORT_OVER_SSL,
			.event_handler=http_event_handler,
			.skip_cert_common_name_check=true,
			.cert_pem=(char *) server_cert_pem_start
	};

	esp_http_client_handle_t client=esp_http_client_init(&config);
	res=esp_http_client_perform(client);

When I run this code I've got an error:
E (5481) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (5481) esp-tls-mbedtls: Failed to verify peer certificate!
I (5501) esp-tls-mbedtls: verification info: ! The certificate is not correctly signed by the trusted CA

E (5501) esp-tls: Failed to open new connection
E (5511) TRANSPORT_BASE: Failed to open a new connection
E (5511) HTTP_CLIENT: Connection failed, sock < 0

Is there an error in my code?

thx,
Zamek

[zamek42@gmail.com]

I found it,
I have to add full chained certificate to my ca_cert.pem, not only the server certificate. It works well.

[rajvrk36@gmail.com]

Hello,

I'm stuck at the same problem, please can you explain How to do this? And please provide references!

Thanks for the answers

Regards,
Rajkumar

[venugopala]

Hello,

I'm stuck at the same problem, please can you explain How to do this? And please provide references!

Thanks for the answers

Regards,
Venugopala.d

[micteus127]

Hello,
I had the same problem.
With full chained certificate is meant an "extended" version.
Just open certifaction details in Firefox for example:
https://cheapsslsecurity.com/blog/how-t ... n-firefox/

Certificate.png (17.05 KiB) Viewed 6899 times

BR

[micteus127]

Some additional notes:
in the example project (https://github.com/espressif/esp-idf/bl ... _example.c) there is a hint

Code: Select all

/* Root cert for howsmyssl.com, taken from howsmyssl_com_root_cert.pem
   The PEM file was extracted from the output of this command:
   openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null
   The CA root cert is the last cert given in the chain of certs.
   To embed it in the app binary, the PEM file is named
   in the component.mk COMPONENT_EMBED_TXTFILES variable.
*/

I have now managed to use only the last certificate of it.
BR

[chruge]

I do the same in ESP-IDF 5.1. I manage to download a file, when I place either the root certificate or the whole chain.

When I impair the server certificate, but leave the root certificate intact, I am still able to download the file, but I get the following debug code:

W (6997) esp-tls-mbedtls: mbedtls_x509_crt_parse was partly successful. No. of failed certificates: 1

I would like to either check the entire chain with no compormise or the server certificate (not the root one). Is there a setting I need to make?

Kind regards

Christian