Page 1 of 1

https client: Failed to verify peer certificate

Posted: Tue Apr 27, 2021 8:08 am
by zamek42@gmail.com
Hi All,
I would like to download a simple file from a web server with https.
I'd downloaded the certificate from server with firefox and I'd stored it with ca_cert.pem named text file. It is a correct server cert.
I tried this code:

Code: Select all

      extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
      extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");
      ...
     esp_err_t res=esp_tls_init_global_ca_store();
     res=esp_tls_set_global_ca_store(server_cert_pem_start, server_cert_pem_end-server_cert_pem_start); 
    esp_http_client_config_t config = {
			.url=UPDATE_JSON_URL,
			.transport_type=HTTP_TRANSPORT_OVER_SSL,
			.event_handler=http_event_handler,
			.skip_cert_common_name_check=true,
			.cert_pem=(char *) server_cert_pem_start
	};

	esp_http_client_handle_t client=esp_http_client_init(&config);
	res=esp_http_client_perform(client);
When I run this code I've got an error:
E (5481) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (5481) esp-tls-mbedtls: Failed to verify peer certificate!
I (5501) esp-tls-mbedtls: verification info: ! The certificate is not correctly signed by the trusted CA

E (5501) esp-tls: Failed to open new connection
E (5511) TRANSPORT_BASE: Failed to open a new connection
E (5511) HTTP_CLIENT: Connection failed, sock < 0

Is there an error in my code?

thx,
Zamek

Re: https client: Failed to verify peer certificate

Posted: Tue Apr 27, 2021 11:04 am
by zamek42@gmail.com
I found it,
I have to add full chained certificate to my ca_cert.pem, not only the server certificate. It works well.

Re: https client: Failed to verify peer certificate

Posted: Thu Aug 05, 2021 8:07 am
by rajvrk36@gmail.com
Hello,

I'm stuck at the same problem, please can you explain How to do this? And please provide references!

Thanks for the answers :)

Regards,
Rajkumar

Re: https client: Failed to verify peer certificate

Posted: Tue Feb 08, 2022 7:08 am
by venugopala
Hello,

I'm stuck at the same problem, please can you explain How to do this? And please provide references!

Thanks for the answers :)

Regards,
Venugopala.d

Re: https client: Failed to verify peer certificate

Posted: Thu Dec 01, 2022 6:58 pm
by micteus127
Hello,
I had the same problem.
With full chained certificate is meant an "extended" version.
Just open certifaction details in Firefox for example:
https://cheapsslsecurity.com/blog/how-t ... n-firefox/
Certificate.png
Certificate.png (17.05 KiB) Viewed 6909 times
BR

Re: https client: Failed to verify peer certificate

Posted: Mon Dec 05, 2022 10:33 am
by micteus127
Some additional notes:
in the example project (https://github.com/espressif/esp-idf/bl ... _example.c) there is a hint ;)

Code: Select all

/* Root cert for howsmyssl.com, taken from howsmyssl_com_root_cert.pem
   The PEM file was extracted from the output of this command:
   openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null
   The CA root cert is the last cert given in the chain of certs.
   To embed it in the app binary, the PEM file is named
   in the component.mk COMPONENT_EMBED_TXTFILES variable.
*/
I have now managed to use only the last certificate of it.
BR

Re: https client: Failed to verify peer certificate

Posted: Wed Jan 24, 2024 3:03 pm
by chruge
I do the same in ESP-IDF 5.1. I manage to download a file, when I place either the root certificate or the whole chain.

When I impair the server certificate, but leave the root certificate intact, I am still able to download the file, but I get the following debug code:

W (6997) esp-tls-mbedtls: mbedtls_x509_crt_parse was partly successful. No. of failed certificates: 1

I would like to either check the entire chain with no compormise or the server certificate (not the root one). Is there a setting I need to make?

Kind regards

Christian