Not able to perform OTA from HTTPS server

[brahmajit]

I'm trying to perform OTA from a HTTPS server and using the advanced_https_ota example. As the readme in the root OTA folder suggests I've tried hosting the OTA server locally and everything works fine, but then I tried uploading the binary to a git repo and trying to download from there. It's most probably an issue with the certificate

I get this as the error

Code: Select all

E (18332) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (18332) esp-tls-mbedtls: Failed to verify peer certificate!
E (18342) esp-tls: Failed to open new connection
E (18352) TRANSPORT_BASE: Failed to open a new connection
E (18352) HTTP_CLIENT: Connection failed, sock < 0
E (18362) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (18372) esp_https_ota: Failed to establish HTTP connection
E (18372) advanced_https_ota_example: ESP HTTPS OTA Begin failed

I generated the certificate (as suggested in the readme) with

Code: Select all

openssl s_client -showcerts -connect github.com:443 </dev/null

. Then copied the text between BEGIN and END sections. I've tried all possible combinations of only including the last certificate, both the certificates and only the first certificates. Same with S3 bucket (public), I've tried what Mahavir suggested in this comment https://github.com/espressif/esp-idf/is ... -460917118, but still doesn't work.

[ESP_Mahavir]

Hello,

You are using wrong server URL here, correct command would be:

Code: Select all

echo "" | openssl s_client -showcerts -connect raw.githubusercontent.com:443 | sed -n "1,/Root/d; /BEGIN/,/END/p" | openssl x509 -outform PEM >ca_cert.pem

- Please note server here is `raw.githubusercontent.com`
- Additionally root certificate is last one in the chain of certs shown by `openssl` command

If you would like ready to use example, please refer to:

https://github.com/mahavirj/advanced_ht ... 562724990d

Relevant technical blog post:

https://blog.espressif.com/ota-updates- ... 5438e30c12

Hope this helps!

[ESP_Mahavir]

Alternative solution:

You may also use another feature to attach "Certificate Bundle" instead of providing individual server certificate file to ESP HTTPS OTA configuration. This approach shall work with any server e.g., Github or AWS S3

Code: Select all

diff --git examples/system/ota/simple_ota_example/main/simple_ota_example.c examples/system/ota/simple_ota_example/main/simple_ota_example.c
index b6e21605b8..3305a84370 100644
--- examples/system/ota/simple_ota_example/main/simple_ota_example.c
+++ examples/system/ota/simple_ota_example/main/simple_ota_example.c
@@ -16,6 +16,7 @@
 #include "esp_https_ota.h"
 #include "protocol_examples_common.h"
 #include "string.h"
+#include "esp_crt_bundle.h"
 
 #include "nvs.h"
 #include "nvs_flash.h"
@@ -88,7 +89,7 @@ void simple_ota_example_task(void *pvParameter)
 #endif
     esp_http_client_config_t config = {
         .url = CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL,
-        .cert_pem = (char *)server_cert_pem_start,
+        .crt_bundle_attach = esp_crt_bundle_attach,
         .event_handler = _http_event_handler,
         .keep_alive_enable = true,
 #ifdef CONFIG_EXAMPLE_FIRMWARE_UPGRADE_BIND_IF

This will have slightly higher flash footprint as we are bringing entire certificate bundle here. Please try and select the approach that best suits your requirement.

[brahmajit]

Thank you Mahavir. With the correct url, I'm able to download the binary from github. Might want to change the docs at https://github.com/espressif/esp-idf/bl ... tps-server. Are pull requests from non espressif members welcome? Then I would send one.

Also, is the openssl command same for generating certificates for AWS's S3? Because I was trying out what you mentioned in that comment, but couldn't get it to work.

[ESP_Mahavir]

Thank you Mahavir. With the correct url, I'm able to download the binary from github. Might want to change the docs at https://github.com/espressif/esp-idf/bl ... tps-server.

We will fix the documentation. Thanks for notifying.

Also, is the openssl command same for generating certificates for AWS's S3? Because I was trying out what you mentioned in that comment, but couldn't get it to work.

Yes, command remains same. Only server URL would be `s3.amazonaws.com`

Alternatively you could try "certificate bundle" solution from my earlier comment. With that approach you need not find and replace certificate based on different servers. Here is more information about this feature: https://docs.espressif.com/projects/esp ... undle.html

[brahmajit]

Yes the bundle approach is quite good and I'll use that.

Thanks for the quick response.