OTA Example Not Working On ESP32 - ESP-IDF

Mahonroy
Posts: 7
Joined: Tue Sep 21, 2021 10:53 pm

OTA Example Not Working On ESP32 - ESP-IDF

Postby Mahonroy » Thu Sep 23, 2021 4:47 pm

Hello, I was running through this example (simple_ota_example) and I am having some issues:
https://github.com/espressif/esp-idf/tr ... system/ota

I followed the steps exactly as it states. I can see my local IP address is 192.168.1.8, so I used that for the "Common Name" when creating the certificate. I copy the certificate over to the "server_certs" directory, I update the "firmware upgrade url endpoint" to "https://192.168.1.8:8070/blink.bin". While in the blink build directory, I start the server with the command "openssl s_server -WWW -key ca_key.pem -cert ca_cert.pem -port 8070".

I build and flash the firmware to an ESP32, and this is the error message I get:

I (4696) simple_ota_example: Starting OTA example
W (4806) wifi:<ba-add>idx:1 (ifx:0, 9c:c9:eb:f5:fe:e3), tid:0, ssn:0, winSize:64
I (5176) esp-tls-mbedtls: Failed to verify peer certificate!
I (5176) esp-tls-mbedtls: verification info:   ! The certificate is not correctly signed by the trusted CA

E (5186) esp-tls: Failed to open new connection
E (5196) TRANS_SSL: Failed to open a new connection
E (5206) HTTP_CLIENT: Connection failed, sock < 0
E (5206) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (5216) esp_https_ota: Failed to establish HTTP connection
E (5216) simple_ota_example: Firmware upgrade failed

** SKIP SOME LINES **

I (6174) simple_ota_example: Starting OTA example
W (6304) wifi:<ba-add>idx:1 (ifx:0, 9c:c9:eb:f5:fe:e3), tid:0, ssn:0, winSize:64
W (6364) wifi:<ba-add>idx:2 (ifx:0, 9c:c9:eb:f5:fe:e3), tid:1, ssn:0, winSize:64
E (6674) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (6674) esp-tls-mbedtls: Failed to verify peer certificate!
I (6674) esp-tls-mbedtls: verification info:   ! The certificate is not correctly signed by the trusted CA

E (6684) esp-tls: Failed to open new connection
E (6694) TRANS_SSL: Failed to open a new connection
E (6704) HTTP_CLIENT: Connection failed, sock < 0
E (6704) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (6714) esp_https_ota: Failed to establish HTTP connection
E (6714) simple_ota_example: Firmware upgrade failed

** SKIP SOME LINES **

I (5682) simple_ota_example: Starting OTA example
W (5762) wifi:<ba-add>idx:1 (ifx:0, 9c:c9:eb:f5:fe:e3), tid:0, ssn:0, winSize:64
E (23932) esp-tls: Failed to connnect to host (errno 113)
E (23932) esp-tls: Failed to open new connection
E (23932) TRANS_SSL: Failed to open a new connection
E (23932) HTTP_CLIENT: Connection failed, sock < 0
E (23942) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (23952) esp_https_ota: Failed to establish HTTP connection
E (23952) simple_ota_example: Firmware upgrade failed

** SKIP SOME LINES **

I (6172) simple_ota_example: Starting OTA example
E (24432) esp-tls: Failed to connnect to host (errno 113)
E (24432) esp-tls: Failed to open new connection
E (24432) TRANS_SSL: Failed to open a new connection
E (24432) HTTP_CLIENT: Connection failed, sock < 0
E (24442) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (24452) esp_https_ota: Failed to establish HTTP connection
E (24452) simple_ota_example: Firmware upgrade failed

I'm guessing it's trying multiple times which is why it tries it 4 times?

I tested the server by typing this into Internet Explorer: "https://localhost:8070/blink.bin", this works and I can download the file (it says it's not secure, but I ignore this).

However, if I type in the IP Address instead of localhost, it does not work, I get an error saying "Can't reach this page". I also tried 127.0.0.1 which is typically the same as "localhost" and this also did not work.
I am assuming this is where the problem lies? I don't know. I followed the example exactly as described though.

I tried typing "netstat -a -n" in a command prompt, and I see this in the list:

 TCP    [::]:8070              [::]:0                 LISTENING

And this goes away as soon as I close the server, so I think that part is working.

Any ideas what the problem might be? Thanks and any help or advice is greatly appreciated!

ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Re: OTA Example Not Working On ESP32 - ESP-IDF

Postby ESP_Mahavir » Fri Sep 24, 2021 11:45 am

Please find some troubleshooting guidelines at https://github.com/espressif/esp-idf/tr ... leshooting

Also you can check if certificate common name is not the problem by skipping the check as shown at https://github.com/espressif/esp-idf/bl ... ple.c#L111

Mahonroy
Posts: 7
Joined: Tue Sep 21, 2021 10:53 pm

Re: OTA Example Not Working On ESP32 - ESP-IDF

Postby Mahonroy » Mon Sep 27, 2021 10:41 pm

Thank you for the response.

I tried your troubleshooting suggestion, and still could not make any progress. So I ended up ditching the OpenSSL local server, and hosted the binary file on the cloud instead (Azure Blob Storage).

I can access this file from any computer/phone and it downloads just fine.

On the SDK Configuration editor, I have the URL set, I have checked "Skip server certificate CN fieldcheck", and I also checked "Allow HTTP for OTA (WARNING: ONLY FOR TESTING PURPOSE READ HELP)".

Still does not work. I get errors saying "Failed to verify peer certificate!", and "The certificate is not correctly signed by the trusted CA". I thought those settings were supposed to make it skip this step so I can test that it's working?

I (5682) simple_ota_example: Starting OTA example
W (5812) wifi:<ba-add>idx:1 (ifx:0, 9c:c9:eb:f5:fe:e3), tid:0, ssn:0, winSize:64
W (5972) wifi:<ba-add>idx:2 (ifx:0, 9c:c9:eb:f5:fe:e3), tid:1, ssn:0, winSize:64
E (6312) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (6312) esp-tls-mbedtls: Failed to verify peer certificate!
I (6312) esp-tls-mbedtls: verification info:   ! The certificate is not correctly signed by the trusted CA

E (6322) esp-tls: Failed to open new connection
E (6332) TRANS_SSL: Failed to open a new connection
E (6342) HTTP_CLIENT: Connection failed, sock < 0
E (6342) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (6352) esp_https_ota: Failed to establish HTTP connection
E (6352) simple_ota_example: Firmware upgrade failed

I am able to ping the ESP32 on the network, so it's definitely connected and online.

I now tried exporting the certificate from the Azure blob storage "blob.core.windows.net", exported it as a .cer file. I used this command to convert it to .pem file "openssl x509 -inform der -in ca_cert.cer -out ca_cert.pem". Copied that to "server_certs", re-enabled HTTPS in SDK Configuration, rebuilt, flashed.

Still doesn't work. I get the exact same errors "Failed to verify peer certificate!", "The certificate is not correctly signed by the trusted CA".

Any ideas?

Thanks again and any help is greatly appreciated.
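
The log line "The certificate is not correctly signed by the trusted CA" concerns which certificate the client was given as its trust anchor. As an added example (not part of the original posts or of ESP-IDF), this script uses the same `openssl` tool to build a constructed CA and a server certificate it signs, then checks with `openssl verify` which PEM file is accepted as the trust file; all file names and subjects are assumptions.

```shell
#!/bin/sh
# Added example: which PEM can act as the trust file for a server certificate?
# Every key, certificate and subject below is constructed for this demonstration.

# can_anchor TRUST_PEM CERT_PEM: true if CERT_PEM chains to a cert in TRUST_PEM.
can_anchor() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# is_self_signed PEM: true if issuer and subject names match (a name check only,
# the signature itself is what can_anchor verifies).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# build_demo DIR: constructed CA plus a server cert for CN=192.168.1.8 signed by it.
build_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=192.168.1.8" \
        -keyout "$d/srv_key.pem" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca_cert.pem" \
        -CAkey "$d/ca_key.pem" -CAcreateserial -days 1 \
        -out "$d/srv_cert.pem" 2>/dev/null
}

# report: try each file as the trust file for the server certificate.
report() {
    tmp=$(mktemp -d) || return 1
    build_demo "$tmp" || { rm -rf "$tmp"; return 1; }
    for trust in ca_cert.pem srv_cert.pem; do
        if is_self_signed "$tmp/$trust"; then kind=self-signed
        else kind=issued-by-another-cert; fi
        if can_anchor "$tmp/$trust" "$tmp/srv_cert.pem"; then res=accepted
        else res=rejected; fi
        echo "$trust ($kind) as trust file: server certificate $res"
    done
    rm -rf "$tmp"
}

report
```

The issuing CA is accepted, while the CA-issued server certificate used as its own trust file is rejected by OpenSSL's default chain verification. A self-signed certificate, like the one the OTA example generates, does verify against itself.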

TadeasekF
Posts: 1
Joined: Tue Jan 10, 2023 7:13 pm

Re: OTA Example Not Working On ESP32 - ESP-IDF

Postby TadeasekF » Tue Jan 10, 2023 7:15 pm

Hello,

have you solved it? I have the same issues.

Thanks.

adrian-fratila
Posts: 6
Joined: Sat May 15, 2021 2:40 pm

Re: OTA Example Not Working On ESP32 - ESP-IDF

Postby adrian-fratila » Tue Sep 05, 2023 6:19 am

Hi Mahonroy / TadeasekF,

I experience the same problem that you describe above, while trying to fetch a binary file from the Azure Blob Storage.

Did you find a solution eventually?

I would really appreciate any help, as I have already wasted a lot of time with this issue.

Thank you!

tpbedford
Posts: 31
Joined: Mon Feb 14, 2022 4:16 am

Re: OTA Example Not Working On ESP32 - ESP-IDF

Postby tpbedford » Wed Sep 06, 2023 10:07 pm

adrian-fratila wrote:
Tue Sep 05, 2023 6:19 am
Hi Mahonroy / TadeasekF,

I experience the same problem that you describe above, while trying to fetch a binary file from the Azure Blob Storage.

Did you find a solution eventually?

I would really appreciate any help, as I have already wasted a lot of time with this issue.

Thank you!

Try looking into sdkconfig:
CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY=y
or
CONFIG_ESP_TLS_INSECURE=y

adrian-fratila
Posts: 6
Joined: Sat May 15, 2021 2:40 pm

Re: OTA Example Not Working On ESP32 - ESP-IDF

Postby adrian-fratila » Sun Sep 10, 2023 10:39 am

Hi tpbedford,

Thank you for your input!

I have set those defines in the sdkconfig, and the connection to the Azure server is established, but now I get the error message as "Server failed to authenticate the request":

I(15113) APP : Opened successfully the HTTP connection
I(15273) HTTP_CLIENT : Body received in fetch header state, 0x3ffbb6da, 166
I(15293) APP : Read data : <?xml version="1.0" encoding="utf-8"?>
<Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId : 01100f54-901e-0045-18cc-e3e32c000000

I have tried various combinations for the connection setting: the url with and without the SAS at the end, and setting separately in the http header "Authorization" field the SAS value.
Also the fetch works by using Postman with the whole URL (which includes the SAS), so I suspect the problem comes from the way the connection data is sent by the esp http client.

The build uses IDF v5.0.1. Below there is the code that I have tested:

///////////////////////////////
esp_http_client_config_t config = {
    //.url = "https://name.blob.core.windows.net/test ... 0MtMgNI%3D",
    .url = "https://name.blob.core.windows.net/test/v0.0.2-fw.bin",
    .transport_type = HTTP_TRANSPORT_OVER_SSL,
    .event_handler = http_event_handler,
    .cert_pem = rootCaPem,
    .cert_len = rootCaPemLen,
    .timeout_ms = RECEIVE_TIMEOUT,
    .keep_alive_enable = true,
    .skip_cert_common_name_check = true,
    //.use_global_ca_store = true
};

esp_http_client_handle_t client = esp_http_client_init(&config);
if (client == NULL) {
    ESP_LOGE(TAG, "Failed to initialise HTTP connection");
    return;
}

esp_http_client_set_header(client, "Authorization", "SharedAccessSignature sp=r&st=2023-09-09T12:28:28Z&se=2023-09-16T20:28:28Z&spr=https&sv=2022-11-02&sr=b&sig=bUqDlofJInIc8Q7XIZW%2BJVjRUcJnPBtax91X0MtMgNI%3D");
//esp_http_client_set_header(client, "ContentType", "application/octet-stream");
esp_http_client_set_header(client, "Accept", "*/*"); // copied from Postman
esp_http_client_set_header(client, "Accept-Encoding", "gzip, deflate, br"); // copied from Postman
esp_http_client_set_header(client, "Host", "name.blob.core.windows.net");
esp_http_client_set_method(client, HTTP_METHOD_GET);

err = esp_http_client_open(client, 0);

if (err != ESP_OK) {
    ESP_LOGE(TAG, "Failed to open HTTP connection: %s", esp_err_to_name(err));
    esp_http_client_cleanup(client);
    return;
}
else {
    ESP_LOGI(TAG, "Opened successfully the HTTP connection");
}

esp_http_client_fetch_headers(client);
///////////////////////////////

Any idea on why the Azure authorization fails?

I would really appreciate any help!

Thank you!
