The certificate is not correctly signed by the trusted CA

kubera
Posts: 23
Joined: Wed May 20, 2020 10:21 am

The certificate is not correctly signed by the trusted CA

Postby kubera » Fri May 22, 2020 12:59 pm

Hi iam trying to implement native ota example to azre iot hub. I generated ca certificate from https://www.sslforfree.com/

but iam stucked with this error.

..........................................................................................................................................................
E (9482) esp-tls: mbedtls_ssl_handshake returned -0x2700
I (9482) esp-tls: Failed to verify peer certificate!
I (9482) esp-tls: verification info: ! The certificate is not correctly signed
by the trusted CA

E (9492) esp-tls: Failed to open new connection
E (9492) TRANS_SSL: Failed to open a new connection
E (9502) HTTP_CLIENT: Connection failed, sock < 0
E (9502) native_ota_example: Failed to open HTTP connection: ESP_ERR_HTTP_CONNEC
T
E (9512) native_ota_example: Exiting task due to fatal error...

...............................................................................................................................................................

What iam doing wrong?
Is there anything to do with cipher suits?

kubera
Posts: 23
Joined: Wed May 20, 2020 10:21 am

Re: The certificate is not correctly signed by the trusted CA

Postby kubera » Sat May 23, 2020 8:28 am

a small correction I have been testing with azure app services not with specific device. i have a get url in the app services from where iam trying to download the bin file. But certficate is not gettng verfied.


kubera
Posts: 23
Joined: Wed May 20, 2020 10:21 am

Re: The certificate is not correctly signed by the trusted CA

Postby kubera » Fri May 29, 2020 7:34 am

I tried to check the ca-cert file using the link provided by you. It has gone well. but when I tried to verify the cert using OpenSSL verify ca_cert.pem in the OpenSSL command-line it got failed.
It shows ----
"
error 18 at 0 depth lookup: self-signed certificate.
error ca_cert.pem: verification failed.

"

irknowles
Posts: 2
Joined: Sat Jun 13, 2020 7:43 pm

Re: The certificate is not correctly signed by the trusted CA

Postby irknowles » Sat Jun 13, 2020 7:56 pm

Hello - I was chasing the same problem trying to perform an OTA from Amazon S3 with a bucket I created. Tried different combinations and think I found my issue. I by accident used the wrong PEM file.

So a few tricks I read up (from the net) is to hit the URL in the browser (for the upgrade file) and then go to the padlock in browser (I am using Firefox). Then click on the arrow then more information. I then have the option to View certificates. I then see some way down page: Download PEM (cert)PEM (chain).

Mistakenly I was using PEM(cert).
As soon as I tried PEM(chain) and embedded that into my esp build the system got past the CA checking.

Note - You can add more debug in TLS by setting the config flag CONFIG_MBEDTLS_DEBUG=y.

Hope this helps someone out. I cannot guarantee it will fix your issue, but hey, that's why we all do this stuff, to learn.

dzungpv
Posts: 17
Joined: Thu Mar 26, 2020 4:52 am

Re: The certificate is not correctly signed by the trusted CA

Postby dzungpv » Sat Sep 30, 2023 10:25 am

irknowles wrote:
Sat Jun 13, 2020 7:56 pm
Hello - I was chasing the same problem trying to perform an OTA from Amazon S3 with a bucket I created. Tried different combinations and think I found my issue. I by accident used the wrong PEM file.

So a few tricks I read up (from the net) is to hit the URL in the browser (for the upgrade file) and then go to the padlock in browser (I am using Firefox). Then click on the arrow then more information. I then have the option to View certificates. I then see some way down page: Download PEM (cert)PEM (chain).

Mistakenly I was using PEM(cert).
As soon as I tried PEM(chain) and embedded that into my esp build the system got past the CA checking.

Note - You can add more debug in TLS by setting the config flag CONFIG_MBEDTLS_DEBUG=y.

Hope this helps someone out. I cannot guarantee it will fix your issue, but hey, that's why we all do this stuff, to learn.
It is 3 certs, how you add it to the code? I take many hours still failed.

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 63 guests