
How to do OTA from unknown local server

Posted: Fri Jan 25, 2019 12:06 am
by william.ferguson.au
My ESP32 devices will be deployed into environments without internet connection. They will connect to a local server from which they should retrieve any OTA.

I can generate a self signed cert that ships with the local server and ship the public key with the ESP32 binary. But since I won't know the IP address on which it is deployed I will not be able to generate a self signed cert that matches the server's location.

This means esp_https_ota() will fail the update because it won't be able to validate the certificate.
So how should I provide OTA?

William

Re: How to do OTA from unknown local server

Posted: Fri Jan 25, 2019 2:14 am
by ESP_igrr
One option is to create a single shared certificate which you will use as your private certificate authority. Devices (esp32) will use the public key of that certificate to do the verification.
Local servers will need to generate their own certificates (using their actual IP address as the common name) and use the shared certificate to sign them.
In this case, the assumption is that these local servers can store shared CA certificate and private key securely.
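The private-CA setup described above, written out as an added example (not from this thread or from ESP-IDF): one root CA whose certificate is compiled into the firmware as cert_pem, a per-server certificate issued for whatever IP the server ends up on, and a check that mirrors what the device's TLS stack will verify. The directory layout, the CA name and the 192.0.2.x addresses are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: private CA for offline OTA servers (assumed paths/names).
set -eu

make_ca() {
  dir=$1
  mkdir -p "$dir"
  # Root CA key + self-signed cert. Only ca.crt goes into the ESP32 firmware;
  # ca.key stays on the build machine and is never copied to a local server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=OTA private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

issue_server_cert() {
  dir=$1; ip=$2
  # Server key + CSR with the server's real IP as CN, plus an IP SAN: the
  # device's TLS stack matches the SAN, not only the CN, so both are set.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ip" \
    -keyout "$dir/server-$ip.key" -out "$dir/server-$ip.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" \
    > "$dir/san-$ip.cnf"
  # Sign the CSR with the shared CA (done on the build machine, not on site).
  openssl x509 -req -days 825 -in "$dir/server-$ip.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san-$ip.cnf" -out "$dir/server-$ip.crt" 2>/dev/null
}

# Returns 0 only if the leaf chains to ca.crt AND names the expected IP,
# i.e. the two things the device checks before accepting an OTA image.
verify_server_cert() {
  ca=$1; cert=$2; ip=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 &&
  openssl x509 -in "$cert" -noout -text 2>/dev/null |
    grep -qE "IP Address:$ip"'(,|$)'
}
```

Run make_ca once, then issue_server_cert for each site; ship ca.crt in the firmware and server-IP.crt plus its key to that site only.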

Re: How to do OTA from unknown local server

Posted: Fri Jan 25, 2019 5:50 pm
by fly135
Just take out the checks for cert and https in esp_https_ota and you can OTA from HTTP or HTTPS without checking the cert. Just comment out the two return ESP_FAIL lines.

Here....

    if (!config->cert_pem) {
        ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
        //return ESP_FAIL;   /* commented out: missing cert no longer aborts */
    }

    esp_http_client_handle_t client = esp_http_client_init(config);
    if (client == NULL) {
        ESP_LOGE(TAG, "Failed to initialise HTTP connection");
        return ESP_FAIL;
    }

    if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
        ESP_LOGE(TAG, "Transport is not over HTTPS");
        //return ESP_FAIL;   /* commented out: plain HTTP no longer aborts */
    }



John A

Re: How to do OTA from unknown local server

Posted: Fri Jan 25, 2019 7:19 pm
by chegewara
fly135 wrote (Fri Jan 25, 2019 5:50 pm):
Just take out the checks for cert and https in esp_https_ota and you can OTA from HTTP or HTTPS without checking the cert. Just comment out the two return ESP_FAIL lines.

Here....

    if (!config->cert_pem) {
        ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
        //return ESP_FAIL;   /* commented out: missing cert no longer aborts */
    }

    esp_http_client_handle_t client = esp_http_client_init(config);
    if (client == NULL) {
        ESP_LOGE(TAG, "Failed to initialise HTTP connection");
        return ESP_FAIL;
    }

    if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
        ESP_LOGE(TAG, "Transport is not over HTTPS");
        //return ESP_FAIL;   /* commented out: plain HTTP no longer aborts */
    }



John A
Or go easy way and turn off https for esp http client in menuconfig.

Re: How to do OTA from unknown local server

Posted: Sat Jan 26, 2019 6:57 pm
by fly135
chegewara wrote (Fri Jan 25, 2019 7:19 pm):
Or go easy way and turn off https for esp http client in menuconfig.
Not thinking that will do anything. Plus, you can OTA w/ HTTPS and w/o a certificate. Disabling HTTPS won't change the fail checks in esp_https_ota. Maybe you know something I don't, but I'm not seeing this as a workable answer.

John A

Re: How to do OTA from unknown local server

Posted: Mon Jan 28, 2019 12:13 pm
by william.ferguson.au
Thanks @fly135.

Providing OTA via HTTP seems like the sensible approach.

William