How to do OTA from unknown local server

[william.ferguson.au]

My ESP32 devices will be deployed into environments without internet connection. They will connect to a local server from which they should retrieve any OTA.

I can generate a self signed cert that ships with the local server and ship the public key with the ESP32 binary. But since I won't know the IP address on which it is deployed I will not be able to generate a self signed cert that matches the server's location.

This means

Code: Select all

 esp_https_ota()

will fail the update because it won't be able to validate the certificate.
So how should I provide OTA?

William

[ESP_igrr]

One option is to create a single shared certificate which you will use as your private certificate authority. Devices (esp32) will use the public key of that certificate to do the verification.
Local servers will need to generate thier own certificates (using their actual IP address as the common name) and use the shared certificate to sign them.
In this case, the assumption is that these local servers can store shared CA certificate and private key securely.

[fly135]

Just take out the checks for cert and https in esp_https_ota and you can OTA from HTTP or HTTPS without checking the cert. Just comment out the two return ESP_FAIL lines.

Here....

if (!config->cert_pem) {
ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
//return ESP_FAIL;
}

esp_http_client_handle_t client = esp_http_client_init(config);
if (client == NULL) {
ESP_LOGE(TAG, "Failed to initialise HTTP connection");
return ESP_FAIL;
}

if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
ESP_LOGE(TAG, "Transport is not over HTTPS");
//return ESP_FAIL;
}



John A

[chegewara]

Just take out the checks for cert and https in esp_https_ota and you can OTA from HTTP or HTTPS without checking the cert. Just comment out the two return ESP_FAIL lines.

Here....

if (!config->cert_pem) {
ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
//return ESP_FAIL;
}

esp_http_client_handle_t client = esp_http_client_init(config);
if (client == NULL) {
ESP_LOGE(TAG, "Failed to initialise HTTP connection");
return ESP_FAIL;
}

if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
ESP_LOGE(TAG, "Transport is not over HTTPS");
//return ESP_FAIL;
}



John A

Or go easy way and turn off https for esp http client in menuconfig.

[fly135]

Or go easy way and turn off https for esp http client in menuconfig.

Not thinking that will do anything. Plus, you can OTA w/ HTTPS and w/o a certificate. Disabling HTTPS won't change the fail checks in esp_https_ota. Maybe you know something I don't, but I'm not seeing this as a workable answer.

John A

[william.ferguson.au]

Thanks @fly135.

Providing OTA via HTTP seems like the sensible approach.

William