https client: Failed to verify peer certificate

zamek42@gmail.com
Posts: 34
Joined: Sat Dec 02, 2017 7:27 pm

https client: Failed to verify peer certificate

Postby zamek42@gmail.com » Tue Apr 27, 2021 8:08 am

Hi All,
I would like to download a simple file from a web server with https.
I'd downloaded the certificate from server with firefox and I'd stored it with ca_cert.pem named text file. It is a correct server cert.
I tried this code:

Code: Select all

      extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start");
      extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end");
      ...
     esp_err_t res=esp_tls_init_global_ca_store();
     res=esp_tls_set_global_ca_store(server_cert_pem_start, server_cert_pem_end-server_cert_pem_start); 
    esp_http_client_config_t config = {
			.url=UPDATE_JSON_URL,
			.transport_type=HTTP_TRANSPORT_OVER_SSL,
			.event_handler=http_event_handler,
			.skip_cert_common_name_check=true,
			.cert_pem=(char *) server_cert_pem_start
	};

	esp_http_client_handle_t client=esp_http_client_init(&config);
	res=esp_http_client_perform(client);
When I run this code I've got an error:
E (5481) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
I (5481) esp-tls-mbedtls: Failed to verify peer certificate!
I (5501) esp-tls-mbedtls: verification info: ! The certificate is not correctly signed by the trusted CA

E (5501) esp-tls: Failed to open new connection
E (5511) TRANSPORT_BASE: Failed to open a new connection
E (5511) HTTP_CLIENT: Connection failed, sock < 0

Is there an error in my code?

thx,
Zamek

zamek42@gmail.com
Posts: 34
Joined: Sat Dec 02, 2017 7:27 pm

Re: https client: Failed to verify peer certificate

Postby zamek42@gmail.com » Tue Apr 27, 2021 11:04 am

I found it,
I have to add full chained certificate to my ca_cert.pem, not only the server certificate. It works well.

rajvrk36@gmail.com
Posts: 18
Joined: Fri May 28, 2021 10:58 am

Re: https client: Failed to verify peer certificate

Postby rajvrk36@gmail.com » Thu Aug 05, 2021 8:07 am

Hello,

I'm stuck at the same problem, please can you explain How to do this? And please provide references!

Thanks for the answers :)

Regards,
Rajkumar

venugopala
Posts: 2
Joined: Mon Nov 22, 2021 11:56 am

Re: https client: Failed to verify peer certificate

Postby venugopala » Tue Feb 08, 2022 7:08 am

Hello,

I'm stuck at the same problem, please can you explain How to do this? And please provide references!

Thanks for the answers :)

Regards,
Venugopala.d

micteus127
Posts: 4
Joined: Tue Mar 15, 2022 11:44 am

Re: https client: Failed to verify peer certificate

Postby micteus127 » Thu Dec 01, 2022 6:58 pm

Hello,
I had the same problem.
With full chained certificate is meant an "extended" version.
Just open certifaction details in Firefox for example:
https://cheapsslsecurity.com/blog/how-t ... n-firefox/
Certificate.png
Certificate.png (17.05 KiB) Viewed 6719 times
BR

micteus127
Posts: 4
Joined: Tue Mar 15, 2022 11:44 am

Re: https client: Failed to verify peer certificate

Postby micteus127 » Mon Dec 05, 2022 10:33 am

Some additional notes:
in the example project (https://github.com/espressif/esp-idf/bl ... _example.c) there is a hint ;)

Code: Select all

/* Root cert for howsmyssl.com, taken from howsmyssl_com_root_cert.pem
   The PEM file was extracted from the output of this command:
   openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null
   The CA root cert is the last cert given in the chain of certs.
   To embed it in the app binary, the PEM file is named
   in the component.mk COMPONENT_EMBED_TXTFILES variable.
*/
I have now managed to use only the last certificate of it.
BR

chruge
Posts: 15
Joined: Fri Jul 21, 2023 8:06 am

Re: https client: Failed to verify peer certificate

Postby chruge » Wed Jan 24, 2024 3:03 pm

I do the same in ESP-IDF 5.1. I manage to download a file, when I place either the root certificate or the whole chain.

When I impair the server certificate, but leave the root certificate intact, I am still able to download the file, but I get the following debug code:

W (6997) esp-tls-mbedtls: mbedtls_x509_crt_parse was partly successful. No. of failed certificates: 1

I would like to either check the entire chain with no compormise or the server certificate (not the root one). Is there a setting I need to make?

Kind regards

Christian

Who is online

Users browsing this forum: No registered users and 278 guests