Need Help with HTTPS Get

gb.123 · Postby **gb.123** » Wed Dec 08, 2021 11:31 pm

[Codebox=cpp ]
const String URL = "https://ota.xxxx.com/api";

// Lets Encrypt Root Certificate (Self Signed)
static const char* ota_root_ca=\
"-----BEGIN CERTIFICATE-----\n" \
"MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n" \
"TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n" \
"cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n" \
"WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n" \
"ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n" \
"MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n" \
"h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n" \
"0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n" \
"A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n" \
"T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n" \
"B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n" \
"B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n" \
"KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n" \
"OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n" \
"jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n" \
"qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n" \
"rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n" \
"HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n" \
"hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n" \
"ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n" \
"3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n" \
"NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n" \
"ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n" \
"TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n" \
"jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n" \
"oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n" \
"4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n" \
"mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n" \
"emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n" \
"-----END CERTIFICATE-----\n";

HTTPClient client;

WiFiClientSecure WFSclient;

String updateCerts1(String cert_OTP)
{
        String msg = "Begin Update...";
        Serial.println(msg);
        WFSclient.setCACert(ota_root_ca);
        
        if (!WFSclient.connect(URL.c_str(), 443))
        {
            Serial.println("Connection failed!");
        } 
        else 
        {
            Serial.println("Connected to server!");
            // create HTTP request
            WFSclient.println("GET https://ota.xxxx.com HTTP/1.0");
            WFSclient.println("Host: ota.xxxx.com");
            WFSclient.println("Connection: close");
            WFSclient.println();

            Serial.print("Waiting for response ");
            while (!WFSclient.available())
            {
            delay(50); //
            Serial.print(".");
            }

            // if data is available then receive and print to Terminal
            while (WFSclient.available()) 
            {
            char c = WFSclient.read();
            Serial.write(c);
            }

            // if the server disconnected, stop the client
            if (!WFSclient.connected()) 
            {
            Serial.println();
            Serial.println("Server disconnected");
            WFSclient.stop();
            }
        }
    return "OK";
 }
    

String updateCerts2(String cert_OTP)
{
       
        
        //Connect
        String msg = "Begin Update...";
        Serial.println(msg);
        String finalURL = URL+"/OTAData/GetFile?otp="+cert_OTP;
        boolean start = client.begin(finalURL, ota_root_ca);
        msg = String(start);
        Serial.println(msg);
        
        int8_t resp = client.GET();
        msg = ("ServerResponse:"+String(resp));
        Serial.println(msg);
        if (resp > 0)
        {
            String payload = client.getString();
            msg = ("ServerPayload:"+String(payload));
            Serial.println(msg);
            int32_t payload_length = client.getSize();
            msg = ("ServerPayloadLength:"+String(payload_length));
            Serial.println(msg);
                      
           return "OK";
        }
        else
        {
            return ("Error");
        }
        client.end();
  }
    

[/Codebox]

Hi ! I am using the above code snippet to try and connect to execute a HTTPS get request, but it always throws errors:

updateCerts1(String) : this Throws : handle_error(): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Error Code : message code: -9984

updateCerts2(String) throws :
[E][ssl_client.cpp:36] _handle_error(): [start_ssl_client():202]: (-78) UNKNOWN ERROR CODE (004E)
[E][WiFiClientSecure.cpp:132] connect(): start_ssl_client: -78

Sometimes I get : Response = -56

I am using the Letsencrypt Root Certificate (4096 bits) but I have tried with creating my own CA certificate and key of 2048 bits.

I followed the following while creating my own CA :
1. Generate CAkey & CAcert (using CAKey)
2. Generate server cert (ota.xxxx.com) and signed it using CA cert and CAkey using openssl ca command
3. installed the CAcert as ota_root_ca in the above code.

Any help would be greatly appreciated !

Thanks a lot guys

chegewara · Postby **chegewara** » Thu Dec 09, 2021 9:05 pm

Code: Select all

gb.123 · Postby **gb.123** » Thu Dec 09, 2021 11:43 pm

Hi !

Thanks for your reply. I tried the certificate, but it still gives an error (though a different one now). Now for updateCerts1() it gives :

Code: Select all

[E][WiFiGeneric.cpp:685] hostByName(): DNS Failed for https://ota.xxxx.com/api
[E][WiFiClientSecure.cpp:132] connect(): start_ssl_client: -1

Could you tell me what was wrong in the cert I had set ?

Thanks once again !

chegewara · Postby **chegewara** » Thu Dec 09, 2021 11:48 pm

It is different error because its different issue.
Did you try to open that URL in browser? It looks like you have problem with server now.

gb.123 · Postby **gb.123** » Fri Dec 10, 2021 12:05 am

I see you have posted the 'R3' intermediate certificate instead of the 'ISRG Root X1' certificate for lets encrypt.

The server in browser works fine and also it works fine if I test it by sending GET request through 'POSTMAN'.
Infact even the 'ISRG Root X1' root certificate (which I posted in my code seems to work if I append "\r\n" instead of "\n" .

updateCert2() consistently doesn't work and restarts the ESP.

gb.123 · Postby **gb.123** » Fri Dec 10, 2021 6:45 pm

[Update]: The problem of unknown error code was due to the fact that port 443 was blocked by another task in esp32. The solution was to change the port.

The dns error I am seeing :

Code: Select all

E][WiFiGeneric.cpp:685] hostByName(): DNS Failed for https://ota.xxxx.com/api
[E][WiFiClientSecure.cpp:132] connect(): start_ssl_client: -1

could be due to the fact that I am using "mDNS.h".

Is there any way to manually specify the DNS for one instance of WifiClient or HTTP_Client while running mDNS ?

I tried calling mDNS.end() but still the hostname is unresolvable.

chegewara · Postby **chegewara** » Sat Dec 11, 2021 5:24 pm

chegewara wrote: ↑
Thu Dec 09, 2021 11:48 pm
Did you try to open that URL in browser? It looks like you have problem with server now.

I asked this question for a reason. When i tried to open URI to your server in browser then i got "Bad gateway error (502)".
I am using lets encrypt on my server (and not only) and CA certificate i am using is the one posted.

Code: Select all

E][WiFiGeneric.cpp:685] hostByName(): DNS Failed for https://ota.xxxx.com/api
[E][WiFiClientSecure.cpp:132] connect(): start_ssl_client: -1

This is different error and has nothing to do with certificate.

gb.123 · Postby **gb.123** » Sun Dec 12, 2021 9:29 am

@chegewara
I really appreciate your help ! Thank you so much !

You are correct that DNS error has nothing to do with certificate. It was a router problem. The server was supposed to give bad gateway error. Its fixed.

The certificate itself is not a problem, I think that there is some memory issue since after getting DNS error, I start getting the same X509 - Certificate verification failed and subsequently after 2-3 re-tries, it gives me SSL memory allocation failed.

gb.123 · Postby **gb.123** » Sun Dec 12, 2021 9:05 pm

Would it be ok if I create 2 tasks like this ?

---> xTaskCreatePinnedToCore(TASK1,"TASK1", 2048, NULL, 5, &TaskHandle,1);
This Task in turn creates :

---> xTaskCreatePinnedToCore(TASK2,"TASK2", 8192, NULL, 5, &Task2Handle,1);

Would the heap size of TASK2 be limited to 2048 (as described in TASK1 or would it be 8192 as described in TASK2 ?

Postby **ESP_Sprite** » Mon Dec 13, 2021 1:42 am

That parameter affects the stack size, not the heap size. Heap size generally is only restricted by the available RAM.

Need Help with HTTPS Get

Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Re: Need Help with HTTPS Get

Who is online

About Us

Extra

Information