
BasicHttpsClient example rootCACertificate is outdated #10825

Open
1 task done
blueskyson opened this issue Jan 8, 2025 · 2 comments
Labels
Type: Example Issue is related to specific example.

Comments

@blueskyson

Board

ESP32 Dev Kit V1

Device Description

ESP32 Dev Kit V1

Hardware Configuration

UART0, UART2

Version

latest master (checkout manually)

IDE Name

Arduino IDE

Operating System

Ubuntu 24.04

Flash frequency

40 MHz

PSRAM enabled

no

Upload speed

115200

Description

The rootCACertificate in the BasicHttpsClient example is outdated. After checking its SSL certificate with

openssl s_client -showcerts -connect jigsaw.w3.org:443

it can be renewed to:

const char *rootCACertificate = R"string_literal(
-----BEGIN CERTIFICATE-----
MIIDejCCAmKgAwIBAgIQf+UwvzMTQ77dghYQST2KGzANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIzMTEx
NTAzNDMyMVoXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE83Rzp2iLYK5DuDXFgTB7S0md+8Fhzube
Rr1r1WEYNa5A3XP3iZEwWus87oV8okB2O6nGuEfYKueSkWpz6bFyOZ8pn6KY019e
WIZlD6GEZQbR3IvJx3PIjGov5cSr0R2Ko4H/MIH8MA4GA1UdDwEB/wQEAwIBhjAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUgEzW63T/STaj1dj8tT7FavCUHYwwHwYDVR0jBBgwFoAUYHtmGkUN
l8qJUC99BM00qP/8/UswNgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzAChhpodHRw
Oi8vaS5wa2kuZ29vZy9nc3IxLmNydDAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8v
Yy5wa2kuZ29vZy9yL2dzcjEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqG
SIb3DQEBCwUAA4IBAQAYQrsPBtYDh5bjP2OBDwmkoWhIDDkic574y04tfzHpn+cJ
odI2D4SseesQ6bDrarZ7C30ddLibZatoKiws3UL9xnELz4ct92vID24FfVbiI1hY
+SW6FoVHkNeWIP0GCbaM4C6uVdF5dTUsMVs/ZbzNnIdCp5Gxmx5ejvEau8otR/Cs
kGN+hr/W5GvT1tMBjgWKZ1i4//emhA1JG1BbPzoLJQvyEotc03lXjTaCzv8mEbep
8RqZ7a2CPsgRbuvTPBwcOMBBmuFeU88+FSBX6+7iP0il8b4Z0QFqIwwMHfs/L6K1
vepuoxtGzi4CZ68zJpiq1UvSqTbFJjtbD4seiMHl
-----END CERTIFICATE-----
)string_literal";

I've already tested on my device and it worked.

Sketch

/**
   BasicHTTPSClient.ino

    Created on: 14.10.2018

*/

#include <Arduino.h>

#include <WiFi.h>
#include <WiFiMulti.h>

#include <HTTPClient.h>

#include <NetworkClientSecure.h>

// This is a Baltimore CyberTrust cert, the root Certificate Authority that
// signed the server certificate for the demo server https://jigsaw.w3.org in this
// example. This certificate is valid until Mon, 12 May 2025 23:59:00 GMT
const char *rootCACertificate = "-----BEGIN CERTIFICATE-----\n"
                                "MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\n"
                                "RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\n"
                                "VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\n"
                                "DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\n"
                                "ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\n"
                                "VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\n"
                                "mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\n"
                                "IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\n"
                                "mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\n"
                                "XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\n"
                                "dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\n"
                                "jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\n"
                                "BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\n"
                                "DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\n"
                                "9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\n"
                                "jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\n"
                                "Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\n"
                                "ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\n"
                                "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\n"
                                "-----END CERTIFICATE-----\n";

// Not sure if NetworkClientSecure checks the validity date of the certificate.
// Setting clock just to be sure...
void setClock() {
  configTime(0, 0, "pool.ntp.org");

  Serial.print(F("Waiting for NTP time sync: "));
  time_t nowSecs = time(nullptr);
  while (nowSecs < 8 * 3600 * 2) {
    delay(500);
    Serial.print(F("."));
    yield();
    nowSecs = time(nullptr);
  }

  Serial.println();
  struct tm timeinfo;
  gmtime_r(&nowSecs, &timeinfo);
  Serial.print(F("Current time: "));
  Serial.print(asctime(&timeinfo));
}

WiFiMulti WiFiMulti;

void setup() {

  Serial.begin(115200);
  // Serial.setDebugOutput(true);

  Serial.println();
  Serial.println();
  Serial.println();

  WiFi.mode(WIFI_STA);
  WiFiMulti.addAP("SSID", "PASSWORD");

  // wait for WiFi connection
  Serial.print("Waiting for WiFi to connect...");
  while ((WiFiMulti.run() != WL_CONNECTED)) {
    Serial.print(".");
  }
  Serial.println(" connected");

  setClock();
}

void loop() {
  NetworkClientSecure *client = new NetworkClientSecure;
  if (client) {
    client->setCACert(rootCACertificate);

    {
      // Add a scoping block for HTTPClient https to make sure it is destroyed before NetworkClientSecure *client is
      HTTPClient https;

      Serial.print("[HTTPS] begin...\n");
      if (https.begin(*client, "https://jigsaw.w3.org/HTTP/connection.html")) {  // HTTPS
        Serial.print("[HTTPS] GET...\n");
        // start connection and send HTTP header
        int httpCode = https.GET();

        // httpCode will be negative on error
        if (httpCode > 0) {
          // HTTP header has been send and Server response header has been handled
          Serial.printf("[HTTPS] GET... code: %d\n", httpCode);

          // file found at server
          if (httpCode == HTTP_CODE_OK || httpCode == HTTP_CODE_MOVED_PERMANENTLY) {
            String payload = https.getString();
            Serial.println(payload);
          }
        } else {
          Serial.printf("[HTTPS] GET... failed, error: %s\n", https.errorToString(httpCode).c_str());
        }

        https.end();
      } else {
        Serial.printf("[HTTPS] Unable to connect\n");
      }

      // End extra scoping block
    }

    delete client;
  } else {
    Serial.println("Unable to create client");
  }

  Serial.println();
  Serial.println("Waiting 10s before the next round...");
  delay(10000);
}

Debug Message

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:1
load:0x3fff0030,len:4832
load:0x40078000,len:16460
load:0x40080400,len:4
load:0x40080404,len:3504
entry 0x400805cc
[    17][D][esp32-hal-cpu.c:264] setCpuFrequencyMhz(): PLL: 480 / 2 = 240 Mhz, APB: 80000000 Hz
=========== Before Setup Start ===========
Chip Info:
------------------------------------------
  Model             : ESP32
  Package           : D0WD-Q5
  Revision          : 3.01
  Cores             : 2
  CPU Frequency     : 240 MHz
  XTAL Frequency    : 40 MHz
  Features Bitfield : 0x00000032
  Embedded Flash    : No
  Embedded PSRAM    : No
  2.4GHz WiFi       : Yes
  Classic BT        : Yes
  BT Low Energy     : Yes
  IEEE 802.15.4     : No
------------------------------------------
INTERNAL Memory Info:
------------------------------------------
  Total Size        :   331224 B ( 323.5 KB)
  Free Bytes        :   300288 B ( 293.2 KB)
  Allocated Bytes   :    23776 B (  23.2 KB)
  Minimum Free Bytes:   294856 B ( 287.9 KB)
  Largest Free Block:   110580 B ( 108.0 KB)
------------------------------------------
Flash Info:
------------------------------------------
  Chip Size         :  4194304 B (4 MB)
  Block Size        :    65536 B (  64.0 KB)
  Sector Size       :     4096 B (   4.0 KB)
  Page Size         :      256 B (   0.2 KB)
  Bus Speed         : 80 MHz
  Bus Mode          : QIO
------------------------------------------
Partitions Info:
------------------------------------------
                nvs : addr: 0x00009000, size:    20.0 KB, type: DATA, subtype: NVS
            otadata : addr: 0x0000E000, size:     8.0 KB, type: DATA, subtype: OTA
               app0 : addr: 0x00010000, size:  1280.0 KB, type:  APP, subtype: OTA_0
               app1 : addr: 0x00150000, size:  1280.0 KB, type:  APP, subtype: OTA_1
             spiffs : addr: 0x00290000, size:  1408.0 KB, type: DATA, subtype: SPIFFS
           coredump : addr: 0x003F0000, size:    64.0 KB, type: DATA, subtype: COREDUMP
------------------------------------------
Software Info:
------------------------------------------
  Compile Date/Time : Jan  7 2025 22:17:18
  Compile Host OS   : linux
  ESP-IDF Version   : v5.1.4-972-g632e0c2a9f-dirty
  Arduino Version   : 3.0.7
------------------------------------------
Board Info:
------------------------------------------
  Arduino Board     : ESP32_DEV
  Arduino Variant   : esp32
  Arduino FQBN      : esp32:esp32:esp32:UploadSpeed=921600,CPUFreq=240,FlashFreq=80,FlashMode=qio,FlashSize=4M,PartitionScheme=default,DebugLevel=debug,PSRAM=disabled,LoopCore=1,EventsCore=1,EraseFlash=none,JTAGAdapter=default,ZigbeeMode=default
============ Before Setup End ============
[   619][I][WiFiMulti.cpp:86] addAP(): [WIFI][APlistAdd] add SSID: HSNU-AP
Waiting for WiFi to connect...[  3416][I][WiFiMulti.cpp:129] run(): [WIFI] scan done
[  3421][I][WiFiMulti.cpp:134] run(): [WIFI] 14 networks found
[  3426][D][WiFiMulti.cpp:228] run():  --->   0: [6][DA:6C:54:2E:69:76] HSNU-AP (-47) (*) (visible)
[  3435][D][WiFiMulti.cpp:233] run():         1: [11][4C:19:5D:8D:CA:77] SpectrumSetup-71 (-61) (*) (visible)
[  3445][D][WiFiMulti.cpp:233] run():         2: [6][4C:AB:F8:0C:21:F6] SpectrumSetup-F8 (-72) (*) (visible)
[  3455][D][WiFiMulti.cpp:233] run():         3: [6][74:93:DA:3F:5D:49] SpectrumSetup-4B (-77) (*) (visible)
[  3464][D][WiFiMulti.cpp:233] run():         4: [1][14:7D:05:8F:2D:DF] SpectrumSetup-DD (-82) (*) (visible)
[  3474][D][WiFiMulti.cpp:233] run():         5: [1][B0:FC:88:30:A9:79] Exposition (-82) (*) (visible)
[  3483][D][WiFiMulti.cpp:233] run():         6: [1][F0:7B:65:C5:E7:AA] SpectrumSetup-E7A4 (-84) (*) (visible)
[  3493][D][WiFiMulti.cpp:233] run():         7: [1][44:6F:D8:11:2D:4C] B-030 (-86) (*) (visible)
[  3501][D][WiFiMulti.cpp:233] run():         8: [6][4C:19:5D:8D:F7:DA] SpectrumSetup-D4 (-86) (*) (visible)
[  3511][D][WiFiMulti.cpp:233] run():         9: [6][50:B3:B4:25:52:22] B-056 (-87) ( ) (visible)
[  3520][D][WiFiMulti.cpp:233] run():         10: [1][B0:FC:88:73:43:7B] head stuhooch (-94) (*) (visible)
[  3529][D][WiFiMulti.cpp:233] run():         11: [11][16:7F:67:D0:BB:A9] [LG_Oven]bba9 (-94) (*) (visible)
[  3539][D][WiFiMulti.cpp:233] run():         12: [1][4C:19:5D:77:0F:9D] SpectrumSetup-97 (-95) (*) (visible)
[  3548][D][WiFiMulti.cpp:233] run():         13: [1][F8:AA:3F:F5:01:63] SpectrumSetup-61 (-95) (*) (visible)
[  3558][I][WiFiMulti.cpp:249] run(): [WIFI] Connecting BSSID: DA:6C:54:2E:69:76 SSID: HSNU-AP Channel: 6 (-47)
[  3568][W][STA.cpp:537] disconnect(): STA already disconnected.
[  3715][I][WiFiMulti.cpp:272] run(): [WIFI] Connecting done.
[  3721][D][WiFiMulti.cpp:273] run(): [WIFI] SSID: HSNU-AP
[  3726][D][WiFiMulti.cpp:274] run(): [WIFI] IP: 192.168.10.220
[  3732][D][WiFiMulti.cpp:275] run(): [WIFI] MAC: DA:6C:54:2E:69:76
[  3738][D][WiFiMulti.cpp:276] run(): [WIFI] Channel: 6
[  3743][D][WiFiMulti.cpp:334] resetFails(): [WIFI] Resetting failure flags
 connected
Waiting for NTP time sync: ..
Current time: Wed Jan  8 06:18:19 2025
=========== After Setup Start ============
INTERNAL Memory Info:
------------------------------------------
  Total Size        :   331224 B ( 323.5 KB)
  Free Bytes        :   251804 B ( 245.9 KB)
  Allocated Bytes   :    69412 B (  67.8 KB)
  Minimum Free Bytes:   248980 B ( 243.1 KB)
  Largest Free Block:   110580 B ( 108.0 KB)
------------------------------------------
GPIO Info:
------------------------------------------
  GPIO : BUS_TYPE[bus/unit][chan]
  --------------------------------------  
     1 : UART_TX[0]
     3 : UART_RX[0]
============ After Setup End =============
[HTTPS] begin...
[  4827][D][HTTPClient.cpp:293] beginInternal(): protocol: https, host: jigsaw.w3.org port: 443 url: /HTTP/connection.html
[HTTPS] GET...
[  4839][D][HTTPClient.cpp:574] sendRequest(): request type: 'GET' redirCount: 0

[  4847][D][NetworkManager.cpp:83] hostByName(): Clearing DNS cache
[  4857][D][NetworkManager.cpp:123] hostByName(): DNS found IPv4 104.18.22.19
[  5945][E][ssl_client.cpp:36] _handle_error(): [ssl_starttls_handshake():313]: (-9984) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
[  5960][E][NetworkClientSecure.cpp:159] connect(): start_ssl_client: connect failed: -9984
[  5969][D][HTTPClient.cpp:1105] connect(): failed connect to jigsaw.w3.org:443
[  5977][W][HTTPClient.cpp:1421] returnError(): error(-1): connection refused
[  5984][E][NetworkClient.cpp:319] setSocketOption(): fail on 0, errno: 9, "Bad file number"
[HTTPS] GET... failed, error: connection refused
[  5992][E][NetworkClient.cpp:319] setSocketOption(): fail on 0, errno: 9, "Bad file number"
[  6004][D][HTTPClient.cpp:393] disconnect(): tcp is closed


Waiting 10s before the next round...

Other Steps to Reproduce

No response

I have checked existing issues, online documentation and the Troubleshooting Guide

  • I confirm I have checked existing issues, online documentation and Troubleshooting guide.
@blueskyson blueskyson added the Status: Awaiting triage Issue is waiting for triage label Jan 8, 2025
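The two certificates quoted in this issue, inspected offline. This is an added example, not code from arduino-esp32 and not the reporter's sketch: a stdlib-only Python walker over the DER structure of a PEM certificate that reports subject, issuer, validity window and whether the certificate is self-signed, so a pinned rootCACertificate can be checked on the development machine before it is compiled into firmware. The only inputs are the two PEM blocks copied from the issue text; no names or parameters beyond the Python standard library are assumed.

```python
# Added example, not from arduino-esp32 or the reporter's sketch: a stdlib-only DER
# walker that reports subject, issuer and validity window of a pinned CA certificate.
import base64
from datetime import datetime, timezone

# Both PEMs are copied from the issue: the Baltimore root the example ships with,
# and the GTS Root R4 cross-certificate proposed as its replacement.
BALTIMORE_ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----"""
GTS_ROOT_R4_CROSS_PEM = """-----BEGIN CERTIFICATE-----
MIIDejCCAmKgAwIBAgIQf+UwvzMTQ77dghYQST2KGzANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIzMTEx
NTAzNDMyMVoXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE83Rzp2iLYK5DuDXFgTB7S0md+8Fhzube
Rr1r1WEYNa5A3XP3iZEwWus87oV8okB2O6nGuEfYKueSkWpz6bFyOZ8pn6KY019e
WIZlD6GEZQbR3IvJx3PIjGov5cSr0R2Ko4H/MIH8MA4GA1UdDwEB/wQEAwIBhjAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUgEzW63T/STaj1dj8tT7FavCUHYwwHwYDVR0jBBgwFoAUYHtmGkUN
l8qJUC99BM00qP/8/UswNgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzAChhpodHRw
Oi8vaS5wa2kuZ29vZy9nc3IxLmNydDAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8v
Yy5wa2kuZ29vZy9yL2dzcjEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqG
SIb3DQEBCwUAA4IBAQAYQrsPBtYDh5bjP2OBDwmkoWhIDDkic574y04tfzHpn+cJ
odI2D4SseesQ6bDrarZ7C30ddLibZatoKiws3UL9xnELz4ct92vID24FfVbiI1hY
+SW6FoVHkNeWIP0GCbaM4C6uVdF5dTUsMVs/ZbzNnIdCp5Gxmx5ejvEau8otR/Cs
kGN+hr/W5GvT1tMBjgWKZ1i4//emhA1JG1BbPzoLJQvyEotc03lXjTaCzv8mEbep
8RqZ7a2CPsgRbuvTPBwcOMBBmuFeU88+FSBX6+7iP0il8b4Z0QFqIwwMHfs/L6K1
vepuoxtGzi4CZ68zJpiq1UvSqTbFJjtbD4seiMHl
-----END CERTIFICATE-----"""
CN_OID = b"\x55\x04\x03"  # id-at-commonName, OID 2.5.4.3

def _tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Child TLVs of a constructed DER value (SEQUENCE or SET)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _common_name(name_der):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in _children(name_der):
        for _, attr in _children(rdn):
            (_, oid), (_, val) = _children(attr)
            if oid == CN_OID:
                return val.decode("utf-8")
    return None

def parse_cert(pem):
    """Subject/issuer CN, validity window (aware UTC datetimes), self-signed flag."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _tlv(base64.b64decode(b64), 0)  # Certificate ::= SEQUENCE {...}
    fields = _children(_children(cert)[0][1])    # members of tbsCertificate
    if fields[0][0] == 0xA0:                     # optional EXPLICIT [0] version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    # validity holds two UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18) values
    not_before, not_after = [
        datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
        .replace(tzinfo=timezone.utc) for t, v in _children(validity)]
    return {"subject_cn": _common_name(subject), "issuer_cn": _common_name(issuer),
            "not_before": not_before, "not_after": not_after,
            "self_signed": issuer == subject}

def check_anchor(pem, today=None):
    """Classify a pinned CA as of `today` ("YYYY-MM-DD"; default: current UTC time)."""
    info = parse_cert(pem)
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    status = ("not yet valid" if now < info["not_before"]
              else "expired" if now > info["not_after"] else "ok")
    return {**info, "status": status, "days_left": (info["not_after"] - now).days}

if __name__ == "__main__":  # evaluate both anchors on the date of the log in the issue
    for p in (BALTIMORE_ROOT_PEM, GTS_ROOT_R4_CROSS_PEM):
        print(check_anchor(p, "2025-01-08"))
```

Run against the date of the debug log above (2025-01-08), the shipped Baltimore root still reports "ok" with 124 days left, so the -9984 X509 failure in the log is not an expired anchor: the chain served by jigsaw.w3.org simply no longer terminates in that root, and mbedTLS has nothing in its trust store to verify it against. The proposed replacement decodes as subject "GTS Root R4" issued by "GlobalSign Root CA", i.e. a cross-certificate rather than a self-signed root, valid until 2028-01-28. setCACert accepts it as a trust anchor (the reporter confirms the sketch works with it), but the same refresh will be needed when that cross-certificate expires or when the site switches to a chain that does not pass through it; running this check against the new date-of-build is cheaper than discovering it from a -9984 on the device.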
@me-no-dev
Member

Hi @blueskyson ! Do you want to create a PR and update the certificate in the example?

@SuGlider SuGlider added Type: Example Issue is related to specific example. and removed Status: Awaiting triage Issue is waiting for triage labels Jan 8, 2025
@blueskyson
Author

@me-no-dev Sure.
