
WifiClientSecure throws cert error when attempting to access api.github.com

Posted: Sun Jan 14, 2018 12:54 am
by Acroman
Attempting to hit github api for OTA process, but getting consistent certificate mismatch errors as follows:


 
  Attempting SSL/HTTPS connect to port 443 of api.github.com
  [E][ssl_client.cpp:28] handle_error(): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
  [E][ssl_client.cpp:30] handle_error(): MbedTLS message code: -9984
  [E][WiFiClientSecure.cpp:107] connect(): lwip_connect_r: 11
  Connection failed 
  
Tested working with howsmyssl.com and their root cert, but api.github.com and their root cert give the above error - tried half a dozen different ways (all certs I could find on github) and a dozen searches but nothing seems to work.

Does anyone know why this might be happening?

Thanks



Code:



// Wi-Fi credentials; left blank in the posted sketch.
const char* ssid = "";
const char* wifi_pw = "";

// Host that checkForUpdates() connects to on port 443.
const char* server = "api.github.com";

// Trust anchor handed to updateClient.setCACert() in setup().
//
// NOTE(review): the base64 below decodes to a certificate whose subject and
// issuer are both "Bitdefender Personal CA.Net-Defender" (O=Bitdefender). That
// looks like the local root an antivirus HTTPS-scanning feature installs on a
// PC, so this PEM was presumably exported from a browser whose TLS traffic was
// being inspected; confirm where it came from. The ESP32 connects directly and
// is shown the server's real chain, which this root did not sign; that is
// consistent with the "X509 - Certificate verification failed" error.
// Export the root from a machine without TLS inspection and check its
// subject/issuer before embedding it.
const char* ca_cert =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDZjCCAk6gAwIBAgIJAPGfoB4EtQnsMA0GCSqGSIb3DQEBBQUAMGAxLTArBgNV\n"
    "BAMMJEJpdGRlZmVuZGVyIFBlcnNvbmFsIENBLk5ldC1EZWZlbmRlcjEMMAoGA1UE\n"
    "CwwDSURTMRQwEgYDVQQKDAtCaXRkZWZlbmRlcjELMAkGA1UEBhMCVVMwHhcNMTAw\n"
    "MTAxMDgwMDAwWhcNMjcxMTAzMTkwMzA1WjBgMS0wKwYDVQQDDCRCaXRkZWZlbmRl\n"
    "ciBQZXJzb25hbCBDQS5OZXQtRGVmZW5kZXIxDDAKBgNVBAsMA0lEUzEUMBIGA1UE\n"
    "CgwLQml0ZGVmZW5kZXIxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOC\n"
    "AQ8AMIIBCgKCAQEAu+HgAaLiT6kLwwahUTzFFvCBKOjoRFqFvBTFUZ1Ytt7z5vml\n"
    "6mcSW5yLyMFqbvVp37Nb25iCUJSuVeqA4nePY2pN86Hv/HeolQtrBy72Vc1g6pKV\n"
    "0KlOdb0Uzsx2X6YNSg4KT8Wde/1mz8MZb2sYmKgZNeZ4RjOot3SoGmu13aC6EaOL\n"
    "U3/QZvhpBMI6BLx3skk3AyPRD/Rdq4mYjROKQTnEMWgydYBSSBV3jjXc9dAc6kz7\n"
    "ayVA2WRoX7wBgOG6lc13f0Ni7msOR1iX20WbAw3jJmJjdS1YrIefyAOfdh4nYIM4\n"
    "GdjcgecVAtKDozCZT20OYIw2rV/usqlDJTg+AwIDAQABoyMwITAPBgNVHRMBAf8E\n"
    "BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAmw3YH43K\n"
    "/EDYuVNfdYfhP9CfC+IG328V0LMbkyQ+1l+npzc3rHqQ+saigCP4jdYyDj/tfh/G\n"
    "JCv0U4mCyoZXou+QRqu1h5027cdSDj823f9jhhzh2eChHaL/oUZ1GHP4fI9gcN0Y\n"
    "VRkhQ8Ythc1HrHmlQSEIY9JO6KTq9ZvkCgJlcvb6jaJmRZwY2rJdXGmG0fCEsjkb\n"
    "goKkSJt28t68ojjT/kihTGeLiSAFMGQvkPacQpAZqU3kI9FW8+ldmFwF+v5hF3BJ\n"
    "Ymsx/t/HpkdFLwaAcu9ANWYzcAJJ3r5vl7zFW5l5oF2k0DJFzoXNgzXuLxgzwTLD\n"
    "+3BFHnpeuRMoQQ==\n"
    "-----END CERTIFICATE-----\n";

// GPIO toggled by loop().
int ledPin = 2;
// Not referenced by any code shown in this listing.
int updateEverySecs = 60;
// TLS client shared by setup() and checkForUpdates().
WiFiClientSecure updateClient;

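/**
 * Opens a TLS connection to `server` on port 443, sends one HTTP/1.0 GET for
 * "/" and echoes the raw response to Serial.
 *
 * The server certificate is checked against the CA that was given to
 * updateClient.setCACert() before this call. A failed check shows up here as
 * connect() returning false; the function then returns without sending
 * anything, so nothing is fetched from an unauthenticated peer.
 *
 * The socket is closed before returning once a connection was established.
 */
void checkForUpdates() {
  // Upper bound on how long the server may stay silent (constructed sample value).
  const unsigned long responseTimeoutMs = 10000UL;

  Serial.print("Attempting SSL/HTTPS connect to port 443 of ");
  Serial.println(server);
  if (!updateClient.connect(server, 443)) {
    Serial.println("Connection failed :(");
    return;
  }
  Serial.println("Successful connect to server on 443!");

  // Origin-form request target: the original "https:/api.github.com" was
  // neither a path nor a well-formed absolute URI.
  updateClient.println("GET / HTTP/1.0");
  updateClient.print("Host: ");
  updateClient.println(server);
  // api.github.com rejects requests that carry no User-Agent header; the
  // value here is a constructed sample.
  updateClient.println("User-Agent: esp32-ota-check");
  updateClient.println("Connection: close");
  updateClient.println();

  Serial.println("Request dispatched, awaiting response from server.");

  // Read until the server closes the connection or goes quiet for too long.
  // The original waited for the first byte with no exit condition and stopped
  // reading at the first gap between packets.
  bool gotFirstByte = false;
  unsigned long lastActivityMs = millis();
  while (updateClient.connected() || updateClient.available()) {
    if (updateClient.available()) {
      const char c = updateClient.read();
      Serial.write(c);
      gotFirstByte = true;
      lastActivityMs = millis();
    } else if (millis() - lastActivityMs > responseTimeoutMs) {
      Serial.println();
      Serial.println("!! RESPONSE TIMED OUT !!");
      break;
    } else {
      delay(50);
      if (!gotFirstByte) {
        Serial.print(".");  // progress dots only while waiting for the first byte
      }
    }
  }

  if (!updateClient.connected()) {
    Serial.println();
    Serial.println("!! SERVER DISCONNECTED !!");
  }
  // "Connection: close" was requested, so release the socket in every case.
  updateClient.stop();
}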

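/**
 * One-time initialisation: starts the serial console, configures the LED pin,
 * joins the Wi-Fi network, installs the CA certificate on updateClient and
 * runs a single update check.
 *
 * Blocks until WiFi.status() reports WL_CONNECTED.
 */
void setup()
{
  Serial.begin(115200);

  // loop() drives this pin with digitalWrite(); it has to be an output first.
  pinMode(ledPin, OUTPUT);

  Serial.print("Attempting wifi connection...");
  WiFi.begin(ssid,wifi_pw);

  while (WiFi.status() != WL_CONNECTED) {
    Serial.println(".");
    delay(100);
  }

  Serial.print("Connected to ");
  Serial.print(ssid);
  Serial.println("!");

  // Install the trust anchor before the first connect(). If verification
  // fails, the anchor is what needs fixing: on core versions that connect
  // without a CA, dropping this call would skip server authentication, which
  // an OTA check depends on.
  updateClient.setCACert(ca_cert);
  checkForUpdates();
}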

/**
 * Heartbeat blink on ledPin: 200 ms high, then 100 ms low, repeated on every
 * pass of the Arduino main loop.
 */
void loop() {
  const int onMs = 200;
  const int offMs = 100;

  digitalWrite(ledPin, HIGH);
  delay(onMs);

  digitalWrite(ledPin, LOW);
  delay(offMs);
}

Re: WifiClientSecure throws cert error when attempting to access api.github.com

Posted: Sat Oct 13, 2018 6:06 pm
by tllvllp
Hi, I know that it's been almost a year but have you managed to find a solution to the problem?
I'm relatively new to SSL/TLS and experiencing the same problem when trying to access a Mosquitto MQTT server via WifiClientSecure.

The WifiClientSecure works perfectly with the example code (like in your case)
The Mosquitto server is properly configured with SSL and can be accessed using the same certificate via the MQTT.fx java client.
But I cannot connect to the Mosquitto from the ESP32 using WifiClientSecure - the credentials are the same.

Thanks!