Let's Encrypt's new ISRG Root X1 -> failure #100

Open
joysfera opened this issue Apr 16, 2024 · 1 comment
Labels
bug Something isn't working

joysfera commented Apr 16, 2024

Describe the bug
Built an application for ESP32 with SIM800L in early 2021; it has been working fine for almost 3 years and then it broke.

I assume it's related to the server's Let's Encrypt certificate and their recent shortening of the chain of trust:
https://letsencrypt.org/2023/07/10/cross-sign-expiration.html

I went ahead and re-generated the certificate so it now looks as follows - but it didn't help:

/* This file is auto-generated by the pycert_bearssl tool.  Do not change it manually.
 * Certificates are BearSSL br_x509_trust_anchor format.  Included certs:
 *
 * Index:    0
 * Label:    ISRG Root X1
 * Subject:  CN=ISRG Root X1,O=Internet Security Research Group,C=US
 * Domain(s): iot.t-mobile.cz
 */

Screenshots/Serial Output
When calling http.post("server", 443, "/path") I now get the following SSL errors:

(SSLClient)(SSL_ERROR)(connected): Not connected because write error is set
(SSLClient)(SSL_ERROR)(m_print_ssl_error): SSL_BR_WRITE_ERROR
(SSLClient)(SSL_ERROR)(m_start_ssl): Failed to initlalize the SSL layer
(SSLClient)(SSL_ERROR)(m_print_br_error): Unknown error code: 0

Context (please complete the following information):

  • Device Type ESP32
  • Arduino Core Version 2.0.9
  • SSLClient Version 1.6.11
  • TinyGSM 0.10.9

joysfera added the bug label Apr 16, 2024

joysfera (Author) commented

Well, after three days of hair-pulling I'm kinda giving up :-/

My code is working just fine (HTTP downloading of large binary firmware and HTTP POSTing of large JSONs) without the SSLClient library (i.e. plain HTTP to port 80) but as soon as I wrap the TinyGSM's client in the SSLClient wrapper (and change port to 443) everything stops working completely while the SSLClient library prints the following debug messages:

mConnectSSL: Start connection.
mConnectSSL: Wait for SSL handshake.
mUpdateEngine: State RECVREC
mUpdateEngine: State RECVREC
mRunUntil: SSL state changed.
mRunUntil: State RECVREC
mRunUntil: Expected bytes count: 5
                             <---------------------- here it is waiting for about 60 seconds
mRunUntil: SSL internals timed out!
mConnectSSL: Failed to initlalize the SSL layer.

The same code works fine when the TinyGSM library is thrown away and ESP32's WiFi Client is used instead. That means the SSLClient itself is OK. It just does not talk to (or cannot hear anything from) my TinyGSM for some reason (while the TinyGSM itself seems fine as it works OK unless wrapped in the SSLClient).

I'm leaving it here as kind of a heads up for others... Wish you better luck.
