[Solved] ESP8266_Standalone_SSL : Certificate not validated

Hello,

I am new to Blynk; I installed a local server a few days ago.
At this time, I use the ESP8266_Standalone sketch (built with Arduino 1.8.6 - esp8266 2.4.2) with my local server (0.35.3), and the client (Android 2.27.0) is able to reach the server from outside (port 9443 NAT is configured correctly, and the SSL certificate too).

Problem comes when I try ESP8266_Standalone_SSL, I got a “Certificate not validated” message on the hardware side (NodeMCU 1.0).
SSL works great for the client connection (I think so) but not for the hardware connection.

Do you think I misconfigured something?

Thanks in advance for your help

Steve

Hello,

I enabled the debug level SSL+TLS_MEM in Arduino.
I got a lot of trace but I am not familiar enough with SSL and TLS to understand everything.
Above all, the connection from the Internet through port 9443 (SSL) works with the same certificate.

Why does this certificate not work for the hardware connection?
Am I wrong with my assumptions?

Thanks for your help

Steve

 1384, room 16 
tail 8
chksum 0x2d
csum 0x2d
vbb28d4a3
~ld

SDK:2.2.1(cfd48f3)/Core:2.4.2/lwIP:2.0.3(STABLE-2_0_3_RELEASE/glue:arduino-2.4.1-13-g163bb82)/BearSSL:6d1cefc
[24184] Connecting to WiFiAccessPoint
scandone
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 3
cnt 

connected with WiFiAccessPoint, channel 1
dhcp client start...
ip:192.168.0.1,mask:255.255.255.0,gw:192.168.0.254
[24687] Connected to WiFi
[24687] IP: 192.168.0.1
[24687] 
    ___  __          __
   / _ )/ /_ _____  / /__
  / _  / / // / _ \/  '_/
 /____/_/\_, /_//_/_/\_\
        /___/ v0.5.4 on NodeMCU

=== CERTIFICATE ISSUED TO ===
Common Name (CN):		blynk-cloud.com
Organization (O):		IT
Organizational Unit (OU):	Blynk Inc.
Location (L):			Kyiv
Country (C):			UA
State (ST):			Kyiv
Basic Constraints:		CA:TRUE, pathlen:10000
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		blynk-cloud.com
Organization (O):		IT
Organizational Unit (OU):	Blynk Inc.
Location (L):			Kyiv
Country (C):			UA
State (ST):			Kyiv
Not Before:			Thu Mar 17 11:58:07 2016
Not After:			Tue Mar 16 11:58:07 2021
RSA bitsize:			2048
Sig Type:			SHA256
[25249] NTP time: Fri Nov 23 11:40:45 2018
[25249] Connecting to mydomain.tld:9443
State:	sending Client Hello (1)
State:	receiving Server Hello (2)
State:	receiving Certificate (11)
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		mydomain.tld
Organization (O):		<Not Part Of Certificate>
Basic Constraints:		critical, CA:FALSE, pathlen:10000
Key Usage:			critical, Digital Signature, Key Encipherment
Subject Alt Name:		mydomain.tld 
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Not Before:			Mon Oct 22 14:00:58 2018
Not After:			Sun Jan 20 14:00:58 2019
RSA bitsize:			3072
Sig Type:			SHA256
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Basic Constraints:		critical, CA:TRUE, pathlen:0
Key Usage:			critical, Digital Signature, Key Cert Sign, CRL Sign
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		DST Root CA X3
Organization (O):		Digital Signature Trust Co.
Not Before:			Thu Mar 17 16:40:46 2016
Not After:			Wed Mar 17 16:40:46 2021
RSA bitsize:			2048
Sig Type:			SHA256
State:	receiving Server Hello Done (14)
State:	sending Client Key Exchange (16)
State:	sending Finished (16)
State:	receiving Finished (16)
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		mydomain.tld
Organization (O):		<Not Part Of Certificate>
Basic Constraints:		critical, CA:FALSE, pathlen:10000
Key Usage:			critical, Digital Signature, Key Encipherment
Subject Alt Name:		mydomain.tld 
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Not Before:			Mon Oct 22 14:00:58 2018
Not After:			Sun Jan 20 14:00:58 2019
RSA bitsize:			3072
Sig Type:			SHA256
Verify:				No trusted cert is available
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Basic Constraints:		critical, CA:TRUE, pathlen:0
Key Usage:			critical, Digital Signature, Key Cert Sign, CRL Sign
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		DST Root CA X3
Organization (O):		Digital Signature Trust Co.
Not Before:			Thu Mar 17 16:40:46 2016
Not After:			Wed Mar 17 16:40:46 2021
RSA bitsize:			2048
Sig Type:			SHA256
Verify:				No trusted cert is available
Error: No trusted cert is available
[26813] Certificate not validated
[27747] Login timeout
[29749] NTP time: Fri Nov 23 11:40:49 2018
[29749] Connecting to mydomain.tld:9443
Alert: close notify
State:	sending Client Hello (1)
State:	receiving Server Hello (2)
State:	receiving Certificate (11)
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		mydomain.tld
Organization (O):		<Not Part Of Certificate>
Basic Constraints:		critical, CA:FALSE, pathlen:10000
Key Usage:			critical, Digital Signature, Key Encipherment
Subject Alt Name:		mydomain.tld 
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Not Before:			Mon Oct 22 14:00:58 2018
Not After:			Sun Jan 20 14:00:58 2019
RSA bitsize:			3072
Sig Type:			SHA256
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Basic Constraints:		critical, CA:TRUE, pathlen:0
Key Usage:			critical, Digital Signature, Key Cert Sign, CRL Sign
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		DST Root CA X3
Organization (O):		Digital Signature Trust Co.
Not Before:			Thu Mar 17 16:40:46 2016
Not After:			Wed Mar 17 16:40:46 2021
RSA bitsize:			2048
Sig Type:			SHA256
State:	receiving Server Hello Done (14)
State:	sending Client Key Exchange (16)
State:	sending Finished (16)
State:	receiving Finished (16)
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		mydomain.tld
Organization (O):		<Not Part Of Certificate>
Basic Constraints:		critical, CA:FALSE, pathlen:10000
Key Usage:			critical, Digital Signature, Key Encipherment
Subject Alt Name:		mydomain.tld 
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Not Before:			Mon Oct 22 14:00:58 2018
Not After:			Sun Jan 20 14:00:58 2019
RSA bitsize:			3072
Sig Type:			SHA256
Verify:				No trusted cert is available
=== CERTIFICATE ISSUED TO ===
Common Name (CN):		Let's Encrypt Authority X3
Organization (O):		Let's Encrypt
Country (C):			US
Basic Constraints:		critical, CA:TRUE, pathlen:0
Key Usage:			critical, Digital Signature, Key Cert Sign, CRL Sign
=== CERTIFICATE ISSUED BY ===
Common Name (CN):		DST Root CA X3
Organization (O):		Digital Signature Trust Co.
Not Before:			Thu Mar 17 16:40:46 2016
Not After:			Wed Mar 17 16:40:46 2021
RSA bitsize:			2048
Sig Type:			SHA256
Verify:				No trusted cert is available
Error: No trusted cert is available
[31239] Certificate not validated
[32748] Login timeout

I haven’t worked with SSL on any ESP8266 devices (and I understand that they are not quite up to the needed horsepower for any real reliability)… but apparently with the Cloud server you use port 443

EDIT - oops, somehow I missed the fact that you are using a Local Server… sorry… no further insight from me :stuck_out_tongue:

Hello,

I tried with the Cloud server and it works with SSL.
So, the problem comes from local server :frowning:

Some hints to find out where the problem comes from are welcome.

Thanks for help

Steve

Automatic or Manual Let’s Encrypt… or Generate your own?

PS

Hello Gunner,

The Let’s Encrypt certificates are automatically generated.

I did not find this information about #define BLYNK_SSL_USE_LETSENCRYPT,
but it did the trick.

Many thanks.

Steve

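The trace above shows the failure exactly: before connecting, the firmware dumps the only trust anchor it carries (the self-signed blynk-cloud.com certificate, CA:TRUE), while mydomain.tld:9443 presents a chain that ends at Let's Encrypt Authority X3 issued by DST Root CA X3. Neither certificate in that chain is issued by the embedded anchor, so BearSSL reports "No trusted cert is available" and the library prints "Certificate not validated". The "NTP time" line matters as well: the device has no clock of its own, and the validity windows (the leaf runs only from Oct 22 2018 to Jan 20 2019) are checked against that fetched time. The following added example, which is not code from this thread or from the Blynk library, models that check in Python: it parses the "=== CERTIFICATE ISSUED TO/BY ===" blocks, walks the chain leaf-first, and tests whether the top of the chain is issued by an embedded anchor. It assumes CN matching as a stand-in for BearSSL's full DN comparison and signature verification, that `BLYNK_SSL_USE_LETSENCRYPT` switches the embedded anchor to the root the chain terminates at (DST Root CA X3 here), and it uses constructed excerpts of the trace as input.

```python
"""Model of the trust-anchor check behind "No trusted cert is available"."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Cert:
    subject_cn: str = ""
    issuer_cn: str = ""
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    is_ca: bool = False
    sans: List[str] = field(default_factory=list)

def parse_trace(text: str) -> List[Cert]:
    """Turn '=== CERTIFICATE ISSUED TO/BY ===' blocks into Certs, in printed order."""
    certs: List[Cert] = []
    part = None  # "subject" inside ISSUED TO, "issuer" inside ISSUED BY
    for raw in text.splitlines():
        line = raw.strip()
        if line == "=== CERTIFICATE ISSUED TO ===":
            certs.append(Cert())
            part = "subject"
        elif line == "=== CERTIFICATE ISSUED BY ===":
            part = "issuer"
        elif certs and ":" in line:
            key, _, value = line.partition(":")  # the value may contain ':' too
            key, value, cur = key.strip(), value.strip(), certs[-1]
            if key == "Common Name (CN)" and part == "subject":
                cur.subject_cn = value
            elif key == "Common Name (CN)":
                cur.issuer_cn = value
            elif key == "Basic Constraints":
                cur.is_ca = "CA:TRUE" in value
            elif key == "Subject Alt Name":
                cur.sans = value.split()
            elif key == "Not Before":
                cur.not_before = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
            elif key == "Not After":
                cur.not_after = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
    return certs

def verify_chain(chain, anchors: Set[str], hostname: str, now: datetime) -> Tuple[bool, str]:
    """Leaf first: name, validity at 'now', CA flags, issuer links, then anchor.
    CN matching stands in for BearSSL's DN comparison and signature check (assumption)."""
    if not chain:
        return False, "empty chain"
    if hostname != chain[0].subject_cn and hostname not in chain[0].sans:
        return False, f"hostname {hostname} not in certificate"
    for depth, cert in enumerate(chain):
        if cert.not_before is None or cert.not_after is None:
            return False, f"depth {depth}: no validity period"
        if not cert.not_before <= now <= cert.not_after:
            return False, f"depth {depth} ({cert.subject_cn}): not valid at {now:%Y-%m-%d}"
        if depth and (not cert.is_ca or chain[depth - 1].issuer_cn != cert.subject_cn):
            return False, f"depth {depth} ({cert.subject_cn}): not a CA or link broken"
    top = chain[-1]
    if top.issuer_cn in anchors or top.subject_cn in anchors:
        return True, f"chain ends at trusted anchor {top.issuer_cn}"
    return False, "No trusted cert is available"

# Constructed excerpt of the trace above (tabs as the device prints them):
# the chain mydomain.tld:9443 sent in 'receiving Certificate (11)'.
SERVER_CHAIN_DUMP = """\
=== CERTIFICATE ISSUED TO ===
Common Name (CN):\t\tmydomain.tld
Basic Constraints:\t\tcritical, CA:FALSE, pathlen:10000
Subject Alt Name:\t\tmydomain.tld
=== CERTIFICATE ISSUED BY ===
Common Name (CN):\t\tLet's Encrypt Authority X3
Not Before:\t\t\tMon Oct 22 14:00:58 2018
Not After:\t\t\tSun Jan 20 14:00:58 2019
=== CERTIFICATE ISSUED TO ===
Common Name (CN):\t\tLet's Encrypt Authority X3
Basic Constraints:\t\tcritical, CA:TRUE, pathlen:0
=== CERTIFICATE ISSUED BY ===
Common Name (CN):\t\tDST Root CA X3
Not Before:\t\t\tThu Mar 17 16:40:46 2016
Not After:\t\t\tWed Mar 17 16:40:46 2021
"""
DEFAULT_ANCHORS = {"blynk-cloud.com"}   # the self-signed cert the default build dumps first
# Assumption: BLYNK_SSL_USE_LETSENCRYPT embeds the root this chain terminates at instead.
LETSENCRYPT_ANCHORS = {"DST Root CA X3"}
NTP_NOW = datetime(2018, 11, 23, 11, 40, 45)   # the '[25249] NTP time' line
AFTER_LEAF_EXPIRY = datetime(2019, 2, 1)        # past the leaf's 'Not After'

def run_checks() -> Dict[str, Tuple[bool, str]]:
    chain = parse_trace(SERVER_CHAIN_DUMP)
    return {
        "default_build": verify_chain(chain, DEFAULT_ANCHORS, "mydomain.tld", NTP_NOW),
        "letsencrypt_build": verify_chain(chain, LETSENCRYPT_ANCHORS, "mydomain.tld", NTP_NOW),
        "leaf_expired": verify_chain(chain, LETSENCRYPT_ANCHORS, "mydomain.tld", AFTER_LEAF_EXPIRY),
        "wrong_host": verify_chain(chain, LETSENCRYPT_ANCHORS, "blynk-cloud.com", NTP_NOW),
    }

if __name__ == "__main__":
    for name, (ok, why) in run_checks().items():
        print(f"{name:18} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it reproduces the two outcomes in the thread (the default anchor set fails with the trace's own message, the Let's Encrypt anchor validates) and adds the two cases a practitioner will meet next: the same chain checked after the leaf's 90-day certificate has lapsed, which is why automatic renewal on the server matters, and a hostname that does not match the certificate. The real library does more than compare names (it verifies each signature against the anchor's public key), so this is a model of the trust decision, not a replacement for it.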

In the server address, are you mentioning the domain name, the public IP or just the private IP? I am also having the same issue and I am fed up now :disappointed_relieved: I use Blynk for everything; nothing out on the Internet can beat Blynk, and that’s why I want to make it work on Blynk.

Hi Nilava_Chowdhury,

Sorry for the late answer.

I use the domain name to access my server from worldwide.

Here is my working example.

```cpp
#define BLYNK_PRINT Serial

#include <ESP8266WiFi.h>

// Must be defined before the SSL header is included: it selects the
// Let's Encrypt root as the trust anchor instead of the blynk-cloud.com certificate.
#define BLYNK_SSL_USE_LETSENCRYPT
#include <BlynkSimpleEsp8266_SSL.h>

#define SERVER_URL "mydomain.tld"
#define SSL_PORT 9443

// You should get Auth Token in the Blynk App.
// Go to the Project Settings (nut icon).
char auth[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

// Your WiFi credentials.
// Set password to "" for open networks.
char ssid[] = "yourssid";
char pass[] = "passphrase";

void setup()
{
  // Debug console
  Serial.begin(115200);

  Blynk.begin(auth, ssid, pass, SERVER_URL, SSL_PORT);
}

void loop()
{
  Blynk.run();
}
```

This works for me from home, where the server is on the local network, and it also works from outside through my gateway.

Steve