OTA Failure in ESP32 Due to Certificate Expiration


I had a problem with updating my IoT devices using ESP32 over the internet. The issue occurred because the SSL certificate, which is used to establish a secure connection with the server storing the updates, had expired. This prevented my devices from downloading the necessary updates.

To solve this problem without physically accessing the devices, I am considering setting up a special server called a proxy server. This server will act as a middleman between the devices and the update server, allowing the devices to get the updates through the proxy server without worrying about the expired certificate.

Note: We do not have physical access to the devices. All devices are live.

How can I do that? Please also provide other ways to resolve this issue.

Error message:
(653422): OTA Request on version 1.0.8
E (654912) esp-tls: mbedtls_ssl_handshake returned -0x2700
I (654912) esp-tls: Failed to verify the peer certificate!
I (654912) esp-tls: Verification info: ! The certificate is not correctly signed by the trusted CA.

Microcontroller: ESP32. OTA download URL statically stored in the ESP32: https://ota.s3.amazonaws.com/ota.bin

Certificate details statically stored in the ESP32:

s3.amazonaws.com
Identity: s3.amazonaws.com
Verified by: DigiCert Baltimore CA-2 G2
Expires: 25/10/19

DigiCert Baltimore CA-2 G2
Identity: DigiCert Baltimore CA-2 G2
Verified by: Baltimore CyberTrust Root
Expires: 10/05/25

Baltimore CyberTrust Root
Identity: Baltimore CyberTrust Root
Verified by: Baltimore CyberTrust Root
Expires: 12/05/25

I attempted to perform an OTA update on ESP32 devices using a static SSL certificate. I expected the update process to establish a secure connection with the S3 bucket and successfully download the firmware. However, the SSL certificate had expired, leading to an error during the update process. The expected result was a successful OTA update, but the actual outcome was a failure due to the expired certificate.

Mir On

You need to disable the use of HTTPS on the server, in which case the device will not check and the update should succeed, provided that the existing logic in the ESP32 allows you to make an HTTP connection without errors.

In the new firmware, I recommend adding a WiFi-AP function with a web server for manually updating certificates, as well as an additional option: searching for open WiFi networks for direct connection to the server via HTTP.
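A pre-flight check for the kind of pinned certificate that expired in the question, added here as an example and not code from the question or the answer: it reads the notAfter field of a DER or PEM certificate using only the Python standard library (a minimal DER walk over Certificate -> TBSCertificate -> Validity, not a full X.509 parser) and reports whether a pinned anchor has already expired or should be rotated via OTA before it does. `synthetic_cert` builds a constructed, unsigned stand-in certificate so the check runs offline; on a real firmware image, pass the embedded PEM text through `pem_to_der()` for each certificate in the chain.

```python
import base64
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long form: low bits give the byte count of the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def not_after(cert_der):
    """Walk Certificate -> TBSCertificate -> Validity and return notAfter as a UTC datetime."""
    _, pos, _ = _tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)               # TBSCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                     # optional [0] EXPLICIT version
        pos = _tlv(cert_der, pos)[2]
    for _ in range(3):                            # serialNumber, signature, issuer
        pos = _tlv(cert_der, pos)[2]
    _, pos, _ = _tlv(cert_der, pos)               # Validity SEQUENCE
    pos = _tlv(cert_der, pos)[2]                  # skip notBefore
    tag, start, end = _tlv(cert_der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(cert_der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def pem_to_der(pem):  # strips the PEM armour that firmware usually embeds as text
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def rotation_status(cert_der, now_iso, warn_days=90):
    """EXPIRED / ROTATE_SOON / OK relative to now_iso (e.g. "2023-06-01", treated as UTC)."""
    left = not_after(cert_der) - datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    if left <= timedelta(0):
        return "EXPIRED"
    return "ROTATE_SOON" if left <= timedelta(days=warn_days) else "OK"

def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed test certificate below."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def synthetic_cert(not_after_utctime):
    """Constructed stand-in (not a real certificate): only the fields not_after() walks, unsigned."""
    validity = _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, not_after_utctime.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version v3, serial 1
           + _der(0x30, b"") + _der(0x30, b"") + validity)          # empty signature, issuer
    return _der(0x30, _der(0x30, tbs))
```

Python's `%y` pivots two-digit years at 1969/2068 rather than RFC 5280's 1950 pivot, which gives identical results for any UTCTime date between 2000 and 2049.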