The objective of this post is to explain how to perform a GET request over HTTPS using the Arduino core on the ESP32. The tests of this ESP32 tutorial were performed using a DFRobot’s ESP-WROOM-32 device integrated in a ESP32 FireBeetle board.
Introduction
The objective of this post is to explain how to perform a GET request over HTTPS using the Arduino core on the ESP32.
Explaining in detail how HTTPS works is outside the scope of this post. So, basically HTTPS is the secure version of HTTP, meaning that the data exchanged between the server and the client is encrypted [1].
In order to establish a HTTPS connection, the server needs to provide its digital certificate, which contains its public encryption key, needed for the initial protocol handshake [1].
Nonetheless, it’s important to note that usually clients don’t know if the certificate of the server they are trying to reach is valid, meaning that they don’t know if they can trust it.
So, the certificate validation procedure checks who issued the certificate of the server we are connecting to. Then, it checks the issuer’s certificate and if we still don’t trust it, we go up another level and so on, building a certificate chain.
At some point we need to trust someone. Usually, clients trust in the Root CAs, which are at the top of the certification chain [2]. For instance, browsers have a list of CAs that they will trust when found on the certification chain. You can check here an example for Mozilla.
So, since we are going to perform our request from the ESP32 and not from a browser, this means we will need to specify the Certificate of a Certification Authority we trust for validating the certification chain for the website we are trying to reach. We will see below how to get the needed certificate.
The tests of this ESP32 tutorial were performed using a DFRobot’s ESP-WROOM-32 device integrated in a ESP32 FireBeetle board.
Getting the certificate of the Root CA
In order to perform our tests, we will contact a fake online REST API website, which is available over HTTPS. You can check here, using a web browser, the endpoint we are going to reach and confirm the information that should be returned.
To get the Certificate of the Root CA, an easy way is to access the website on Firefox and click the lock icon at the left of the URL, as can be seen at figure 1.
Note also that this endpoint of the API will return some JSON content, which should match the data received later on the Arduino program.
Figure 1 – Checking certificates on Firefox.
Then on the popup that appears you need to click the arrow highlighted in figure 2.
Figure 2 – Firefox certificate popup.
Then you should click on “More information” (my browser is in Portuguese), as highlighted in figure 3.
Figure 3 – Firefox certificate more information.
Now a new popup should open. There, click in the “View certificate” button, highlighted in figure 4.
Figure 4 – View certificate popup.
Again, a new popup should open. On the tabs on the top, select “Details”. Then, you should get to a tab with a box titled “Certificate hierarchy”, as indicated in figure 5.
This box shows the certificate chain all the way up to a Root CA in which the browser trusts. Select it and on the bottom of the popup click on the “Export” button, so we can get the certificate to use on the ESP32.
Figure 5 – Certificate chain popup.
Upon clicking the button, save it somewhere on your computer. After that, open it with a text editor such as Notepad++. You should get a result similar to figure 6.
Figure 6 – Certificate of the root CA for the test API website.
Now we must convert it to a Arduino multi-line string, so we can use it in our program. You can check below the final format, for an easy copy and paste. You can check here a trick on Notepad++ to do vertical selections, for easily pasting the extra characters needed to turn the certificate in a Arduino multi-line string.
const char* root_ca= \ "-----BEGIN CERTIFICATE-----\n" \ "MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL\n" \ "MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n" \ "BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT\n" \ "IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzA2MDAw\n" \ "MDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy\n" \ "ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N\n" \ "T0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlv\n" \ "biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSR\n" \ "FtSrYpn1PlILBs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0J\n" \ "cfRK9ChQtP6IHG4/bC8vCVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQW\n" \ "BBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/\n" \ "BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VGFAkK+qDm\n" \ "fQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdv\n" \ "GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY=\n" \ "-----END CERTIFICATE-----\n";
The Code
We will start our code by including the necessary libraries. We will include the WiFi.h library, which is needed for connecting the ESP32 to a WiFi network. We will also need the HTTPClient.h library, which will make available the class needed to perform the request.
#include <WiFi.h> #include <HTTPClient.h>
We will also need to declare two variables to hold both the WiFi network name (ssid) and password, which are needed to connect to it.
const char* ssid = "yourNetworkName"; const char* password = "yourNetworkPassword";
Finally, we will need to paste here the CA certificate we just fetched in the previous section.
const char* root_ca= \ "-----BEGIN CERTIFICATE-----\n" \ "MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL\n" \ "MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n" \ "BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT\n" \ "IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzA2MDAw\n" \ "MDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy\n" \ "ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N\n" \ "T0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlv\n" \ "biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSR\n" \ "FtSrYpn1PlILBs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0J\n" \ "cfRK9ChQtP6IHG4/bC8vCVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQW\n" \ "BBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/\n" \ "BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VGFAkK+qDm\n" \ "fQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdv\n" \ "GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY=\n" \ "-----END CERTIFICATE-----\n";
Moving on to the setup function, we will open a serial connection to output the results of our program. Then, we will connect the ESP32 to a WiFi network, using the previously declared credentials. You can check on this previous post a detailed explanation on how to connect to a WiFi network.
The full code for the setup function, which already includes the mentioned configurations, can be seen below.
void setup() {
Serial.begin(115200);
delay(1000);
WiFi.begin(ssid, password);
while (WiFi.status() != WL_CONNECTED) {
delay(1000);
Serial.println("Connecting to WiFi..");
}
Serial.println("Connected to the WiFi network");
}
We will establish the connection to the server and make the request on the Arduino main loop function.
We start by declaring an object of class HTTPClient, which will expose the methods needed to perform the request.
HTTPClient http;
Then we will call the begin method on our HTTPClient object, passing as first input the URL to which we want to make the request and as second input the root CA certificate we declared as a global variable.
This will perform the necessary initialization before we can proceed with sending the request.
Please note that the URL should have the HTTPS prefix, since we are doing an HTTPS request rather that using regular HTTP.
http.begin("https://jsonplaceholder.typicode.com/posts?userId=1", root_ca); //Specify the URL and certificate
Now, to perform the actual HTTPS GET request, we simply call the GET method on our HTTPClient object.
This method call will return an integer. If its value is greater than zero, it will correspond to the HTTP code returned by the server. If it is lesser than 0, then it corresponds to an internal error on the ESP32.
int httpCode = http.GET();
So, if the code is indeed greater than zero, we can obtain the payload of the answer returned by the server by calling the getString method of the HTTPClient object. As the name indicates, it will return a string with the response payload.
We will then print both the payload and the HTTP code.
if (httpCode > 0) { //Check for the returning code
String payload = http.getString();
Serial.println(httpCode);
Serial.println(payload);
}
else {
Serial.println("Error on HTTP request");
}
Finally, we free the resources with a call to the end method on the HTTPClient object.
http.end(); //Free the resources
The final source code can be seen below. It also includes a validation to check if we are still connected to the WiFi network before proceeding with the request.
#include <WiFi.h>
#include <HTTPClient.h>
const char* ssid = "yourNetworkName";
const char* password = "yourNetworkPass";
void setup() {
Serial.begin(115200);
delay(1000);
WiFi.begin(ssid, password);
while (WiFi.status() != WL_CONNECTED) {
delay(1000);
Serial.println("Connecting to WiFi..");
}
Serial.println("Connected to the WiFi network");
}
const char* root_ca= \
"-----BEGIN CERTIFICATE-----\n" \
"MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL\n" \
"MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n" \
"BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT\n" \
"IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzA2MDAw\n" \
"MDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy\n" \
"ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N\n" \
"T0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlv\n" \
"biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSR\n" \
"FtSrYpn1PlILBs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0J\n" \
"cfRK9ChQtP6IHG4/bC8vCVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQW\n" \
"BBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/\n" \
"BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VGFAkK+qDm\n" \
"fQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdv\n" \
"GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY=\n" \
"-----END CERTIFICATE-----\n";
void loop() {
if ((WiFi.status() == WL_CONNECTED)) { //Check the current connection status
HTTPClient http;
http.begin("https://jsonplaceholder.typicode.com/posts?userId=1", root_ca); //Specify the URL and certificate
int httpCode = http.GET(); //Make the request
if (httpCode > 0) { //Check for the returning code
String payload = http.getString();
Serial.println(httpCode);
Serial.println(payload);
}
else {
Serial.println("Error on HTTP request");
}
http.end(); //Free the resources
}
delay(10000);
}
Testing the code
To test the code, simply compile it and upload it to your ESP32 board using the Arduino IDE. Then open the serial monitor and check the result.
You should get an output similar to figure 7, which shows the response of the GET request getting printed to the serial monitor. This content matches the one we obtain if we access the website using a web browser.
Figure 7 – Output of the HTTPS GET request.
References
[1] https://www.instantssl.com/ssl-certificate-products/https.html
[2] https://support.dnsimple.com/articles/what-is-ssl-root-certificate/
Pingback: ESP32 Arduino: Basic Authentication | techtutorialsx
Pingback: ESP32 Arduino: Basic Authentication | techtutorialsx
this example works with or without the certificate
http.begin(“https://jsonplaceholder.typicode.com/posts?userId=1”);
Hi!
I’ve not analyzed it deeply, but from a quick look at the libraries what seems to happen when you call an HTTPS endpoint without providing a certificate is that it is identified as a secure request and a secure http client object is created, providing NULL in the certificate field.
On the link below, you can see that calling the begin method to a HTTP endpoint without certificate calls under the hood the begin method used in the tutorial passing null in the certificate argument
https://github.com/espressif/arduino-esp32/blob/master/libraries/HTTPClient/src/HTTPClient.cpp#L126
The creation of the WiFiClientSecure here:
https://github.com/espressif/arduino-esp32/blob/master/libraries/HTTPClient/src/HTTPClient.cpp#L54
On the WiFiClient secure you will see a call to a start_ssl_function, which has the certificate as parameter:
https://github.com/espressif/arduino-esp32/blob/d650ac6c3cffe5ed985127f909c2f25973d0ffbb/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp#L103
If you go to the implementation of that function, there’s a IF ELSE block that checks if the certificate is null or not, and in case it is null it sets the Certification mode to none, which means that the peer certificate is not validated
https://github.com/espressif/arduino-esp32/blob/master/libraries/WiFiClientSecure/src/ssl_client.cpp#L107
You can actually check the meaning of that constant (MBEDTLS_SSL_VERIFY_NONE) here, just do a ctrl+find a look for the section where it is described:
https://tls.mbed.org/api/ssl_8h.html#a1976b5c76af7b8b8f76c6f302828b387
If we go back to the start_ssl_function block that sets the certificate validation to none, there’s actually a logging block warning that we should use certificates for a more secure communication:
https://github.com/espressif/arduino-esp32/blob/master/libraries/WiFiClientSecure/src/ssl_client.cpp#L119
Most likely, if you turn on the ESP32 logging, this will get printed to the console (I’m not aware of the logging levels so this is just a guess).
This makes sense because encryption and authentication are two different things. So you can actually establish a connection with a server and use the public key of the certificate to start the encryption procedure without actually confirming if that certificate is valid.
If that’s the case, you only guarantee that the connection is encrypted, but you don’t guarantee that you are actually sending the data to the correct server, so even thought things are encrypted, the communication is not that much secure.
This is why it is important to provide a trusted root certificate in which you trust, so the ESP can validate the whole certificate chain.
Again this is a quick analysis, I have not analyzed the source code in detail or tested 🙂
One quick test you can also do is changing some of the characters of the certificate in the original code of the tutorial and it should no longer work, since when validating the certificate the signature will not be correct.
Note that not all the characters will work since the certificate contains some meta information that is not used in the certificate chain.
So, even if you change some characters it may still work. You need to change the characters from the key part.
You can actually check the information contained in a certificate on a decoder:
https://www.sslchecker.com/certdecoder
Best regards,
Nuno Santos
I’ve the same issue as Marco: CA doesn’t do anything. After I read your answer, I put your certificate in my sketch, but I still get connected to my own website (https is required). Maybe there’s an error or warning thrown by mbed, but I don’t know how to catch that (I work with Aruino IDE). I got a ‘1’ from the function connect, which means ‘connected’. Any suggestion would be appreciated.
Hi,
It’s important to clarify that the root CA certificate from this tutorial is most likely different for different websites.
For the website I’m reaching in this tutorial, the Root Certification authority in the certificate chain is the one pasted in the code.
If you are trying to reach your own website, then it will not work if you pass the root CA from this tutorial because it won’t be the same (unless you also got your certificate from Comodo or from someone below the chain that has Comodo as root CA)
So what you should do is using your own website root CA certificate and it should work.
In case you are using a self signed certificate, I think you can use that one (did not confirm though).
So, as I’ve answered to Marco and from the quick code analysis done at that time, my guess is that when we don’t pass a certificate and we reach a HTTPS website, the ESP32 just skips the certificate validation which is why it works.
But as mentioned, although the connection is encrypted, if we don’t validate the certificate, we are not sure to be contacting the correct peer (an attacker might just being impersonating that website) and we may be sending sensitive information to an attacker.
As mentioned, I’ve not been able to validate this, but this is my guess.
One place where you can ask to confirm this hypothesis is the ESP32 Arduino core GitHub page, since someone there that is involved in the development of the libs can provide more information on this.
In case you do and obtain an answer, please let us know since it is definitely useful information for others facing similar problems 🙂
Best regards,
Nuno Santos
Hi, thanks for answering. To clarify: I always get connected to my https website ( with no certificate, wrong certifcate or right certificate). Maybe the ESP skips verifcation in the first two cases (no and wrong), but in that case there should be (at least) some kind of warning I guess. I will ask the developer guy(s), I let you know.
You’re welcome 🙂
If that’s the case, that’s really a weird behavior and as you have mentioned, it should indeed return an error or something that let us know the certificate was wrong.
One thing that I’ve tested is arbitrarily change some parts of the certificate and it starts giving an error while sending the request.
Nonetheless I’ve tested this a while ago and I don’t recall if I tested reaching a website using the certificate from another, but I think I did not.
I’m really interested in hearing from the developers of the Arduino core and what’s their angle on this, so let us know if you get an answer 🙂
If I come across more information regarding this behavior I will make sure to share it.
Looking forward to hear more on this 🙂
Best regards,
Nuno Santos
Hi,
My results so far (just FYI, I think you better do not place this response directly on your site because it will bring up more questions than it answers):
1: I’ve contacted Copercini, who made the wificlientsecure library. He’s short in words, but he told me to open the logmenu in Arduino IDE for error and warning messages. Unfortunately, I can’t open this menu for any of the listed ESP32 boards (I can for the ESP8266).
Anyway, I added a few lines in the wificlientsecure example sketch, because there’s a function called lastError(), which gives you the error codes, if generated. It is a hex number, and explained in x509.h file. E.g. 0x2700 should be thrown when the certificate check has failed.
2. As you already mentioned: if you don’t pass the certificate, the function to check it will not be called. You only use encryption, but you’re not sure to whom…
3. For me, the most interesting part: As you said on your example, I put the root certifcate in the Arduino sketch. I used the one on MY website, and to see if it rejected communication if I use another: I used the root certificate from YOUR (this) website. In both cases, I could connect to my own website.
But after some other experiments with other certificates, I couldn’t indeed connect to my website, and got error 0x2700!
After futher investigation, I found out that the root certificates of both websites (yours and mine), are exactly the same. The CA is DST Root CA X3. That explains why changing the certificate has no effect. It was just pure (or bad) luck that both were the same…
So, instead of using the upper (root) certificate, you should use the lower, that’s the unique one for your (and all other) website.
So far my findings, hope to hear from you if I misunderstood items.
Regards, George
Thank you very much for your feedback 🙂
Your findings are very interesting indeed.
Regarding point 3, if the root CAs are the same, them it makes sense for the ESP32 to accept the certificate as valid.
When you experimented with other certificates and got an error, it meant than the root CAs were different, and it makes sense for the ESP32 to not allow the connection.
But note that it’s totally normal that multiple sites share the same root CA.
CAs are authorities that are dedicated precisely to issue certificates, so there’s a limited number of CAs issuing certificates for all the websites.
Note that this doesn’t mean you should use the lower level certificate by any means, because that would be insecure, at least in regular web browsing.
We have Certification Authorities precisely because we cannot trust in the lower lever certificates (the ones from the websites we directly contact) for authentication.
This is because anyone can generate a self signed valid certificate (it’s trivial, a couple of command line commands).
So, for the millions of websites you have around the web, you would have to trust them all because they would all have their own certificates.
Then, an attacker could simply create a fake website and your browser would trust it because the lower level certificate was valid, although no one trusted had verified the entity behind it.
So, instead of trusting lower level certificates, what browsers do is having a list of trusted authorities and their certificates.
Then, when you contact a website, its certificate says who issued it.
Then browser fetches the issuer certificate and check if it trusts him. If not, it goes up the certification chain to whoever issued that certificate and so on, to the root, which should be a trusted CA.
If you go up all the chain and don’t find a CA you trust, then you should not trust the website you are trying to reach, and you should not send information to it.
Note that CAs should confirm that the entities to whom they issue certificates are legit.
So, this is how it should be done “by the book”, at least in terms of web browsing.
I’m not sure if in the case of IoT where you probably want to reach a single server that you know for certain has that certificate, you can hardcode and trust it without this chain validation. That’s surely an interesting question that I would like to know an answer from a security expert 🙂
Thanks again for sharing your findings and let us know if you discover more info, this has been an interesting topic so far and, as you said, there are some questions yet to answer.
As a final note, please take in consideration that security is something very sensitive and if you are working in some kind of comercial device, I would recommend asking advice from a security expert.
And of course if someone wants to add something else or some of the information is incorrect or inaccurate, please let us know 🙂
Best regards,
Nuno Santos
this example works with or without the certificate
http.begin(“https://jsonplaceholder.typicode.com/posts?userId=1”);
Hi!
I’ve not analyzed it deeply, but from a quick look at the libraries what seems to happen when you call an HTTPS endpoint without providing a certificate is that it is identified as a secure request and a secure http client object is created, providing NULL in the certificate field.
On the link below, you can see that calling the begin method to a HTTP endpoint without certificate calls under the hood the begin method used in the tutorial passing null in the certificate argument
https://github.com/espressif/arduino-esp32/blob/master/libraries/HTTPClient/src/HTTPClient.cpp#L126
The creation of the WiFiClientSecure here:
https://github.com/espressif/arduino-esp32/blob/master/libraries/HTTPClient/src/HTTPClient.cpp#L54
On the WiFiClient secure you will see a call to a start_ssl_function, which has the certificate as parameter:
https://github.com/espressif/arduino-esp32/blob/d650ac6c3cffe5ed985127f909c2f25973d0ffbb/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp#L103
If you go to the implementation of that function, there’s a IF ELSE block that checks if the certificate is null or not, and in case it is null it sets the Certification mode to none, which means that the peer certificate is not validated
https://github.com/espressif/arduino-esp32/blob/master/libraries/WiFiClientSecure/src/ssl_client.cpp#L107
You can actually check the meaning of that constant (MBEDTLS_SSL_VERIFY_NONE) here, just do a ctrl+find a look for the section where it is described:
https://tls.mbed.org/api/ssl_8h.html#a1976b5c76af7b8b8f76c6f302828b387
If we go back to the start_ssl_function block that sets the certificate validation to none, there’s actually a logging block warning that we should use certificates for a more secure communication:
https://github.com/espressif/arduino-esp32/blob/master/libraries/WiFiClientSecure/src/ssl_client.cpp#L119
Most likely, if you turn on the ESP32 logging, this will get printed to the console (I’m not aware of the logging levels so this is just a guess).
This makes sense because encryption and authentication are two different things. So you can actually establish a connection with a server and use the public key of the certificate to start the encryption procedure without actually confirming if that certificate is valid.
If that’s the case, you only guarantee that the connection is encrypted, but you don’t guarantee that you are actually sending the data to the correct server, so even thought things are encrypted, the communication is not that much secure.
This is why it is important to provide a trusted root certificate in which you trust, so the ESP can validate the whole certificate chain.
Again this is a quick analysis, I have not analyzed the source code in detail or tested 🙂
One quick test you can also do is changing some of the characters of the certificate in the original code of the tutorial and it should no longer work, since when validating the certificate the signature will not be correct.
Note that not all the characters will work since the certificate contains some meta information that is not used in the certificate chain.
So, even if you change some characters it may still work. You need to change the characters from the key part.
You can actually check the information contained in a certificate on a decoder:
https://www.sslchecker.com/certdecoder
Best regards,
Nuno Santos
I’ve the same issue as Marco: CA doesn’t do anything. After I read your answer, I put your certificate in my sketch, but I still get connected to my own website (https is required). Maybe there’s an error or warning thrown by mbed, but I don’t know how to catch that (I work with Aruino IDE). I got a ‘1’ from the function connect, which means ‘connected’. Any suggestion would be appreciated.
Hi,
It’s important to clarify that the root CA certificate from this tutorial is most likely different for different websites.
For the website I’m reaching in this tutorial, the Root Certification authority in the certificate chain is the one pasted in the code.
If you are trying to reach your own website, then it will not work if you pass the root CA from this tutorial because it won’t be the same (unless you also got your certificate from Comodo or from someone below the chain that has Comodo as root CA)
So what you should do is using your own website root CA certificate and it should work.
In case you are using a self signed certificate, I think you can use that one (did not confirm though).
So, as I’ve answered to Marco and from the quick code analysis done at that time, my guess is that when we don’t pass a certificate and we reach a HTTPS website, the ESP32 just skips the certificate validation which is why it works.
But as mentioned, although the connection is encrypted, if we don’t validate the certificate, we are not sure to be contacting the correct peer (an attacker might just being impersonating that website) and we may be sending sensitive information to an attacker.
As mentioned, I’ve not been able to validate this, but this is my guess.
One place where you can ask to confirm this hypothesis is the ESP32 Arduino core GitHub page, since someone there that is involved in the development of the libs can provide more information on this.
In case you do and obtain an answer, please let us know since it is definitely useful information for others facing similar problems 🙂
Best regards,
Nuno Santos
Hi, thanks for answering. To clarify: I always get connected to my https website ( with no certificate, wrong certifcate or right certificate). Maybe the ESP skips verifcation in the first two cases (no and wrong), but in that case there should be (at least) some kind of warning I guess. I will ask the developer guy(s), I let you know.
You’re welcome 🙂
If that’s the case, that’s really a weird behavior and as you have mentioned, it should indeed return an error or something that let us know the certificate was wrong.
One thing that I’ve tested is arbitrarily change some parts of the certificate and it starts giving an error while sending the request.
Nonetheless I’ve tested this a while ago and I don’t recall if I tested reaching a website using the certificate from another, but I think I did not.
I’m really interested in hearing from the developers of the Arduino core and what’s their angle on this, so let us know if you get an answer 🙂
If I come across more information regarding this behavior I will make sure to share it.
Looking forward to hear more on this 🙂
Best regards,
Nuno Santos
Hi,
My results so far (just FYI, I think you better do not place this response directly on your site because it will bring up more questions than it answers):
1: I’ve contacted Copercini, who made the wificlientsecure library. He’s short in words, but he told me to open the logmenu in Arduino IDE for error and warning messages. Unfortunately, I can’t open this menu for any of the listed ESP32 boards (I can for the ESP8266).
Anyway, I added a few lines in the wificlientsecure example sketch, because there’s a function called lastError(), which gives you the error codes, if generated. It is a hex number, and explained in x509.h file. E.g. 0x2700 should be thrown when the certificate check has failed.
2. As you already mentioned: if you don’t pass the certificate, the function to check it will not be called. You only use encryption, but you’re not sure to whom…
3. For me, the most interesting part: As you said on your example, I put the root certifcate in the Arduino sketch. I used the one on MY website, and to see if it rejected communication if I use another: I used the root certificate from YOUR (this) website. In both cases, I could connect to my own website.
But after some other experiments with other certificates, I couldn’t indeed connect to my website, and got error 0x2700!
After futher investigation, I found out that the root certificates of both websites (yours and mine), are exactly the same. The CA is DST Root CA X3. That explains why changing the certificate has no effect. It was just pure (or bad) luck that both were the same…
So, instead of using the upper (root) certificate, you should use the lower, that’s the unique one for your (and all other) website.
So far my findings, hope to hear from you if I misunderstood items.
Regards, George
Thank you very much for your feedback 🙂
Your findings are very interesting indeed.
Regarding point 3, if the root CAs are the same, them it makes sense for the ESP32 to accept the certificate as valid.
When you experimented with other certificates and got an error, it meant than the root CAs were different, and it makes sense for the ESP32 to not allow the connection.
But note that it’s totally normal that multiple sites share the same root CA.
CAs are authorities that are dedicated precisely to issue certificates, so there’s a limited number of CAs issuing certificates for all the websites.
Note that this doesn’t mean you should use the lower level certificate by any means, because that would be insecure, at least in regular web browsing.
We have Certification Authorities precisely because we cannot trust in the lower lever certificates (the ones from the websites we directly contact) for authentication.
This is because anyone can generate a self signed valid certificate (it’s trivial, a couple of command line commands).
So, for the millions of websites you have around the web, you would have to trust them all because they would all have their own certificates.
Then, an attacker could simply create a fake website and your browser would trust it because the lower level certificate was valid, although no one trusted had verified the entity behind it.
So, instead of trusting lower level certificates, what browsers do is having a list of trusted authorities and their certificates.
Then, when you contact a website, its certificate says who issued it.
Then browser fetches the issuer certificate and check if it trusts him. If not, it goes up the certification chain to whoever issued that certificate and so on, to the root, which should be a trusted CA.
If you go up all the chain and don’t find a CA you trust, then you should not trust the website you are trying to reach, and you should not send information to it.
Note that CAs should confirm that the entities to whom they issue certificates are legit.
So, this is how it should be done “by the book”, at least in terms of web browsing.
I’m not sure if in the case of IoT where you probably want to reach a single server that you know for certain has that certificate, you can hardcode and trust it without this chain validation. That’s surely an interesting question that I would like to know an answer from a security expert 🙂
Thanks again for sharing your findings and let us know if you discover more info, this has been an interesting topic so far and, as you said, there are some questions yet to answer.
As a final note, please take in consideration that security is something very sensitive and if you are working in some kind of comercial device, I would recommend asking advice from a security expert.
And of course if someone wants to add something else or some of the information is incorrect or inaccurate, please let us know 🙂
Best regards,
Nuno Santos
Thanks for the write up, seems pretty straight forward. I was hoping that you could maybe help with an issue I’m having. My issue is that the cert format doesn’t seem to becorrect.
Here is the error I get in the serial monitor when I try to perform a request.
[E][ssl_client.cpp:28] handle_error(): X509 – Format not recognized as DER or PEM
[E][ssl_client.cpp:30] handle_error(): MbedTLS message code: -10112
[E][WiFiClientSecure.cpp:108] connect(): lwip_connect_r: 22
I’m trying to get data from this site. https://newsapi.org/
Here is my multi line string for the cert value.
const char *rootCA =
“—–BEGIN CERTIFICATE—–”
“MIIE8TCCA9mgAwIBAgIRAJ/NvLD5HJ7MvXt1GVx/GIwwDQYJKoZIhvcNAQELBQAw”
“XzELMAkGA1UEBhMCRlIxDjAMBgNVBAgTBVBhcmlzMQ4wDAYDVQQHEwVQYXJpczEO”
“MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy”
“MB4XDTE3MDUwNDAwMDAwMFoXDTE5MDgwNDIzNTk1OVowVjEhMB8GA1UECxMYRG9t”
“YWluIENvbnRyb2wgVmFsaWRhdGVkMRswGQYDVQQLExJHYW5kaSBTdGFuZGFyZCBT”
“U0wxFDASBgNVBAMTC25ld3NhcGkub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A”
“MIIBCgKCAQEAkF9t9PyPXkCzoQCeFKt5OzfGaiwgetvDOESXcBV2aejt+i7j4bFP”
“wMO5k4jmXqZvLQ/BmfK4VntLB119pMYypGgN6/1Br70QH+lIIdih41qqbhaxUtir”
“dhQsyXKp0Ht07tsX3wy9MEhieK9QVIK94P5kgDO6vdQyS+zbM59ZctPT99fvVFr0”
“q2ZaYJkiS3KIhC+UyB5hkcXCmAIJ3sdRJv967QStyfP9moFw3Vj7HD4OJGQTLYZk”
“R69VVByxbXX8G8oKd8g7nBrx7Yw141hJlpcIUO59yuSHBeeY3IXwxrdnhCWob2mI”
“0CueIZ/rXGWj2uDYTg3KjVcGxXY1mVF9/QIDAQABo4IBrzCCAaswHwYDVR0jBBgw”
“FoAUs5Cn2MmvTs1hPJ98rV1/Qf1pMOowHQYDVR0OBBYEFCdmeuIPPQeWUcmMlYku”
“YYGIu6ObMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG”
“CCsGAQUFBwMBBggrBgEFBQcDAjBLBgNVHSAERDBCMDYGCysGAQQBsjEBAgIaMCcw”
“JQYIKwYBBQUHAgEWGWh0dHBzOi8vY3BzLnVzZXJ0cnVzdC5jb20wCAYGZ4EMAQIB”
“MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9HYW5k”
“aVN0YW5kYXJkU1NMQ0EyLmNybDBzBggrBgEFBQcBAQRnMGUwPAYIKwYBBQUHMAKG”
“MGh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNy”
“dDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAnBgNVHREE”
“IDAeggtuZXdzYXBpLm9yZ4IPd3d3Lm5ld3NhcGkub3JnMA0GCSqGSIb3DQEBCwUA”
“A4IBAQBNL1QG+GV2yVP9s7Qkb4scmLCuVHdpRD/6/EgJv46C1f5IQcTKcpt8N4dB”
“f0q6aMEs1kJH9gvCUQAB9d7JVuWdEhqNCnsweaXIuVjPYfdH8vFGXPdnZ/FG/PKz”
“B4fv5LBztOorHJjKNhi9QG/R0VKjmylfcPyJAQeERup3kTpwcgjkK6T0AiCU7rGM”
“r6YMG7CE3COCxwZC5kppAnpn5fcHA5vwkjdNUx92wEipsQgFSNtkBNSzHTYmn7Pp”
“mCleWReVhjWydMGIyWnWe8ZgW+rF85Ukx+1g/vgG4bUHsgVqs8sOHvwnZxVn3Exl”
“JQquWEhQUeJzxF88xE2WxDEWwifr”
“—–END CERTIFICATE—–“;
While the directions are pretty clear there I’m having a little trouble knowing field value I need to get from the details tab on the certificate viewer.
Any help would be very appreciated, I’m trying to make a news ticker with the ability to swipe through headlines & news sources with a gesture sensor.
Hi! Thanks for the feedback 🙂
You are using the certificate of the website, not the one from the root certificate authority right?
I’m not aware of all the details of both the certificate formats and what embedTLS expects, but it may be expecting a root certificate.
Can you test with the root certificate? Here is the string:
const char* root_ca= \
“—–BEGIN CERTIFICATE—–\n” \
“MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB\n” \
“iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl\n” \
“cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV\n” \
“BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw\n” \
“MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV\n” \
“BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU\n” \
“aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy\n” \
“dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\n” \
“AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B\n” \
“3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY\n” \
“tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/\n” \
“Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2\n” \
“VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT\n” \
“79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6\n” \
“c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT\n” \
“Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l\n” \
“c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee\n” \
“UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE\n” \
“Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd\n” \
“BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G\n” \
“A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF\n” \
“Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO\n” \
“VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3\n” \
“ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs\n” \
“8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR\n” \
“iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze\n” \
“Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ\n” \
“XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/\n” \
“qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB\n” \
“VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB\n” \
“L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG\n” \
“jjxDah2nGN59PRbxYvnKkKj9\n” \
“—–END CERTIFICATE—–\n”;
It seems a very interesting project you got there 🙂 what sensor are you using? I’ve both a swipe gestor sensor a couple of months ago, but did not have the chance to test it yet. Hopefully I get some time to do it.
Best regards,
Nuno Santos
I think wordpress is formatting something wrong, but please try to test it with the certificate from the root. If you follow the guide with FireFox, notice that I’m grabbing the certificate from the outermost element of the hierarchy. I’ve tried the code with that certificate and it seems to work 🙂
Don’t forget to properly format the certificate as a string, like is shown in the code.
Hope this helps!
Best regards,
Nuno Santos
Thanks for the write up, seems pretty straight forward. I was hoping that you could maybe help with an issue I’m having. My issue is that the cert format doesn’t seem to becorrect.
Here is the error I get in the serial monitor when I try to perform a request.
[E][ssl_client.cpp:28] handle_error(): X509 – Format not recognized as DER or PEM
[E][ssl_client.cpp:30] handle_error(): MbedTLS message code: -10112
[E][WiFiClientSecure.cpp:108] connect(): lwip_connect_r: 22
I’m trying to get data from this site. https://newsapi.org/
Here is my multi line string for the cert value.
const char *rootCA =
“—–BEGIN CERTIFICATE—–”
“MIIE8TCCA9mgAwIBAgIRAJ/NvLD5HJ7MvXt1GVx/GIwwDQYJKoZIhvcNAQELBQAw”
“XzELMAkGA1UEBhMCRlIxDjAMBgNVBAgTBVBhcmlzMQ4wDAYDVQQHEwVQYXJpczEO”
“MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy”
“MB4XDTE3MDUwNDAwMDAwMFoXDTE5MDgwNDIzNTk1OVowVjEhMB8GA1UECxMYRG9t”
“YWluIENvbnRyb2wgVmFsaWRhdGVkMRswGQYDVQQLExJHYW5kaSBTdGFuZGFyZCBT”
“U0wxFDASBgNVBAMTC25ld3NhcGkub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A”
“MIIBCgKCAQEAkF9t9PyPXkCzoQCeFKt5OzfGaiwgetvDOESXcBV2aejt+i7j4bFP”
“wMO5k4jmXqZvLQ/BmfK4VntLB119pMYypGgN6/1Br70QH+lIIdih41qqbhaxUtir”
“dhQsyXKp0Ht07tsX3wy9MEhieK9QVIK94P5kgDO6vdQyS+zbM59ZctPT99fvVFr0”
“q2ZaYJkiS3KIhC+UyB5hkcXCmAIJ3sdRJv967QStyfP9moFw3Vj7HD4OJGQTLYZk”
“R69VVByxbXX8G8oKd8g7nBrx7Yw141hJlpcIUO59yuSHBeeY3IXwxrdnhCWob2mI”
“0CueIZ/rXGWj2uDYTg3KjVcGxXY1mVF9/QIDAQABo4IBrzCCAaswHwYDVR0jBBgw”
“FoAUs5Cn2MmvTs1hPJ98rV1/Qf1pMOowHQYDVR0OBBYEFCdmeuIPPQeWUcmMlYku”
“YYGIu6ObMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG”
“CCsGAQUFBwMBBggrBgEFBQcDAjBLBgNVHSAERDBCMDYGCysGAQQBsjEBAgIaMCcw”
“JQYIKwYBBQUHAgEWGWh0dHBzOi8vY3BzLnVzZXJ0cnVzdC5jb20wCAYGZ4EMAQIB”
“MEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9HYW5k”
“aVN0YW5kYXJkU1NMQ0EyLmNybDBzBggrBgEFBQcBAQRnMGUwPAYIKwYBBQUHMAKG”
“MGh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNy”
“dDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAnBgNVHREE”
“IDAeggtuZXdzYXBpLm9yZ4IPd3d3Lm5ld3NhcGkub3JnMA0GCSqGSIb3DQEBCwUA”
“A4IBAQBNL1QG+GV2yVP9s7Qkb4scmLCuVHdpRD/6/EgJv46C1f5IQcTKcpt8N4dB”
“f0q6aMEs1kJH9gvCUQAB9d7JVuWdEhqNCnsweaXIuVjPYfdH8vFGXPdnZ/FG/PKz”
“B4fv5LBztOorHJjKNhi9QG/R0VKjmylfcPyJAQeERup3kTpwcgjkK6T0AiCU7rGM”
“r6YMG7CE3COCxwZC5kppAnpn5fcHA5vwkjdNUx92wEipsQgFSNtkBNSzHTYmn7Pp”
“mCleWReVhjWydMGIyWnWe8ZgW+rF85Ukx+1g/vgG4bUHsgVqs8sOHvwnZxVn3Exl”
“JQquWEhQUeJzxF88xE2WxDEWwifr”
“—–END CERTIFICATE—–“;
While the directions are pretty clear there I’m having a little trouble knowing field value I need to get from the details tab on the certificate viewer.
Any help would be very appreciated, I’m trying to make a news ticker with the ability to swipe through headlines & news sources with a gesture sensor.
Hi! Thanks for the feedback 🙂
You are using the certificate of the website, not the one from the root certificate authority right?
I’m not aware of all the details of both the certificate formats and what embedTLS expects, but it may be expecting a root certificate.
Can you test with the root certificate? Here is the string:
const char* root_ca= \
“—–BEGIN CERTIFICATE—–\n” \
“MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB\n” \
“iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl\n” \
“cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV\n” \
“BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw\n” \
“MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV\n” \
“BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU\n” \
“aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy\n” \
“dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\n” \
“AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B\n” \
“3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY\n” \
“tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/\n” \
“Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2\n” \
“VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT\n” \
“79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6\n” \
“c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT\n” \
“Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l\n” \
“c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee\n” \
“UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE\n” \
“Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd\n” \
“BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G\n” \
“A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF\n” \
“Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO\n” \
“VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3\n” \
“ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs\n” \
“8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR\n” \
“iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze\n” \
“Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ\n” \
“XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/\n” \
“qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB\n” \
“VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB\n” \
“L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG\n” \
“jjxDah2nGN59PRbxYvnKkKj9\n” \
“—–END CERTIFICATE—–\n”;
It seems a very interesting project you got there 🙂 what sensor are you using? I’ve both a swipe gestor sensor a couple of months ago, but did not have the chance to test it yet. Hopefully I get some time to do it.
Best regards,
Nuno Santos
I think wordpress is formatting something wrong, but please try to test it with the certificate from the root. If you follow the guide with FireFox, notice that I’m grabbing the certificate from the outermost element of the hierarchy. I’ve tried the code with that certificate and it seems to work 🙂
Don’t forget to properly format the certificate as a string, like is shown in the code.
Hope this helps!
Best regards,
Nuno Santos
Hi, just copy an paste your code but i get “Error on HTTP request”. Is this methode doesn’t work anymore?
regards
Nico
Hi!
I’ve just tested after copy and paste and it is working fine for me.
Can you please give it another try? Maybe it was just a temporary unavailability 🙂
Also, can you directly access the URL on a web browser? It should output some json if everything is up and running.
Best regards,
Nuno Santos
Hi, just copy an paste your code but i get “Error on HTTP request”. Is this methode doesn’t work anymore?
regards
Nico
Hi!
I’ve just tested after copy and paste and it is working fine for me.
Can you please give it another try? Maybe it was just a temporary unavailability 🙂
Also, can you directly access the URL on a web browser? It should output some json if everything is up and running.
Best regards,
Nuno Santos
Pingback: Raspberry Pi 3 Flask: Receiving HTTP POST Request from ESP32 | techtutorialsx
Pingback: Raspberry Pi 3 Flask: Receiving HTTP POST Request from ESP32 | techtutorialsx