Trouble Accessing Flask Server on ngrok from ESP32: SSL Connection Refused

Thread Starter

MateoEV

Joined May 26, 2023
21
Hello everyone! I'm working on a project that sets up a Flask-based web server on an ngrok endpoint, allowing Internet access. The goal is to serve static files (JSON and binary) to manage OTA updates on ESP32 microcontrollers.

I've successfully deployed my Flask application using the free-tier ngrok static domain. I can access it on both my cellphone and computer without any issues. I also managed to serve a JSON file containing firmware version information for managing update requests from the ESP32. However, I encounter SSL certificate errors when trying to access the static domain via an HTTPClient instance on the microcontroller. The error occurs when this function is called:

C++:
float getFirmwareVFromServer(const char* url) {
  HTTPClient http;
  WiFiClientSecure client;
  client.setCACert(root_ca);
  http.begin(client, url);
  int httpCode = http.GET();

  float version = 0.0;

  if (httpCode > 0) {
    if (httpCode == HTTP_CODE_OK) {
      String payload = http.getString();
      Serial.println("Update Info: " + payload);

      const size_t capacity = JSON_OBJECT_SIZE(2) + 60;
      DynamicJsonDocument doc(capacity);

      DeserializationError error = deserializeJson(doc, payload);
      if (!error) {
        version = doc["last-firmware-v"].as<float>();
      } else {
        Serial.print("JSON deserialization failed: ");
        Serial.println(error.f_str());
      }
    } else {
      Serial.printf("HTTP GET failed, error: %s\n", http.errorToString(httpCode).c_str());
    }
  } else {
    Serial.printf("Unable to connect, error: %s\n", http.errorToString(httpCode).c_str());
  }

  http.end();
  return version;
}
Instead of retrieving the firmware version, I receive a connection error (line 29):

Error messages printed on Serial Monitor:
[  7124][E][ssl_client.cpp:37] _handle_error(): [start_ssl_client():273]: (-29312) SSL - The connection indicated an EOF
[  7124][E][WiFiClientSecure.cpp:144] connect(): start_ssl_client: -29312
Unable to connect, error: connection refused
This code was written using the Arduino framework on PlatformIO. It's also worth mentioning that the required SSL certificates are already included in my code (as a const char* declared with the name root_ca). However, the server is not allowing the connection to be established. Any advice on resolving this SSL issue would be greatly appreciated!
 
If you haven't done so already, check the server / SSL logs for clues.

I'll admit SSL is not an area I have dealt with yet, but the little bit of searching I did confirms it's a server issue.

Good luck!!
 

MateoEV
> If you haven't done so already, check the server / SSL logs for clues.
>
> I'll admit SSL is not an area I have dealt with yet, but the little bit of searching I did confirms it's a server issue.
>
> Good luck!!

I'll have to say I'm not familiar with SSL either, to be honest.

Interestingly, the server logs show requests made from my cellphone and computer, but there are no logs when the microcontroller tries to access it.

Very strange indeed.
 
In the example on this https://randomnerdtutorials.com/esp32-https-requests/#esp32-https-requests-wificlientsecure it shows

Code:
if (!client.connect(server, 443)) {
    Serial.println("Connection failed!");
} else {
    Serial.println("Connected to server!");
    // Make a HTTP request:
    client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
    client.println("Host: www.howsmyssl.com");
    client.println("Connection: close");
    client.println();

    while (client.connected()) {
        String line = client.readStringUntil('\n');
        if (line == "\r") {
            Serial.println("headers received");
            break;
        }
    }
    // if there are incoming bytes available
    // from the server, read them and print them:
    while (client.available()) {
        char c = client.read();
        Serial.write(c);
    }
    client.stop();
}
instead of

Code:
int httpCode = http.GET();
...
...
...
I'm going to guess http.GET() is not using HTTPS, but rather a basic HTTP request instead unless you found that in another SSL example. If you did find this somewhere else then don't pay attention to anything I said.
 

MateoEV
> I'm going to guess http.GET() is not using HTTPS, but rather a basic HTTP request instead unless you found that in another SSL example. If you did find this somewhere else then don't pay attention to anything I said.

It could be. I altered my function momentarily based on the tutorial you shared. Connection still cannot be established but the error code changed:

Error code shown on Serial monitor:
[  5902][E][ssl_client.cpp:37] _handle_error(): [start_ssl_client():273]: (-9984) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
[  5906][E][WiFiClientSecure.cpp:144] connect(): start_ssl_client: -9984
Connection failed!
It seems like the certificates are somehow not set properly on the microcontroller or maybe I'm missing some extra certificate.
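
Added example, not part of the thread: one way error -9984 arises is a CA loaded with setCACert() that did not issue the server's certificate. The script below reproduces that check offline with throwaway certificates; pinned-root, actual-root and server.example are constructed stand-ins, and it assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate here is throwaway and generated locally.
set -u
work=$(mktemp -d)

# make_root NAME: self-signed root CA written to $work/NAME.pem and NAME.key
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# make_leaf HOST ROOT: server certificate for HOST, signed by ROOT
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -days 1 -CA "$work/$2.pem" \
    -CAkey "$work/$2.key" -CAcreateserial -out "$work/$1.pem" 2>/dev/null
}

# anchors ROOT HOST: exit 0 only if HOST's certificate chains to ROOT.
# This is the question the TLS client answers with the PEM given to setCACert().
anchors() {
  openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

# issuer_of HOST: print who signed the certificate the server presents
issuer_of() {
  openssl x509 -in "$work/$1.pem" -noout -issuer
}

make_root pinned-root                 # stands in for root_ca compiled into the sketch
make_root actual-root                 # the CA that really issued the server certificate
make_leaf server.example actual-root

if anchors pinned-root server.example; then
  echo "pinned root: OK"
else
  echo "pinned root: verification failed (not the issuing CA)"
fi
if anchors actual-root server.example; then
  echo "actual root: OK"
fi
issuer_of server.example              # names the CA the device would need to trust
```

Against a real endpoint, `openssl s_client -connect HOST:443 -servername HOST -showcerts` (HOST is a placeholder) prints the chain the server presents, and the issuer of the last certificate in it names the root the device needs to trust.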
 
That sounds promising to some extent. Does the server at least show some sort of activity now? Unfortunately now we're at a point where I don't know anymore and guesses aren't going to get anywhere. It looks like certificates are pretty finicky from the few minutes I could spend searching this morning... part of the reason I have never bothered with SSL so far.

Maybe https://arduino.stackexchange.com/q...ith-mosquitto-on-raspberry-using-certificates can offer some insight, but other than that I really don't know at this point.
 

MateoEV
> That sounds promising to some extent. Does the server at least show some sort of activity now?

No, the server does not show any activity anyways. I'm out of ideas, since I tried changing certificates and had no luck whatsoever.

> Maybe https://arduino.stackexchange.com/q...ith-mosquitto-on-raspberry-using-certificates can offer some insight, but other than that I really don't know at this point.

Thanks for the advice. From the link you shared, I understand there must be some error in certificate generation. Maybe I should regenerate certificates for my ESP32 to establish the secure connection, but I will have to keep looking for a way to do this. I will keep updating this thread over the next few weeks as I try to work around the errors.
 
> No, the server does not show any activity anyways. I'm out of ideas, since I tried changing certificates and had no luck whatsoever.

That kind of makes sense about the server activity. I did a little more looking around earlier when I had a few minutes to spare and realized that error typically comes from the client side.

Good luck with it and I'll make sure to keep an eye out for updates. SSL has always been something I wanted to learn about, but never really had any real use for it.
 