SSL Certificate Renewal

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: SSL Certificate Renewal

Postby ESP_Angus » Fri Aug 30, 2019 2:27 am

Adriano wrote:
Thu Aug 29, 2019 3:27 pm
I don't know if it is a good solution, but I am developing it in this way:

1. load certificate from SPIFFS.
2. connect to HTTPS_WEBPAGE.
3. if it fails, I connect to HTTP_WEBPAGE/cer.php to download the new certificate.
4. save the new certificate in the SPIFFS.
5. reboot ESP32

It is simple to create a php script for retrieving the certificate. You just need a server able to answer also without https.
Hi Adriano,

I'm glad this works for you, but from a security perspective you might as well disable HTTPS certificate checking in the client - if an attacker can MITM the HTTPS connection then they can force step (3) to execute, and force the device to download a new certificate that they provide. (Note that HTTPS without certificate checking is still better than HTTP, as it protects against passive listeners - but it can't protect against an active attacker who can MITM.)

Instead, suggest configuring the client to trust the root certificate used by LetsEncrypt, instead of the device certificate. Root certificate expiry should be very long, so you can plan for this in advance (my LetsEncrypt web server uses "ISRG Root X1" which is valid until 4 June 2035).

You still need to plan for the possibility that LetsEncrypt will change root cert providers, but you can do this by (a) storing some alternative root certs in the device just in case and (b) keeping backups of your old LetsEncrypt certificate chains so if necessary you can keep using an old cert for long enough to have the device download or OTA update to use a newer root cert, which you then start using.

We have another plan for making this whole process easier in ESP-IDF (root certificate management) but unfortunately we don't have an ETA for that support.

Adriano
Posts: 9
Joined: Thu Aug 29, 2019 1:04 pm

Re: SSL Certificate Renewal

Postby Adriano » Fri Aug 30, 2019 1:08 pm

Thank you for your answer.
ESP_Angus wrote:
Fri Aug 30, 2019 2:27 am
I'm glad this works for you, but from a security perspective you might as well disable HTTPS certificate checking in the client.
Is it possible also in the Arduino IDE? I am getting "connection refused" if the certificate is not valid.
It would be nice to have a feature like the webbrowser, who is able to get the certificate automatically.

I don't have access to my host server, so maybe they will change also the root certificate one day if they are not happy with it.
On my server they use letsencrypt certificate. Letsencrypt have the certificate directly on their webpage:

Webpage: https://letsencrypt.org/certificates/
Certificate (as PEM, for ESP32): https://letsencrypt.org/certs/isrgrootx1.pem.txt

So the ESP could download it directly from there. But all certificates (up to the Root CA X3) are valid only until 2021.

umer-ilyas
Posts: 1
Joined: Tue Aug 06, 2019 12:36 pm

Re: SSL Certificate Renewal

Postby umer-ilyas » Mon Apr 27, 2020 6:45 am

in the examples of esp-idf this example

Code: Select all

esp-idf\examples\protocols\http2_request
can communicate with server without providing the ssl certificate.

i have tested it somehow this works even you update/change the certificate on server.

RogerFL
Posts: 1
Joined: Sun Apr 21, 2019 8:14 pm

Re: SSL Certificate Renewal

Postby RogerFL » Sun Oct 18, 2020 8:01 pm

Adriano,
Your method creates an easy attack for a fake server.
You might use your own custom CA that creates certificates that expire after the maximum life of the product if you only used it for devices, not users on browsers.
Roger

DannyBackx
Posts: 33
Joined: Wed Sep 19, 2018 7:17 pm

Re: SSL Certificate Renewal

Postby DannyBackx » Mon May 31, 2021 6:07 pm

I'm a bit late with this reply but check out my acme client.
https://sourceforge.net/projects/esp32-acme-client/

Who is online

Users browsing this forum: Majestic-12 [Bot], sshwarts and 61 guests