Summary
On the ESP32 (I'm using C3), when trying to use SSL/TLS over WiFi to connect to a server - in my case using a Letsencrypt certificate - the certificate validation fails when using a certificate bundle.
This error is also mentioned by other users, for example here.
[E][esp_crt_bundle.c:147] esp_crt_verify_callback(): Failed to verify certificate
followed by
[E][ssl_client.cpp:37] _handle_error(): [start_ssl_client():273]: (-12288) X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed
The problem seems to be in this function:
https://github.com/espressif/esp-idf/blob/3640dc86bb4b007da0c53500d90e318f0b7543ef/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c#L84
I'm using the Arduino WiFiClientSecure to test. Two servers: Letsencrypt valid cert test server, and my own server.
Using client.setCACert(isrgx1ca);
First test hardcoding the ISRG Root X1 CA pem in the sketch.
On https://valid-isrgrootx1.letsencrypt.org/
[ 3369][V][ssl_client.cpp:290] start_ssl_client(): Verifying peer X.509 certificate...
[ 3369][V][ssl_client.cpp:298] start_ssl_client(): Certificate verified.
[ 3372][V][ssl_client.cpp:313] start_ssl_client(): Free internal heap after TLS 188492
Connected to server!
On my server
[ 3781][V][ssl_client.cpp:290] start_ssl_client(): Verifying peer X.509 certificate...
[ 3781][V][ssl_client.cpp:298] start_ssl_client(): Certificate verified.
[ 3784][V][ssl_client.cpp:313] start_ssl_client(): Free internal heap after TLS 184632
Connected to server!
Using client.setCACertBundle(rootca_crt_bundle_start);
On https://valid-isrgrootx1.letsencrypt.org/
[ 2393][D][esp_crt_bundle.c:108] esp_crt_verify_callback(): 141 certificates in bundle
[ 2559][I][esp_crt_bundle.c:142] esp_crt_verify_callback(): Certificate validated
[ 3497][V][ssl_client.cpp:290] start_ssl_client(): Verifying peer X.509 certificate...
[ 3497][V][ssl_client.cpp:298] start_ssl_client(): Certificate verified.
[ 3500][V][ssl_client.cpp:313] start_ssl_client(): Free internal heap after TLS 187900
Connected to server!
On my server
[ 2868][D][esp_crt_bundle.c:108] esp_crt_verify_callback(): 141 certificates in bundle
[ 2868][E][esp_crt_bundle.c:147] esp_crt_verify_callback(): Failed to verify certificate
[ 2874][E][ssl_client.cpp:37] _handle_error(): [start_ssl_client():273]: (-12288) X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed
[ 2887][E][WiFiClientSecure.cpp:144] connect(): start_ssl_client: -12288
[ 2894][V][ssl_client.cpp:321] stop_ssl_socket(): Cleaning SSL connection.
Connection failed!
Cert bundle
Following the steps here. Cert bundle downloaded from curl. It's the Mozilla bundle that contains the ISRG Root X1 cert.
Server certs
Both the test server and my server report having certificates signed by ISRG Root X1, with the cert serial numbers matching the screenshot above.
Test server:
My server:
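An added illustration (my own Python, not code from this issue or from esp-idf) of the bundle lookup as I read the linked esp_crt_verify_callback: the bundle is binary-searched by subject name for the issuer of the one chain certificate mbedTLS flagged as not trusted, which is the topmost certificate the server sent, and nothing else in the chain is consulted. The bundle layout follows what esp-idf's gen_crt_bundle.py writes; the names and keys are constructed placeholders rather than real DER, and the signature check that follows a successful lookup is omitted.

```python
import struct

# Constructed placeholder names; a real bundle stores DER-encoded X.509 subjects.
ISRG_ROOT_X1 = b"CN=ISRG Root X1"
DST_ROOT_CA_X3 = b"CN=DST Root CA X3"   # deliberately absent from the bundle below
LE_R3 = b"CN=R3"

def pack_bundle(entries):
    """Layout gen_crt_bundle.py writes: u16 count, then per entry u16 name_len,
    u16 key_len, subject name, SubjectPublicKeyInfo; sorted by subject name."""
    entries = sorted(entries, key=lambda e: e[0])
    out = struct.pack(">H", len(entries))
    for name, key in entries:
        out += struct.pack(">HH", len(name), len(key)) + name + key
    return out

def parse_bundle(blob):
    """Inverse of pack_bundle: returns [(subject_name, public_key), ...]."""
    count, = struct.unpack_from(">H", blob, 0)
    off, entries = 2, []
    for _ in range(count):
        name_len, key_len = struct.unpack_from(">HH", blob, off)
        off += 4
        entries.append((blob[off:off + name_len], blob[off + name_len:off + name_len + key_len]))
        off += name_len + key_len
    return entries

def lookup_issuer(entries, issuer):
    """Binary search of the sorted bundle by subject name (the C code memcmp()s the
    raw DER). Returns the bundled public key or None; the real callback then
    verifies the flagged certificate's signature with that key, omitted here."""
    lo, hi = 0, len(entries) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        name, key = entries[mid]
        if issuer == name:
            return key
        if issuer < name:
            hi = mid - 1
        else:
            lo = mid + 1
    return None

def chain_verifies(entries, chain):
    """chain: (subject, issuer) pairs leaf-first, as the server sent them.
    Only the topmost certificate's issuer is looked up in the bundle."""
    return lookup_issuer(entries, chain[-1][1]) is not None

BUNDLE = parse_bundle(pack_bundle([(ISRG_ROOT_X1, b"spki-x1"), (b"CN=Other Root", b"spki-o")]))
# A chain ending at R3 (issued by a bundled root) versus the same chain with a
# cross-signed ISRG Root X1 appended, whose issuer is not in the bundle.
SHORT_CHAIN = [(b"CN=example.test", LE_R3), (LE_R3, ISRG_ROOT_X1)]
CROSS_CHAIN = SHORT_CHAIN + [(ISRG_ROOT_X1, DST_ROOT_CA_X3)]
```

Under this lookup a chain that stops at an intermediate issued by a bundled root passes, while the same chain with a cross-signed copy of that root appended fails unless the cross-signer is also in the bundle, so comparing the chain each server actually sends (for example with openssl s_client) is the first thing to check.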