Gcp: The certificate is not correctly signed by the trusted CA

Hi all,

I have done OTA on an ESP8266 that has been smoothly running an earlier firmware for some time. In essence, the firmware sends a JSON payload via MQTT to Google Cloud Platform’s IoT Core. The MQTT bridge between the ESP and the Cloud has been working flawlessly for the past weeks. However, after OTA, I get the error below.

[Aug 23 14:05:33.515] mg_ssl_if_mbedtls.c:207 0x3fff3c24 mbedTLS error: -0x2700
[Aug 23 14:05:33.515] mgos_mqtt.c:141         MQTT TCP connect error (-3)
[Aug 23 14:05:33.515] mgos_mqtt.c:164         MQTT Disconnect
[Aug 23 14:05:33.515] mgos_mqtt.c:507         MQTT connecting after 1025 ms
[Aug 23 14:05:33.515] mgos_mongoose.c:66      New heap free LWM: 10608
[Aug 23 14:05:34.543] mgos_mqtt.c:431         MQTT connecting to mqtt.googleapis.com:8883
[Aug 23 14:05:34.650] mg_ssl_if_mbedtls.c:35  0x3fff42c4 ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35  0x3fff42c4 x509_verify_cert returned -9984
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35  0x3fff42c4   The certificate is not correctly signed by the trusted CA

I would greatly appreciate it if someone could help me out with understanding what’s going on. I’m happy to share more of my logs but basically, the firmware is stuck at this stage. Thank you for your guidance in advance!

Have a great day,
Mark
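An added triage sketch, not part of the original thread or of Mongoose OS: it parses the log lines quoted in the post above and shows that `-0x2700` and `-9984` are the same mbedTLS code, with the verify-flag text pointing at an untrusted issuer rather than an expired or name-mismatched certificate. Treating the hex value after the file name as a per-connection handle, and the `triage` helper itself, are assumptions of this example.

```python
import re
from collections import defaultdict

# mbedTLS X.509 constants (names as defined in mbedTLS's x509.h).
X509_ERRORS = {0x2700: "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED"}
VERIFY_FLAGS = {
    "The certificate validity has expired": "MBEDTLS_X509_BADCERT_EXPIRED",
    "The certificate has been revoked (is on a CRL)": "MBEDTLS_X509_BADCERT_REVOKED",
    "The certificate Common Name (CN) does not match with the expected CN":
        "MBEDTLS_X509_BADCERT_CN_MISMATCH",
    "The certificate is not correctly signed by the trusted CA":
        "MBEDTLS_X509_BADCERT_NOT_TRUSTED",
}

# Log lines copied from the post above.
LOG = """\
[Aug 23 14:05:33.515] mg_ssl_if_mbedtls.c:207 0x3fff3c24 mbedTLS error: -0x2700
[Aug 23 14:05:33.515] mgos_mqtt.c:141         MQTT TCP connect error (-3)
[Aug 23 14:05:34.543] mgos_mqtt.c:431         MQTT connecting to mqtt.googleapis.com:8883
[Aug 23 14:05:34.650] mg_ssl_if_mbedtls.c:35  0x3fff42c4 ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35  0x3fff42c4 x509_verify_cert returned -9984
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35  0x3fff42c4   The certificate is not correctly signed by the trusted CA
"""

# Hypothetical layout assumption: "<file>:<line> <handle> <message>".
LINE = re.compile(r"mg_ssl_if_mbedtls\.c:\d+\s+(0x[0-9a-f]+)\s+(.*)$")
CODE = re.compile(r"(?:mbedTLS error:|x509_verify_cert returned)\s+-(0x[0-9a-fA-F]+|\d+)")

def parse_code(text):
    """Normalise a hex ("0x2700") or decimal ("9984") magnitude to an int."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)

def triage(log):
    """Return {handle: {"errors": set of names, "flags": set of names}}."""
    out = defaultdict(lambda: {"errors": set(), "flags": set()})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a TLS-layer line
        handle, msg = m.group(1), m.group(2).strip()
        c = CODE.search(msg)
        if c:
            code = parse_code(c.group(1))
            out[handle]["errors"].add(X509_ERRORS.get(code, "unknown -0x%04X" % code))
        elif msg in VERIFY_FLAGS:
            out[handle]["flags"].add(VERIFY_FLAGS[msg])
    return dict(out)

if __name__ == "__main__":
    for handle, finding in triage(LOG).items():
        print(handle, sorted(finding["errors"]), sorted(finding["flags"]))
```

A `NOT_TRUSTED` flag with no `EXPIRED` flag points at the device's CA bundle rather than its clock.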

This and this.

I modified the title to reflect the origin of the error.

2 Likes

Thank you so much, I really appreciate the pointers and your help!

Thank you for your help @nliviu, and everyone else who helped so far with my other questions, too!

I managed to fix the issue described before.

My next question would be if it is possible to somehow update firmware that has the old ca-bundle rather than the updated one. Since the device still can connect to the WiFi, it is reachable on the local network. Therefore, I tried to OTA via RPC the new firmware (updated ca-bundle), which could go through if it wasn’t for a core-dump induced by lack of memory (my fault). Is there another way to somehow OTA the firmware with the updated ca-bundle onto the device?