Hi all,
There is a planned expiration date coming to the CA certificate on mqtt.googleapis.com:8883. Google’s Google Cloud Platform (GCP) has changed the certificate chain - it is still signed by a GlobalSign root but by a different one. The new expiration date is 2028. The error manifests itself as follows:
[Aug 23 14:05:33.515] mg_ssl_if_mbedtls.c:207 0x3fff3c24 mbedTLS error: -0x2700
[Aug 23 14:05:33.515] mgos_mqtt.c:141 MQTT TCP connect error (-3)
[Aug 23 14:05:33.515] mgos_mqtt.c:164 MQTT Disconnect
[Aug 23 14:05:33.515] mgos_mqtt.c:507 MQTT connecting after 1025 ms
[Aug 23 14:05:33.515] mgos_mongoose.c:66 New heap free LWM: 10608
[Aug 23 14:05:34.543] mgos_mqtt.c:431 MQTT connecting to mqtt.googleapis.com:8883
[Aug 23 14:05:34.650] mg_ssl_if_mbedtls.c:35 0x3fff42c4 ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35 0x3fff42c4 x509_verify_cert returned -9984
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35 0x3fff42c4 The certificate is not correctly signed by the trusted CA
The CA certificate is part of the ca-bundle package. The update to change to the new CA certificate for GCP in the package is this commit. The expiring CA certificate in my current firmware causes the device to be unable to connect to IoT Core (GCP IoT).
- My goal is:
My goal is to update the firmware without physically flashing it.
- My actions are:
I have an OTA mechanism that uses GCP’s IoT Core, but since the device cannot connect to it, it is rendered obsolete. I have tried OTA via RPC as discussed here.
- The result I see is:
When I am connected with my local machine (that performs the OTA via RPC) to the same network as the device is connected to, the OTA via RPC starts and then stops with a core dump due to memory leakage, that is, the firmware can receive the OTA via RPC until around 40% and then it reboots after a core dump. My guess is that the IoT Core connectivity issue (induced by the old CA certificate) causes the device to constantly try to re-connect to IoT Core and cannot handle the OTA via RPC memory-wise.
- My expectation & question is:
My question is whether there is another way I could update the old CA certificate to the new one on the device, either via OTA or some other mechanism?
Thank you for your time and replies in advance!
Mark
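
The two codes in the log above, -0x2700 and -9984, are the same mbedTLS value (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) printed in hex and in decimal. The following is an added example, not part of the original post or of Mongoose OS: a Python triage script that normalises both forms and flags a log as a trust-store failure. The function names (`decode`, `triage`, `stale_trust_store`) are hypothetical and the sample input is copied from the log in the post.

```python
import re

# mbedTLS error layout: high-level module code in bits 7-14, low-level in bits 0-6.
# Only the code seen in this log is named; anything else is reported numerically.
HIGH_LEVEL = {0x2700: "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED"}

# Sample input: lines copied from the log in the post above.
SAMPLE_LOG = """\
[Aug 23 14:05:33.515] mg_ssl_if_mbedtls.c:207 0x3fff3c24 mbedTLS error: -0x2700
[Aug 23 14:05:33.515] mgos_mqtt.c:141 MQTT TCP connect error (-3)
[Aug 23 14:05:34.543] mgos_mqtt.c:431 MQTT connecting to mqtt.googleapis.com:8883
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35 0x3fff42c4 x509_verify_cert returned -9984
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35 0x3fff42c4 The certificate is not correctly signed by the trusted CA
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+?):(?P<lineno>\d+)\s+(?P<msg>.*)$")
CODE = re.compile(r"(?:mbedTLS error:|x509_verify_cert returned)\s+(-(?:0x[0-9a-fA-F]+|\d+))")
CONN = re.compile(r"^(0x[0-9a-fA-F]+)\s")  # connection pointer that prefixes TLS messages

def decode(code_text):
    """Normalise a hex or decimal mbedTLS code and split it into its two parts."""
    magnitude = -int(code_text, 0)  # base 0 accepts both "-0x2700" and "-9984"
    high, low = magnitude & 0x7F80, magnitude & 0x007F
    name = HIGH_LEVEL.get(high, "unknown high-level 0x%04X" % high)
    return {"value": -magnitude, "hex": "-0x%04X" % magnitude, "name": name, "low": low}

def triage(log_text):
    """Return (tls_failures, mqtt_connect_error_count) for a Mongoose OS log."""
    failures, mqtt_errors = [], 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if m["src"] == "mgos_mqtt.c" and "MQTT TCP connect error" in msg:
            mqtt_errors += 1
        code = CODE.search(msg)
        if code:
            conn = CONN.match(msg)
            failures.append({"ts": m["ts"], "conn": conn.group(1) if conn else None,
                             **decode(code.group(1))})
    return failures, mqtt_errors

def stale_trust_store(failures):
    """True when any TLS failure is a certificate-chain verification failure."""
    return any(f["name"] == "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED" for f in failures)

if __name__ == "__main__":
    found, mqtt = triage(SAMPLE_LOG)
    print(found, mqtt, stale_trust_store(found))
```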