GCP: Updating firmware without physical flashing to solve "The certificate is not correctly signed by the trusted CA"

Hi all,

There is a planned expiration date coming to the CA certificate on mqtt.googleapis.com:8883. Google’s Google Cloud Platform (GCP) has changed the certificate chain - it is still signed by a GlobalSign root, but by a different one. The new expiration date is 2028. The error manifests itself as follows:

[Aug 23 14:05:33.515] mg_ssl_if_mbedtls.c:207 0x3fff3c24 mbedTLS error: -0x2700
[Aug 23 14:05:33.515] mgos_mqtt.c:141         MQTT TCP connect error (-3)
[Aug 23 14:05:33.515] mgos_mqtt.c:164         MQTT Disconnect
[Aug 23 14:05:33.515] mgos_mqtt.c:507         MQTT connecting after 1025 ms
[Aug 23 14:05:33.515] mgos_mongoose.c:66      New heap free LWM: 10608
[Aug 23 14:05:34.543] mgos_mqtt.c:431         MQTT connecting to mqtt.googleapis.com:8883
[Aug 23 14:05:34.650] mg_ssl_if_mbedtls.c:35  0x3fff42c4 ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35  0x3fff42c4 x509_verify_cert returned -9984
[Aug 23 14:05:35.769] mg_ssl_if_mbedtls.c:35  0x3fff42c4   The certificate is not correctly signed by the trusted CA

The CA certificate is part of the ca-bundle package. The update to change to the new CA certificate for GCP in the package is this commit. The expiring CA certificate in my current firmware causes the device to be unable to connect to IoT Core (GCP IoT).

1. My goal is:

My goal is to update the firmware without physically flashing it.

2. My actions are:

I have an OTA mechanism that uses GCP’s IoT Core, but since the device cannot connect to it, it is rendered obsolete. I have tried OTA via RPC as discussed here.

3. The result I see is:

When I am connected with my local machine (that performs the OTA via RPC) to the same network as the device is connected to, the OTA via RPC starts and then stops with a core dump due to memory leakage, that is, the firmware can receive the OTA via RPC until around 40% and then it reboots after a core dump. My guess is that the IoT Core connectivity issue (induced by the old CA certificate) causes the device to constantly try to re-connect to IoT Core and it cannot handle the OTA via RPC memory-wise.

4. My expectation & question is:

My question is whether there is another way I could update the old CA certificate to the new one on the device, via either OTA or some other mechanism?

Thank you for your time and replies in advance!

I’m not sure you actually need the whole CA bundle, and I’m assuming you can just update a single CA certificate.
When I evaluated GCP in 2020 I did not need anything other than what was provided by mos gcp-iot-setup, and I did not include the ca-bundle then.
If that is your scenario, you just need to upload a new CA certificate, and you can do that using the file services provided by the RPC; you don’t need OTA. Make sure your connection is outside GCP, though.
For testing you can just use mos tool.
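Before pushing a replacement CA file to the device over RPC, it is worth confirming from the workstation that the candidate PEM actually validates the live chain on mqtt.googleapis.com:8883, and that the log's `-9984` really is the mbedTLS verify-failed code. The script below is an added example, not code from the thread or from Mongoose OS; it assumes only the Python standard library, a candidate CA file path you supply, and that the workstation has network access to GCP (a missing CA file is reported without any network use).

```python
import re
import socket
import ssl

# mbedTLS code seen in the device log; -9984 decimal is -0x2700 (from mbedtls x509.h).
MBEDTLS_ERRORS = {
    -0x2700: "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED (chain not signed by a trusted CA)",
}


def decode_mbedtls_error(log_line):
    """Turn 'x509_verify_cert returned -9984' or 'mbedTLS error: -0x2700' into
    ('-0x2700', description). Returns None if the line carries no code."""
    m = re.search(r"(?:returned|error:)\s*(-?(?:0x[0-9A-Fa-f]+|\d+))", log_line)
    if not m:
        return None
    code = int(m.group(1), 0)  # base 0 accepts both decimal and 0x-prefixed hex
    return ("-0x%04X" % -code, MBEDTLS_ERRORS.get(code, "unknown mbedTLS error"))


def check_candidate_ca(ca_file, host="mqtt.googleapis.com", port=8883, timeout=10):
    """Validate the host's live TLS chain using ONLY the CA file the device would carry.

    Returns ("ok", issuer CN) when the handshake verifies, ("verify-failed", reason)
    when that CA file does not trust the chain (what the device is hitting),
    ("ca-load-error", reason) if the PEM cannot be loaded, or ("network-error", reason).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    try:
        ctx.load_verify_locations(cafile=ca_file)  # deliberately no system trust store
    except (OSError, ssl.SSLError) as exc:
        return ("ca-load-error", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # getpeercert() gives issuer as a tuple of RDNs, each a tuple of (key, value) pairs
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                return ("ok", issuer.get("commonName", "?"))
    except ssl.SSLCertVerificationError as exc:
        return ("verify-failed", exc.verify_message)
    except (OSError, ssl.SSLError) as exc:
        return ("network-error", str(exc))


if __name__ == "__main__":
    import sys
    print(decode_mbedtls_error("x509_verify_cert returned -9984"))
    print(check_candidate_ca(sys.argv[1] if len(sys.argv) > 1 else "ca.pem"))
```

Run it once against the CA file currently on the device (expect `verify-failed`) and once against the new one (expect `ok`) before uploading the new file under the name the device's `mqtt.ssl_ca_cert` setting points at.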


Thank you for your prompt reply @scaprile! Really appreciated!