How to do OTA from unknown local server

william.ferguson.au
Posts: 107
Joined: Wed Jan 02, 2019 8:55 am

How to do OTA from unknown local server

Postby william.ferguson.au » Fri Jan 25, 2019 12:06 am

My ESP32 devices will be deployed into environments without internet connection. They will connect to a local server from which they should retrieve any OTA.

I can generate a self signed cert that ships with the local server and ship the public key with the ESP32 binary. But since I won't know the IP address on which it is deployed I will not be able to generate a self signed cert that matches the server's location.

This means esp_https_ota() will fail the update because it won't be able to validate the certificate.
So how should I provide OTA?

William

ESP_igrr
Posts: 2067
Joined: Tue Dec 01, 2015 8:37 am

Re: How to do OTA from unknown local server

Postby ESP_igrr » Fri Jan 25, 2019 2:14 am

One option is to create a single shared certificate which you will use as your private certificate authority. Devices (esp32) will use the public key of that certificate to do the verification.
Local servers will need to generate their own certificates (using their actual IP address as the common name) and use the shared certificate to sign them.
In this case, the assumption is that these local servers can store shared CA certificate and private key securely.
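The private-CA scheme above, covering the original question (the server address is not known when the firmware is built) and this reply (one shared CA, per-server certificates signed by it), as an added worked example that is not from this thread and not ESP-IDF code. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name, the file names under $WORK and the sample address 192.168.4.1 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from this thread or ESP-IDF): a private CA for offline OTA.
# The ESP32 firmware embeds only ca.crt; each local server gets its own
# certificate, issued for the IP it actually ends up on and signed by that CA.
# Assumes OpenSSL 1.1.1 or newer on PATH. The CA name, file names and the
# sample address 192.168.4.1 are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 (once, on the build machine): create the CA. ca.crt is what goes
# into the firmware as cert_pem; ca.key stays with whoever issues server certs.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example OTA Private CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2 (per deployment, on the local server): key + CSR for the server's
# real address, then sign it with the CA. mbedTLS on the device matches the
# address against subjectAltName, so the IP goes there, not only in the CN.
issue_server_cert() {
    ip="$1"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$ip" \
        > "$WORK/server.cnf"
    openssl req -new -config "$WORK/server.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = IP:%s\n' "$ip" \
        > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3 (what the device does on connect): chain server.crt to ca.crt and
# require the address it dialled to be in the SAN. Exit status 0 = accepted.
verify_for_ip() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# End-to-end run: the right address is accepted, any other address is refused
# even though the certificate chains correctly. Returns 0 only if both hold.
demo() {
    make_ca
    issue_server_cert 192.168.4.1
    openssl x509 -in "$WORK/server.crt" -noout -subject -ext subjectAltName
    verify_for_ip 192.168.4.1 || return 1
    if verify_for_ip 192.168.4.2; then return 1; fi
    echo "OK: 192.168.4.1 accepted, 192.168.4.2 refused"
}

demo
```

The device side needs nothing beyond what esp_https_ota() already does: embed ca.crt in the firmware and pass it as cert_pem in the esp_http_client_config_t, and the existing certificate check succeeds for any server whose certificate was issued for the address the device dials. Because the firmware trusts the CA rather than one server certificate, the address can be chosen at deploy time; the only long-lived secret is ca.key, which must stay off the devices and off any server that does not need to issue certificates.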

fly135
Posts: 606
Joined: Wed Jan 03, 2018 8:33 pm
Location: Orlando, FL

Re: How to do OTA from unknown local server

Postby fly135 » Fri Jan 25, 2019 5:50 pm

Just take out the checks for cert and https in esp_https_ota and you can OTA from HTTP or HTTPS without checking the cert. Just comment out the two return ESP_FAIL lines.

Here....

if (!config->cert_pem) {
    ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
    //return ESP_FAIL;
}

esp_http_client_handle_t client = esp_http_client_init(config);
if (client == NULL) {
    ESP_LOGE(TAG, "Failed to initialise HTTP connection");
    return ESP_FAIL;
}

if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
    ESP_LOGE(TAG, "Transport is not over HTTPS");
    //return ESP_FAIL;
}

John A

chegewara
Posts: 2207
Joined: Wed Jun 14, 2017 9:00 pm

Re: How to do OTA from unknown local server

Postby chegewara » Fri Jan 25, 2019 7:19 pm

fly135 wrote:
Fri Jan 25, 2019 5:50 pm
Just take out the checks for cert and https in esp_https_ota and you can OTA from HTTP or HTTPS without checking the cert. Just comment out the two return ESP_FAIL lines.

Here....

if (!config->cert_pem) {
    ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
    //return ESP_FAIL;
}

esp_http_client_handle_t client = esp_http_client_init(config);
if (client == NULL) {
    ESP_LOGE(TAG, "Failed to initialise HTTP connection");
    return ESP_FAIL;
}

if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
    ESP_LOGE(TAG, "Transport is not over HTTPS");
    //return ESP_FAIL;
}

John A
Or go easy way and turn off https for esp http client in menuconfig.

fly135
Posts: 606
Joined: Wed Jan 03, 2018 8:33 pm
Location: Orlando, FL

Re: How to do OTA from unknown local server

Postby fly135 » Sat Jan 26, 2019 6:57 pm

chegewara wrote:
Fri Jan 25, 2019 7:19 pm
Or go easy way and turn off https for esp http client in menuconfig.
Not thinking that will do anything. Plus, you can OTA w/ HTTPS and w/o a certificate. Disabling HTTPS won't change the fail checks in esp_https_ota. Maybe you know something I don't, but I'm not seeing this as a workable answer.

John A

william.ferguson.au
Posts: 107
Joined: Wed Jan 02, 2019 8:55 am

Re: How to do OTA from unknown local server

Postby william.ferguson.au » Mon Jan 28, 2019 12:13 pm

Thanks @fly135.

Providing OTA via HTTP seems like the sensible approach.

William
