TLS connections with local CA fails on Pico 2 W (RP2350 + CYW43439) with MBEDTLS_ERR_X509_CERT_VERIFY_FAILED

[davebarkerxyz]

CircuitPython version and board name

Adafruit CircuitPython 9.2.6 on 2025-03-23; Raspberry Pi Pico 2 W with rp2350a

Code/REPL

import os
import wifi
import adafruit_connection_manager
import adafruit_requests

ssid = os.getenv("WIFI_SSID")
wifikey = os.getenv("WIFI_PASSWORD")

wifi.radio.connect(ssid, wifikey)
pool = adafruit_connection_manager.get_radio_socketpool(wifi.radio)
ssl_context = adafruit_connection_manager.get_radio_ssl_context(wifi.radio)

with open("/mqtt-ca.crt", "rb") as f:
    ca_cert = f.read()
ssl_context.load_verify_locations(cadata=ca_cert.decode("utf-8"))

conn_mgr = adafruit_connection_manager.ConnectionManager(pool)
requests = adafruit_requests.Session(pool, ssl_context)
with requests.get("https://192.168.0.62:8111/") as response:
    print(response.text)

Behavior

code.py output:
Traceback (most recent call last):
  File "code.py", line 19, in <module>
  File "adafruit_requests.py", line 711, in get
  File "adafruit_requests.py", line 639, in request
  File "adafruit_connection_manager.py", line 337, in get_socket
  File "adafruit_connection_manager.py", line 249, in _get_connected_socket
OSError: (-9984, 'MBEDTLS_ERR_X509_CERT_VERIFY_FAILED')

Code done running.

Description

• Using a local CA cert generated with OpenSSL to sign a server certificate
• Copying CA cert onto CircuitPython board, and loading with ssl_context.load_verify_locations
• Connections fail with MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
• Originally observed when using this CA and server certificate combination with an Eclipse Mosquitto server and the adafruit_minimqtt library in CircuitPython, but replicated with a simple web server using the same certs and using adafruit_requests on the board
• This does not happen with the M5Stack AtomS3 Lite (ESP32-S3) running the same code with same certificates (both original MQTT client and the above test program) and CircuitPython 9.2.6; on that board, the connection succeeds.
• This does not happen with other clients using the same CA cert to talk to the same services (Eclipse Mosquitto's mosquitto_sub, and my own MQTT client written in Go)

The CA cert looks as follows, when printed withopenssl x509 -noout -text -in mqtt-ca.crt:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:4d:14:b5:99:b3:39:ce:26:d6:18:77:72:03:a9:78:9e:4c:48:78
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Scotland, O=ops, CN=mqtt ca
        Validity
            Not Before: May 12 00:06:59 2025 GMT
            Not After : May 10 00:06:59 2035 GMT
        Subject: C=GB, ST=Scotland, O=ops, CN=mqtt ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:0b:fc:e0:a1:a9:ef:52:45:a5:77:08:58:2d:
                    b5:08:fd:23:e5:00:e5:6e:73:e0:c4:ed:7e:b9:b5:
                    9f:06:40:1a:fc:bf:b6:08:42:f8:34:6b:f2:a1:51:
                    75:dc:29:13:e7:8d:c4:ae:6c:e9:8d:54:20:95:1d:
                    dc:cd:4f:e6:29:59:03:07:81:66:a3:56:52:71:20:
                    3f:25:cd:d0:c8:cb:92:b0:c1:6f:a6:b1:72:52:96:
                    1d:5c:0e:5c:b2:b7:a1:f4:47:4a:de:cc:d5:c0:3d:
                    f1:d0:cb:d8:71:5f:70:1f:70:89:94:bd:e7:72:44:
                    42:de:f5:d2:95:99:44:49:3b:67:7d:7c:41:a1:1e:
                    81:bf:03:a1:00:60:eb:9f:07:66:e3:3d:91:c9:57:
                    33:23:1e:71:b6:41:09:8a:c6:8d:fe:5e:fb:ff:87:
                    78:a2:d7:59:ee:fe:9f:17:0e:4f:ba:75:e9:50:5f:
                    84:46:c4:34:f0:fd:f2:f1:43:10:a4:c5:ca:13:5e:
                    a1:71:d9:80:d7:3d:75:c6:27:26:c7:54:1c:30:12:
                    46:93:a8:7c:e3:72:4e:2d:12:c8:7d:ef:ed:8a:f5:
                    84:ba:81:8c:59:26:2b:51:c0:6e:88:41:d5:0d:d8:
                    19:dc:3c:a3:27:05:9e:a0:5a:af:8a:f1:d1:1a:f4:
                    d3:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                31:86:37:0B:9D:D8:32:ED:EB:E4:32:1E:49:A5:3A:34:1E:F0:E6:8D
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5c:75:13:94:c8:80:aa:e7:61:a3:78:0c:3e:f6:90:06:71:16:
        aa:80:49:ad:37:20:c5:aa:78:eb:36:7d:a4:50:2d:a0:73:18:
        44:17:1a:46:44:9e:4c:c6:e9:9a:a0:f1:c6:f3:11:8c:e5:b3:
        fc:6e:a6:01:08:f0:07:f6:95:b5:8e:87:ce:ce:8d:c2:5f:28:
        e5:23:a9:ab:a4:49:76:a5:62:44:15:ef:a6:13:84:64:f3:64:
        ce:34:6d:c9:36:30:3e:07:41:41:71:f1:7c:61:a3:32:a9:96:
        65:a3:01:9b:98:1c:e9:5a:b3:9d:09:59:87:c1:ca:79:3b:d3:
        5c:be:a5:7d:81:ad:2d:e9:86:1d:b3:8b:be:49:f7:be:e3:a7:
        8e:08:78:6f:82:1c:65:59:1d:69:a5:c4:75:0d:44:94:fa:ea:
        39:98:ca:94:2a:2c:52:12:df:19:4a:b2:1c:7f:df:61:6a:95:
        89:97:80:26:f1:20:1f:19:20:78:80:6a:68:1c:70:6d:5e:97:
        03:1f:c9:4f:43:4a:89:25:7e:ec:c2:4c:51:ff:dd:19:f3:8c:
        81:e5:4c:87:a7:ef:1a:21:f2:e7:90:8f:e7:6a:c3:49:cb:d7:
        39:8d:2a:42:98:fa:87:8b:63:2d:96:b9:e6:62:2b:fb:1f:66:
        62:73:f1:16

Additional information

No response

[tannewt]

Please try 10.0.0-alpha.4 as well and 9.2.7 in case those versions fixed this issue.

[davebarkerxyz]

The issue persists Pico 2 W on 9.2.7 (same result and error as 9.2.6).

On 10.0.0-alpha.4 on the Pico 2 W, requests.get() times out. I added some print statements to check how far it got (as it looked like it wouldn't return at all), but eventually it exits with ETIMEOUT. Revised test code (with print statements), as follows, along with 10.0.0-alpha.4 output:

import os
import wifi
import adafruit_connection_manager
import adafruit_requests

ssid = os.getenv("WIFI_SSID")
wifikey = os.getenv("WIFI_PASSWORD")

wifi.radio.connect(ssid, wifikey)
print(f"Radio connected: {wifi.radio.connected}")
pool = adafruit_connection_manager.get_radio_socketpool(wifi.radio)
ssl_context = adafruit_connection_manager.get_radio_ssl_context(wifi.radio)

with open("/mqtt-ca.crt", "rb") as f:
    ca_cert = f.read()
ssl_context.load_verify_locations(cadata=ca_cert.decode("utf-8"))
print("Cert loaded")

conn_mgr = adafruit_connection_manager.ConnectionManager(pool)
requests = adafruit_requests.Session(pool, ssl_context)
print("Starting request")
with requests.get("https://192.168.0.62:8111/") as response:
    print(response.text)

code.py output:
Radio connected: True
Cert loaded
Starting request
Traceback (most recent call last):
  File "code.py", line 22, in <module>
  File "adafruit_requests.py", line 711, in get
  File "adafruit_requests.py", line 639, in request
  File "adafruit_connection_manager.py", line 337, in get_socket
  File "adafruit_connection_manager.py", line 249, in _get_connected_socket
OSError: [Errno 116] ETIMEDOUT

Code done running.

Press any key to enter the REPL. Use CTRL-D to reload.

Adafruit CircuitPython 10.0.0-alpha.4 on 2025-05-05; Raspberry Pi Pico 2 W with rp2350a
>>>

I tried connecting to an HTTP endpoint on the same remote host, and this works on both the Pico 2 W (RP2350+CYW) and the AtomS3 Lite (ESP32-S3), confirming the device is indeed connected to wi-fi and that it can talk to the remote host. But the HTTPS request always times out from the Pico 2 W with 10.0.0-alpha4.

I made sure to update adafruit_connection_manager and adafruit_requests to the versions from the 10.x bundle (adafruit-circuitpython-bundle-10.x-mpy-20250511).

10.0.0-alpha4 works fine on the ESP32-S3 (AtomS3 Lite) board.

So to summarise:

• AtomS3 (ESP32-S3) - CircuitPython 9.2.6 - HTTP ✅
• AtomS3 (ESP32-S3) - CircuitPython 10.0.0-alpha4 - HTTP ✅
• AtomS3 (ESP32-S3) - CircuitPython 9.2.6 - HTTPS with loaded CA cert ✅
• AtomS3 (ESP32-S3) - CircuitPython 10.0.0-alpha4 - HTTPS with loaded CA cert ✅
• Pico 2 W (RP2350 + CYW43439) - CircuitPython 9.2.6 - HTTP ✅
• Pico 2 W (RP2350 + CYW43439) - CircuitPython 10.0.0-alpha4- HTTP ✅
• Pico 2 W (RP2350 + CYW43439) - CircuitPython 9.2.7 - HTTPS with loaded CA cert ❌
• Pico 2 W (RP2350 + CYW43439) - CircuitPython 10.0.0-alpha4 - HTTPS with loaded CA cert ❌