ESP32-lwmqtt example does not work with latest WiFiClientSecure library #221
If you call this line |
No, it does not work, because in the esp32-mqtt.h file at line 16 Client.h is included.
A netClient pointer, pointing to the address of class Client, is declared.
netClient is instantiated as an object of class WiFiClientSecure.
setInsecure() is defined in WiFiClientSecure,
but the Client class doesn't have the declaration for setInsecure(),
Which gives the error
error message
and if you cast
Then changes also have to be made in the following files: "CloudIoTCoreMqtt.h, CloudIoTCoreMqtt.cpp". Changes made:
CloudIoTCoreMqtt.cpp from line 24 to line 32
include WiFiClientSecure in the CloudIoTCoreMqtt.h file
In the same file CloudIoTCoreMqtt.h replace "Client" by "WiFiClientSecure" in lines 35 and 39
After netClient = new WiFiClientSecure(); in line 113 of file esp32-mqtt.h
Removing the use of the Client class and setting the connection to insecure: after making the above changes the connection is established. But the point remains that by making the above changes the connection has been made insecure and it is still not using the root certificate, so basically it is still not working with a WiFiClientSecure connection but rather with a WiFiClientInsecure one. |
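The two things this comment and the original issue description turn on are (a) the `netClient` pointer is typed as the base class `Client`, which has no `setInsecure()` or `setCACert()`, and (b) the newer `ssl_client.cpp` returns -1 when no CA is installed. The following is an added example, not code from this repository or from arduino-esp32: `Client` and `WiFiClientSecure` below are hypothetical minimal mocks carrying only the members the thread mentions, so the block compiles as plain C++ on a desktop; on a real ESP32 you would include `<WiFiClientSecure.h>` and delete the mocks. The hostname and certificate text are constructed placeholders.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Hypothetical mock of Arduino's abstract Client: connect() and nothing else.
class Client {
public:
    virtual ~Client() {}
    virtual int connect(const char* host, int port) = 0;
};

// Hypothetical mock of WiFiClientSecure. connect() mirrors the behaviour the
// issue quotes from ssl_client.cpp: no CA and no setInsecure() -> returns -1.
class WiFiClientSecure : public Client {
public:
    void setCACert(const char* pem) { caCert = pem ? pem : ""; }
    void setInsecure() { insecure = true; }
    int connect(const char* /*host*/, int /*port*/) override {
        if (caCert.empty() && !insecure) return -1;  // fail closed, as in the issue
        return 1;
    }
    bool hasCACert() const { return !caCert.empty(); }
    bool isInsecure() const { return insecure; }
private:
    std::string caCert;
    bool insecure = false;
};

// Same shape as esp32-mqtt.h: the pointer is declared as the base class, so
// netClient->setInsecure() or netClient->setCACert() will not compile on it.
Client* netClient = nullptr;

// A pointer-to-pointer static_cast gives access to the derived-class API.
// Casting the Client* to a WiFiClientSecure& (a reference) is what produces
// the "invalid static_cast from type 'Client*' to type 'WiFiClientSecure&'"
// error reported later in the thread.
WiFiClientSecure* asSecure(Client* c) {
    return static_cast<WiFiClientSecure*>(c);
}

// Defender-side policy: install the CA only when root_cert actually looks
// like a PEM certificate, and never silently fall back to setInsecure().
// Returns connect()'s result, or -2 when the root certificate is missing.
int connectWithRootCert(Client* c, const char* rootCert, const char* host, int port) {
    bool looksLikePem = rootCert &&
        std::string(rootCert).find("-----BEGIN CERTIFICATE-----") != std::string::npos;
    if (!looksLikePem) {
        std::fprintf(stderr, "root_cert is empty or not PEM; refusing to connect without verification\n");
        return -2;
    }
    asSecure(c)->setCACert(rootCert);
    return c->connect(host, port);
}

// Constructed placeholder, not a real Google Trust Services root.
static const char* kPlaceholderRootCert =
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n";

int main() {
    netClient = new WiFiClientSecure();
    // root_cert declared but never applied: the library's check rejects this.
    int r1 = netClient->connect("broker.example.test", 8883);                                  // -1
    // Missing/empty root_cert: refused before any connect attempt.
    int r2 = connectWithRootCert(netClient, "", "broker.example.test", 8883);                  // -2
    // CA installed via the cast: connection proceeds with verification enabled.
    int r3 = connectWithRootCert(netClient, kPlaceholderRootCert, "broker.example.test", 8883); // 1
    std::printf("no CA: %d, empty root_cert: %d, CA set: %d\n", r1, r2, r3);
    delete netClient;
    return 0;
}
```

The design point is that the cast is only the mechanism; the check that matters is that `root_cert` reaches `setCACert()` before `connect()`, and that an empty or mis-pasted `root_cert` aborts rather than degrading to `setInsecure()`.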
@Yaaximus I am not an expert in this field, but it is my understanding that there is a degree of security provided by the JWT. After casting you should be able to set the certificate on the netClient? |
Yes, JWT adds a degree of security for sure. After casting, the certificate can be set using setCACert(), but so far I was not able to establish a secure connection using Long-term support (LTS) as mentioned here (https://cloud.google.com/iot/docs/how-tos/mqtt-bridge#iot-core-mqtt-auth-run-python).
When I run the above command this is the output I get
In the output I can see that there is an error
And even if I add the above certificate in the variable root_cert by following the instructions provided in the file ciot_config.h, lines 57 and 58,
With verbose on I am still getting this error
I am not sure that you have the correct certificate - I suspect you have the server certificate (again, I may well be mistaken). Can you try generating the certificates as follows:
I was able to connect to Cloud IoT Core while using the root certificate by following these steps: Download the primary and secondary .crt files from the following link: Convert these '.crt' files to '.pem' files using the following command
And then copy the content from both these files, which ends up looking something like this in the ciotc_config.h file
And obviously setting root_cert in esp32-mqtt.h in line 116
Serial Monitor output with core debug level set to verbose
Fantastic! Have you verified that both the primary and backup certificates are working? Maybe by putting an error in each one in turn? |
Still able to connect to Google Cloud IoT Core even after putting an error in the backup certificate, but with an error added in the primary certificate it fails to verify the certificate.
It is mentioned that Google Trust Services may switch between the primary and backup certificate at any time, which means that it is up to Google Trust Services to decide which certificate, primary or backup, it is going to verify against. Or should it work in any case if one of the certificates is correct? |
Your point is very valid, and Google may only be accepting the primary at the moment. My concern is that I am not sure if you can concatenate both certificates into one string like that. Do you know? Maybe invert the order so that the backup is first and see if it still connects. In our implementation we manually change to the backup cert if the primary does not work. Your approach is much more elegant, provided it works. |
Changed the order without putting an error in and it worked. I guess it can safely be said that order does not matter. |
Fantastic! Thanks for discovering that. I think it would be a good idea to leave this issue open, as there is scope for improving the documentation related to this. |
You're very much welcome, thanks for your guidance as well. Sure, let's keep this issue open. If required I can make a pull request to merge changes into this repository for certificate verification with the latest WiFiClientSecure library. |
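The steps above paste the primary and backup roots into one `root_cert` string, and the experiment that followed showed the order of the two blocks does not matter but a damaged block does. As an added example that is not code from this repository, here is a small PEM bundle checker you can run on a desktop (or adapt into a sketch) before handing the string to `setCACert()`: it splits the bundle into individual `BEGIN`/`END` blocks, rejects a truncated block, checks that each body is base64 text, and compares two bundles as sets so that swapped order is treated as equivalent. The certificate contents are constructed placeholders, not real Google Trust Services roots.

```cpp
#include <cctype>
#include <cstring>
#include <set>
#include <string>
#include <vector>

static const char* kBegin = "-----BEGIN CERTIFICATE-----";
static const char* kEnd   = "-----END CERTIFICATE-----";

// Split a concatenated PEM string into its certificate blocks (markers
// included). Returns false if a BEGIN marker has no matching END marker,
// which is what a truncated paste into ciotc_config.h looks like.
bool splitPemBundle(const std::string& bundle, std::vector<std::string>& out) {
    out.clear();
    size_t pos = 0;
    for (;;) {
        size_t b = bundle.find(kBegin, pos);
        if (b == std::string::npos) break;
        size_t e = bundle.find(kEnd, b);
        if (e == std::string::npos) return false;  // truncated block
        size_t endPos = e + std::strlen(kEnd);
        out.push_back(bundle.substr(b, endPos - b));
        pos = endPos;
    }
    return true;
}

// A block's body (between the markers) must contain only base64 characters,
// '=' padding and whitespace; anything else is a corrupted or mis-pasted cert.
bool pemBodyLooksValid(const std::string& block) {
    size_t start = std::strlen(kBegin);
    size_t stop = block.size() - std::strlen(kEnd);
    if (block.compare(0, start, kBegin) != 0 || stop < start) return false;
    bool sawData = false;
    for (size_t i = start; i < stop; ++i) {
        unsigned char ch = static_cast<unsigned char>(block[i]);
        if (std::isspace(ch)) continue;
        if (std::isalnum(ch) || ch == '+' || ch == '/' || ch == '=') { sawData = true; continue; }
        return false;
    }
    return sawData;
}

// Number of well-formed blocks in a bundle; 0 if the bundle is truncated.
int countValidCerts(const std::string& bundle) {
    std::vector<std::string> blocks;
    if (!splitPemBundle(bundle, blocks)) return 0;
    int n = 0;
    for (const std::string& b : blocks) if (pemBodyLooksValid(b)) ++n;
    return n;
}

// Two bundles carry the same roots if their block sets match, whatever the order.
bool sameCertSet(const std::string& a, const std::string& b) {
    std::vector<std::string> va, vb;
    if (!splitPemBundle(a, va) || !splitPemBundle(b, vb)) return false;
    return std::set<std::string>(va.begin(), va.end()) ==
           std::set<std::string>(vb.begin(), vb.end());
}

// Constructed placeholder blocks standing in for the primary and backup roots.
const std::string kPrimaryCert =
    "-----BEGIN CERTIFICATE-----\nMIIBprimaryPLACEHOLDERAAAA\nBBBB==\n-----END CERTIFICATE-----";
const std::string kBackupCert =
    "-----BEGIN CERTIFICATE-----\nMIIBbackupPLACEHOLDERCCCC\nDDDD==\n-----END CERTIFICATE-----";

// What root_cert in ciotc_config.h ends up looking like: both blocks, one string.
const std::string kRootCertBundle = kPrimaryCert + "\n" + kBackupCert + "\n";
const std::string kReversedBundle = kBackupCert + "\n" + kPrimaryCert + "\n";

// A corrupted primary: a stray character inside the base64 body.
const std::string kCorruptedPrimary =
    "-----BEGIN CERTIFICATE-----\nMIIBprimary!PLACEHOLDERAAAA\nBBBB==\n-----END CERTIFICATE-----";
```

Running `countValidCerts(kRootCertBundle)` on a board before `setCACert()` gives a cheap self-check that both roots survived the copy-paste; `sameCertSet` is what lets a unit test confirm that the primary-first and backup-first layouts are the same configuration.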
Hi, I have had a device working perfectly. I made an update and re-uploaded and now run into the issue described. I guess the wifisecure lib changed with a core update. The fix above however doesn't work. I get an error with this line: netClient->setCACert(root_cert); What am I missing? Thanks |
Please double check all the steps discussed above, especially the need to cast the client. If you don't come right, please share more information like your code and the error you are seeing. |
Hi, I know I am missing the casting step but I am confused where it is? Do all of the steps to enable insecure need to be done? I don't know why this broke with the latest core update. Is there a set of updated files with this fix? |
It's broken on the latest update, because WiFiClientSecure actually checks if the CA is being set and throws an exception if it isn't. You can disable this exception by setting the client to insecure or you can set the CA. Either of these options will require you to do the cast. The example code has a CA variable but it is never used. I'm not sure I can help you with where to do the casting. @fabltd is better positioned to provide guidance here, as we have actually stripped out layers of this library due to issues with the JWT generation. |
@raphael-bmec-co Thanks. Do you know what ESP core version they updated this in? I have also replaced the JWT with a hardware element. Is this the cast? WiFiClientSecure& wifiClientSecure= static_cast<WiFiClientSecure&>(netClient); Does it get initialised inside the function or at declaration? |
If you roll back to 1.0.4 the issue should go away. That is the cast. I don't know the answer to your last question offhand. Sorry. |
I just ran into this issue: error: invalid static_cast from type 'Client*' to type 'WiFiClientSecure&' Here is my code: void setupCloudIoT(){ setupWifi(); |
You already declared netClient as type WiFiClientSecure so why are you trying to cast it? |
Hello sir, I have the same error! Here is the debugger log (verbose)
My code on esp32-mqtt.h:
the main.ino
I'm trying to connect with my config. I created the cert, my Pub/Sub is working (tested in Node), but the ESP32 can't connect to it. |
@jmancillavalenzuela I can see that your certificate is verified, so you probably have no issue on the certificate side. Please make sure your private key is correct and please double check your other credentials. |
Please read all the steps mentioned above; you have to make changes in other files as well, like CloudIoTCoreMqtt.h and CloudIoTCoreMqtt.cpp, for the cast to work, because the Client class type is declared there as well. Please read this |
@Yaaximus Sorry but I have a question, if I use the function |
@Alpha018 If you use "setInsecure" then you are ignoring certificate verification, but you are still using the public and private key to establish a connection to Google Cloud IoT Core, so there is a level of security. In case you want to use the certificate then you will have to follow the steps mentioned above: initially you will have to cast netClient as WiFiClientSecure, then you will have to get the certificate and add the certificate in the variable root_cert in the file ciot_config.h |
Hi, could you share a code example for this please? At least the connection. |
I'm getting this error: checking wifi...Connecting... |
Please make sure your private key is correct and please double check your other credentials in the ciot_config.h file. Sometimes this can also happen if the internet connection is poor. And if you are using an ESP8266 then please try the example ESP8266-lwmqtt |
@warshaa check your jwt token before send the request. |
already checked, nothing wrong with the JWT |
Fix worked great for me: #221 (comment) |
Fantastic. I had been stuck on this for a couple of days. Fix works great for me. Thanks guys ❤️ |
This works! Thanks a lot for figuring it out! Fyi, at the time of solving it, I was using Google Cloud IoT Core JWT library version 1.1.11 and MQTT (by Joel Gaehwiler) library version 2.4.7 |
Hmm. I came here because I have the same error. I notice I'm missing the line of code where setCACert() is called. I added the code mentioned above. I cannot compile the line for setCACert(). I looked in the WiFi101 library and noticed that method is missing. I rolled back to version 2.4.7 for MQTT. The Google Cloud IoT Core JWT lib I am using is 1.1.11 as mentioned above. I realize MQTT is not the library defining setCACert, but no worries; I'm just trying to match lib versions. I also tried to typecast as shown, but I don't have a WiFiClientSecure class. Not sure where to get it. |
@netskink in case you didn't solve this yet the solution that worked for me is to add the second line in this following code:
on the Instead of Hope that works for you! |
Hello @nicosandller, I have not tried this yet. I will. FWIW, I opened a new issue and did a follow-up here. I'm not an esp32/esp8266 user, but it seems like a similar issue. I did post this to show what I've noticed via Wireshark up to this point: https://github.com/netskink/ssl_publy I'm using two different code samples. One is this one, which seems to use the code to hard-code the private key as a series of bytes. The other sample uses the crypto chip for key management. They both do not connect. I do not currently understand how either works. I'm still working on it. Hence I am so happy to have your assistance. Many thanks! |
Hmm, @nicosandller, comparing the esp32 example and the MKR1000 sample (I'm using this one), the source is different. I don't have the code you reference. The code I am using uses Hmm, I'm looking for a routine similar to setCaRoot() in this class hierarchy. It looks like the examples use different stacks. Different processors imply different stacks. So no big deal. Starting from example code. The esp32 example has:
mkr1000 example has:
#include <WiFiSSLClient.h> Anyway, looking at WiFiClient.cpp, which is the base class and also in WiFi101, there is the connectSSL() implementation, and it's a connect call from the WiFiClient base class Client connect() with the SSL socket flag set. I did not find the Client base class in any of the Arduino/Libraries folders, so I assume it's coming from arduino-1.8.3, which I believe is in arduino-1.8.3/hardware/arduino/avr/cores/arduino/Client.h. However, that file defines Client::connect() with just two parameters, host and port. It does not have the option of socket flags. I'm still learning Arduino, so I don't know where the Client base class it's using is defined.
Doing the same but looking for 'class Client'. The search continues. Perhaps this needs to be moved to WiFi101. |
Hi. I encountered the same problem with ESP32, and #221 (comment) helped me solve it. Thanks for sharing. |
This was able to connect to the library using an ESP32-C3. Thank you so much! |
With the latest changes in the past few months in the WiFiClientSecure library (https://github.com/espressif/arduino-esp32/tree/master/libraries/WiFiClientSecure), which is a prerequisite for getting the ESP32-lwmqtt example functional.
The changes ensure that there is a root certificate, or else it does not continue and returns with an error code of "-1", as shown in the code below from file ssl_client.cpp in WiFiClientSecure
What I have noticed is that, as of now, the root certificate defined in the ciotc_config.h file by the variable "root_cert" in line 63 is not used anywhere in the implementation, which causes the secure connection to fail with the given error, as shown in the output below
Please let me know if my understanding is not right, but if it is, then are we planning to use the root certificate in the future?
For anyone else who is facing the same problem, please revert back to the following commit from Jan 21, 2020 of the WiFiClientSecure repository, Commit ID: "ed59ae6482f6b94dd36848c50f0c65727c26a02d" (https://github.com/espressif/arduino-esp32/tree/ed59ae6482f6b94dd36848c50f0c65727c26a02d/libraries/WiFiClientSecure), where the above mentioned changes are not made; at least in my case with this commit I am able to establish a connection with Cloud IoT Core