SSL certificate verification: [Cert not yet valid] despite using RTC clock #5022
Description
Basic Infos
- This issue complies with the issue POLICY doc.
- I have read the documentation at readthedocs and the issue is not addressed there.
- I have tested that the issue is present in current master branch (aka latest git).
- I have searched the issue tracker for a similar issue.
- [?] If there is a stack dump, I have decoded it.
- I have filled out all fields below.
Platform
- Hardware: [ESP 8266 (Adafruit Feather Huzzah)]
- Core Version: [2.4.1]
- Development Env: [Arduino IDE]
- Operating System: [Ubuntu]
Settings in IDE
-
Module: [Adafruit Feather HUZZAH ESP8266]
-
Flash Mode: [?]
-
Flash Size: [4MB]
-
lwip Variant: [v2 Lower Memory]
-
Reset Method: [?]
-
Flash Frequency: [40Mhz]
-
CPU Frequency: [80Mhz]
-
Upload Using: [SERIAL]
-
Upload Speed: [921600] (serial upload only)
-
Erase Flash: All Flash Contents
Problem Description
I cannot get the Verify Cert Chain to properly work. It complains about the certificate not being yet valid,
even though it is.
I am using a RTC to get realtime, and it works, but still ssl_verify_cert fails.
When commented out, the connection works without problem.
I have not found any documentation regarding SSL certificate verification.
Side note: The documentation claims TLSv1.2 is not supported, yet it works here (tested with wireshark)
is that a bug, or is the documentation outdated?
The code I provide is shortened to the relevant parts, as it is quite long. Feel free to ask for the entirety if
necessary.
Parts of the DEBUG message (Names, Company names etc) have been removed for confidentiality reasons, I have the absolute certainty they are valid, as they have been tested in other circumstances.
MCVE Sketch
#include <SPI.h>
#include <Adafruit_BME280.h>
#include <ESP8266WiFi.h>
#include <PubSubClient.h>
#include <ArduinoOTA.h>
#include <certificates.h>
#include "RTClib.h"
RTC_PCF8523 rtc;
char daysOfTheWeek[7][12] = {"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"};
#define BME_CS 16 // Chip select pin
Adafruit_BME280 bme(BME_CS); // You must connect the BME280 on the SPI standard hardware ports
// Update these with values suitable for your network.
const char* ssid = "devRSU";
const char* password = "Wifi4Dev007";
const char* mqtt_server = "192.168.0.113";
WiFiClientSecure espClient; // Opens secure network
PubSubClient client(espClient);
void wifi() {
WiFi.begin(ssid, password);
WiFi.mode(WIFI_STA);
while (WiFi.status() != WL_CONNECTED) { // Waits for connection
Serial.print(".");
// wait 1 second for re-trying
delay(1000);
}
}
void reconnect() {
// Loop until we're reconnected
while (!client.connected()) {
//espClient.setCertificate(esp8266_bin_crt, esp8266_bin_crt_len);
//espClient.setPrivateKey(esp8266_bin_key, esp8266_bin_key_len);
//espClient.setCACert(ca_bin_crt, ca_bin_crt_len);
Serial.print("Attempting MQTT connection...");
if (client.connect("ESP8266Client")) {
Serial.println("connected");
client.subscribe("/password"); // Once connected, publish an announcement...
if (espClient.verifyCertChain(mqtt_server)) {
Serial.println("Server certificate verified");
} else {
Serial.println("ERROR: certificate verification failed! Halting execution");
while (1)
yield();
}
} else {
Serial.print("failed, rc=");
// Serial.print(client.state());
Serial.println(" try again in 5 seconds");
delay(5000);
}
}
}
void setup() {
Serial.begin(57600);
if (! rtc.begin()) {
Serial.println("Couldn't find RTC");
while (1);
}
if (! rtc.initialized()) {
Serial.println("RTC is NOT running!");
rtc.adjust(DateTime(F(__DATE__), F(__TIME__)));
}
DateTime now = rtc.now();
Serial.print(now.year(), DEC);
Serial.print('/');
Serial.print(now.month(), DEC);
Serial.print('/');
Serial.print(now.day(), DEC);
Serial.print(" (");
Serial.print(daysOfTheWeek[now.dayOfTheWeek()]);
Serial.print(") ");
Serial.print(now.hour(), DEC);
Serial.print(':');
Serial.print(now.minute(), DEC);
Serial.print(':');
Serial.print(now.second(), DEC);
Serial.println();
wifi();
espClient.setCertificate(esp8266_bin_crt, esp8266_bin_crt_len);
espClient.setPrivateKey(esp8266_bin_key, esp8266_bin_key_len);
espClient.setCACert(ca_bin_crt,ca_bin_crt_len);
client.setServer(mqtt_server, 8883);
client.setCallback(callback);
bme.begin();
}
void loop() {
if (!client.connected()) {
reconnect();
}
client.loop();
}
Debug Messages
connected with devRSU, channel 1
dhcp client start...
wifi evt: 0
ip:192.168.0.111,mask:255.255.255.0,gw:192.168.0.1
wifi evt: 3
Attempting MQTT connection...[hostByName] Host: 192.168.0.113 is a IP!
:ref 1
:ref 2
State: sending Client Hello (1)
:wr 94 94 0
:wrc 94 94 0
:sent 94
:rn 536
:rd 5, 536, 0
:rdi 536, 5
:rd 74, 536, 5
:rdi 531, 74
State: receiving Serv:rch 536, 536
:rch 1072, 536
:rch 1608, 358
er Hello (2)
:rd 5, 1966, 79
:rdi 457, 5
:rd 1826, 1966, 84
:rdi 452, 452
:c 452, 536, 1966
:rdi 536, 536
:c 536, 536, 1430
:rdi 536, 536
:c 536, 536, 894
:rdi 358, 302
State: receiving Certificate (11)
=== CERTIFICATE ISSUED TO ===
Common Name (CN):
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
=== CERTIFICATE ISSUED BY ===
Common Name (CN):
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
Not Before: Wed Jul 18 07:04:12 2018
Not After: Sat Jul 13 07:04:12 2019
RSA bitsize: 2048
Sig Type: SHA256
=== CERTIFICATE ISSUED TO ===
Common Name (CN):
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
Basic Constraints: critical, CA:TRUE, pathlen:10000
=== CERTIFICATE ISSUED BY ===
Common Name (CN): S
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
Not Before: Wed Jul 18 07:02:24 2018
Not After: Tue Jul 18 07:02:24 2023
RSA bitsize: 2048
Sig Type: SHA256
:rd 5, 358, 302
:rdi 56, 5
:rd 42, 358, 307
:rdi 51, 42
State: receiving Certificate Request (13)
:rd 5, 358, 349
:rdi 9, 5
:rd 4, 358, 354
:rdi 4, 4
:c0 4, 358
State: receiving Server Hello Done (14)
State: sending Certificate (11)
:wr 876 876 0
:wrc 256 876 0
:wrc 256 620 0
:wrc 256 364 0
:wrc 108 108 0
:sent 536
:sent 340
State: sending Client Key Exchange (16)
:wr 267 267 0
:wrc 256 267 0
:wrc 11 11 0
:sent 267
pm open,type:2 0
State: sending Certificate Verify (15)
:wr 269 269 0
:wrc 256 269 0
:wrc 13 13 0
:wr 6 6 0
:wrc 6 6 0
State: sending Finished (16)
:wr 85 85 0
:wrc 85 85 0
:sent 269
:sent 91
:rn 91
:rd 5, 91, 0
:rdi 91, 5
:rd 1, 91, 5
:rdi 86, 1
:rd 5, 91, 6
:rdi 85, 5
:rd 80, 91, 11
:rdi 80, 80
:c0 80, 91
State: receiving Finished (16)
:wr 85 85 0
:wrc 85 85 0
:sent 85
:rn 69
:rd 5, 69, 0
:rdi 69, 5
:rd 64, 69, 5
:rdi 64, 64
:c0 64, 69
:wcs ra 4
connected
:wr 85 85 0
:wrc 85 85 0
=== CERTIFICATE :sent 85
:rn 69
ISSUED TO ===
Common Name (CN):
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
=== CERTIFICATE ISSUED BY ===
Common Name (CN):
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
Not Before: Wed Jul 18 07:04:12 2018
Not After: Sat Jul 13 07:04:12 2019
RSA bitsize: 2048
Sig Type: SHA256
Verify: Cert is not yet valid
=== CERTIFICATE ISSUED TO ===
Common Name (CN):
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
Basic Constraints: critical, CA:TRUE, pathlen:10000
=== CERTIFICATE ISSUED BY ===
Common Name (CN):
Organization (O):
Organizational Unit (OU):
Location (L):
Country (C):
State (ST):
Not Before: Wed Jul 18 07:02:24 2018
Not After: Tue Jul 18 07:02:24 2023
RSA bitsize: 2048
Sig Type: SHA256
Verify: Cert is not yet valid
ssl_verify_cert returned -516
Error: Cert is not yet valid
ERROR: certificate verification failed! Halting execution
:rch 69, 69
:rcl
:abort