
openssl command in examples doesn't output full certificate chain (IDFGH-1300) #3593

Closed
will-emmerson opened this issue Jun 6, 2019 · 1 comment

@will-emmerson

Environment

  • IDF version (run git describe --tags to find it): v4.0-dev-728-g826ff7186

Problem Description

The openssl command to get certificates from a server doesn't retrieve the full certificate chain.
This then causes an SSL error when connecting through e.g. mqtts or https.

Expected Behavior

Command should retrieve full certificate chain.

Actual Behavior

Command only retrieves first certificate.

Steps to reproduce

  1. HOST=letsencrypt.org
  2. openssl s_client -showcerts -connect $HOST </dev/null 2>/dev/null | openssl x509 -outform PEM > cert.pem
     -> only outputs the first certificate

Unfortunately I can't find a one-liner which gives the correct behaviour, but the following command shows the full chain, which can then be extracted and copied into a file:

openssl s_client -showcerts -connect $HOST -servername $HOST

This also fixes issue #2867 for servers using SNI.

@github-actions github-actions bot changed the title openssl command in examples doesn't output full certificate chain openssl command in examples doesn't output full certificate chain (IDFGH-1300) Jun 6, 2019
@david-cermak
Collaborator

Hi @will-emmerson

Thanks for raising this issue. Indeed there's a problem with some openssl commands in README.md for the mqtt examples (the reason is that iot.eclipse.org updated their certificates), and the documentation for the examples has to be updated, too.

In general, I do not think there is a universal openssl one-liner to output the ROOT certificate. The example command you've provided, openssl s_client -showcerts -connect $HOST -servername $HOST, should work in most cases; however, there's no guarantee for the chain to contain the root certificate (in that case one needs to find it by other means, usually on the CA's webpage).

I will update the command in README files for the specific hosts used in examples.
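The chain extraction both posts are after, as an added shell example that is not code from the esp-idf project or from either commenter: it keeps every PEM block that s_client prints instead of only the first, and checks whether the last one is a root. It assumes port 443 and uses a constructed s_client transcript (not real certificates) in place of a live server.

```shell
# Added example (not from esp-idf or the issue author): split the output of
# `openssl s_client -showcerts` into every certificate it carries.

# Print all PEM certificate blocks found on stdin, in order (leaf first).
extract_chain() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count the certificates in a PEM stream read from stdin.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print only the last certificate of a PEM stream (usually the intermediate,
# or the root if the server happens to send it).
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }'
}

# Fetch the chain a server presents (with SNI) and save all of it to a file.
fetch_chain() {
    host=$1; out=${2:-chain.pem}
    openssl s_client -showcerts -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | extract_chain > "$out"
    echo "saved $(count_certs < "$out") certificate(s) to $out"
    # If subject and issuer of the last certificate differ, the root is not
    # in the chain and must be obtained from the CA separately.
    last_cert < "$out" | openssl x509 -noout -subject -issuer
}

# Constructed stand-in for s_client output; the PEM bodies are not real certificates.
SAMPLE_SCLIENT_OUTPUT='Certificate chain
 0 s:CN = example.invalid
   i:O = Constructed Intermediate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURMRUFGTk9UQVJFQUxDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
 1 s:O = Constructed Intermediate
   i:O = Constructed Root
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURJTlRFUk1FRElBVEVOT1RBUkVBTENFUlQ=
-----END CERTIFICATE-----
---'

# Run against a real host only when one is given, e.g.: sh chain.sh letsencrypt.org
if [ "$#" -ge 1 ]; then fetch_chain "$1" "$2"; fi
```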

@igrr igrr closed this as completed in 3eda52f Jul 15, 2019
trombik pushed a commit to trombik/esp-idf that referenced this issue Aug 9, 2019