Generating x509_crt_bundle (IDFGH-5933) #7621

Closed
Typoception opened this issue Sep 30, 2021 · 28 comments
Labels
Resolution: Done (Issue is done internally), Status: Done (Issue is done internally)

Comments

@Typoception

Hi. This issue keeps popping up. I'm not sure how to fix it. I've just installed VSCode and the ESP-IDF extension. Tried the project examples (blink) and this appears.

Issue:
Generating x509_crt_bundle
FAILED: esp-idf/mbedtls/x509_crt_bundle
cmd.exe /C "cd /D C:\Users\yahsa\Desktop\NTU\FYP\ESP_Workspace\blink\build\esp-idf\mbedtls && C:\Users\yahsa\esp.espressif\python_env\idf4.3_py3.8_env\Scripts\python.exe C:/Users/yahsa/esp/esp-idf/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py --input C:/Users/yahsa/esp/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem -q"
gen_crt_bundle.py: Invalid certificate in C:/Users/yahsa/esp/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem
Invalid certificate
ninja: build stopped: subcommand failed.

Anyone can guide me on how to solve this?

@espressif-bot espressif-bot added the Status: Opened Issue is new label Sep 30, 2021
@github-actions github-actions bot changed the title from "Generating x509_crt_bundle" to "Generating x509_crt_bundle (IDFGH-5933)" Sep 30, 2021
@AdityaHPatwardhan
Collaborator

Hi @Typoception, thank you for the issue. The issue is because one of the certificates in the cacrt_all.pem file expired recently (30 Sep). That is causing the failure in the build.
Can you please disable the following option and try again to see if it works.
(Top) > Component config > mbedTLS > Certificate Bundle->Enable trusted root certificate bundle

@Typoception
Author

@AdityaHPatwardhan how do I do that? I'm new to VSCode. Can't seem to find the option.

@Typoception
Author

@AdityaHPatwardhan found it. Thanks. Finally works.

@ghada-sellami

Hi @Typoception, thank you for the issue. The issue is because one of the certificates in the cacrt_all.pem file expired recently (30 Sep). That is causing the failure in the build. Can you please disable the following option and try again to see if it works. (Top) > Component config > mbedTLS > Certificate Bundle->Enable trusted root certificate bundle

Could you please tell me how to do this? I'm building from the terminal on Linux.

@Typoception Typoception reopened this Sep 30, 2021
@AStripsTR

@AdityaHPatwardhan Thank you a lot!

@ghada-sellami in your sdkconfig file you can comment out these lines:
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL=y

@italocjs

@AdityaHPatwardhan found it. Thanks. Finally works.

Where is it?
If anyone is blind like me, it can be found here :)

@felmue

felmue commented Oct 1, 2021

Hello guys

I also thought the issue stems from the recently expired Let's Encrypt root certificate (DST Root CA X3), but removing it from cacrt_all.pem did not solve the issue for me.

Doing some debugging I found that the EC-ACC certificate (which has not yet expired) seems to be the culprit. Removing that certificate from cacrt_all.pem allows me to compile successfully again.

I have not dug further so I don't know exactly what is wrong with that certificate.

BTW: there are multiple certificates inside cacrt_all.pem which have expired.

Thanks
Felix

@felmue

felmue commented Oct 2, 2021

Hi guys

The issue seems to be that the EC-ACC certificate is using a negative serial number...

#7631

Thanks
Felix

amirgon added a commit to lvgl/lv_micropython that referenced this issue Oct 2, 2021
Attempt to fix 'gen_crt_bundle.py: Invalid certificate in /home/runner/work/lv_micropython/lv_micropython/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem' error on build_idf43 test. This happens since the certificate expired.

This fix is based on the suggested workaround espressif/esp-idf#7621 (comment)
@espressif-bot espressif-bot added the labels Status: In Progress (Work is in progress), Resolution: Done (Issue is done internally), Status: Done (Issue is done internally) and removed the labels Status: Opened (Issue is new), Status: In Progress (Work is in progress) Oct 8, 2021
AdriZ added a commit to AdriZ/ESP-ADF_Components_Test that referenced this issue Oct 11, 2021
Error: x509_crt_bundle not found.
Due to a certificate expiration
espressif/esp-idf#7621 (comment)
PlatformIO tab (on the left), Project Tasks > esp32dev > Platform > Run Menuconfig
Then: Component config > mbedTLS > Certificate Bundle->Enable trusted root certificate bundle
Deactivate the option.
@DwangDNguyen

I build with ESP-IDF 4.2 in PowerShell. How do I do this?

@italocjs

I build with ESP-IDF 4.2 in PowerShell. How do I do this?

Try running idf.py menuconfig
or editing the config file with a text editor in the project directory (preferably not notepad, maybe vscode or notepad++)

@DwangDNguyen

I build with ESP-IDF 4.2 in PowerShell. How do I do this?

Try running idf.py menuconfig or editing the config file with a text editor in the project directory (preferably not notepad, maybe vscode or notepad++)

I ran idf.py menuconfig before running idf.py build but it still failed.

@AdityaHPatwardhan
Collaborator

Hi @DwangDNguyen, can you try adding a CONFIG_MBEDTLS_CERTIFICATE_BUNDLE= line in your project's sdkconfig.defaults or sdkconfig file. That will disable the esp_crt_bundle by default.
Just to note here: the fix is already part of the release/v4.2 branch of esp-idf. You may just update your esp-idf and it should be fixed.
Thanks

@DwangDNguyen

Hi @DwangDNguyen, can you try adding a CONFIG_MBEDTLS_CERTIFICATE_BUNDLE= line in your project's sdkconfig.defaults or sdkconfig file. That will disable the esp_crt_bundle by default. Just to note here: the fix is already part of the release/v4.2 branch of esp-idf. You may just update your esp-idf and it should be fixed. Thanks

Thanks

@askdesigners

For anyone else getting stuck on this, you need to disable the option in the UI menu if you're in VSCode, as the sdkconfig file gets written automatically on build and will nuke your changes.
Also, I just installed this all from scratch today and hit the same error, so I don't think it's fixed in v4.2.

@mahavirj
Member

@askdesigners

so I don't think it's fixed in v4.2

The fix is already available on the release/v4.2 branch. I would request you to check more details on this in #7631 (comment).

Kindly let us know if you are still facing any issues.

@ttdever

ttdever commented Oct 23, 2021

For people who still have this problem:

You can manually delete the EC-ACC certificate from cacrt_all.pem.

  1. Go to ...\esp-idf\components\mbedtls\esp_crt_bundle
  2. Open cacrt_all.pem with any text editor.
  3. Find "EC-ACC"
  4. Delete everything from "EC-ACC" to "END CERTIFICATE" (like here 4e45f13)

This solved my problem with building 'hello_world' example (I am using release/v4.4)

@hoskam-l

@ttdever Thank you for being so specific.

@olsonap

olsonap commented Nov 1, 2021

What worked for me was:
idf.py menuconfig
Component config --->
mbedTLS --->
Certificate Bundle ---> (directly below [ ] Enable mbedTLS debugging)
Uncheck [ ] Enable trusted root certificate bundle

@askdesigners

Yes this issue still persists in the latest version, but following the directions above to disable the cert works to get builds working again.

@AdityaHPatwardhan
Collaborator

Hi @askdesigners, can you please mention which branch and which commit id you are using, thanks.

@rtheil

rtheil commented Nov 9, 2021

This issue still exists in 4.3.1. Brand new install. None of the above suggestions work.

@AdityaHPatwardhan
Collaborator

AdityaHPatwardhan commented Nov 10, 2021

@rtheil Yes, the release v4.3.1 was released on 9 Sep and the issue came around 30 Sep (after a newer version of the cryptography module was released). The fix should be a part of the v4.3.2 release.
To fix the problem:

  • I would recommend you to check out the release/v4.3 branch, which contains the respective fix.

If that is not possible then as a temporary workaround you can do one of the following steps.
(Please note that the options below are temporary and are not recommended for any production env)
Temp Workaround:

  1. You can revert to an earlier version of cryptography (<35) for the time being; refer to this change.
  2. You can remove the EC-ACC certificate manually from esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem; you can refer to this change.
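Felix's finding above (a negative serial number in the EC-ACC certificate) and the note here that a newer cryptography release started rejecting the bundle can be checked without the cryptography package at all. The following is an added example, not code from this thread or from gen_crt_bundle.py: a minimal DER walker that reads each certificate's serialNumber from a PEM bundle and flags serials that RFC 5280 forbids (negative or zero), which is what a strict X.509 parser stumbles over. The PEM input is constructed inline from certificate skeletons carrying only the fields the walker reads; the helper names and the sample serial values are assumptions of this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(data, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def certificate_serial(der):
    """serialNumber as a signed int: Certificate -> TBSCertificate -> [0] version? -> INTEGER."""
    _, cert_body, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert_body)
    tag, value, pos = der_tlv(tbs)
    if tag == 0xA0:                        # optional EXPLICIT [0] version precedes the serial
        tag, value, pos = der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)   # DER INTEGER is two's complement

def audit_bundle(pem_text):
    """Return [(index, serial, problem)] for certs whose serial violates RFC 5280."""
    findings = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        serial = certificate_serial(base64.b64decode("".join(m.group(1).split())))
        if serial < 0:
            findings.append((i, serial, "negative serialNumber (high bit set in DER INTEGER)"))
        elif serial == 0:
            findings.append((i, serial, "zero serialNumber"))
    return findings

def tlv(tag, body):
    """Encode a DER TLV with a definite length (short or long form); used to build constructed samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert_pem(serial_bytes):
    """Constructed skeleton, NOT a valid X.509 cert: Certificate{TBSCertificate{[0]{INTEGER 2}, INTEGER serial}} in PEM."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial_bytes))
    b64 = base64.encodebytes(tlv(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (fake_cert_pem(b"\x01\x23\x45")     # cert #0: positive serial, passes
                 + fake_cert_pem(b"\xee\x00\x01"))  # cert #1: leading 0xEE, decodes as negative
```

Run audit_bundle over the real cacrt_all.pem text to see which entry a strict parser will refuse; expired certificates are a separate check (validity dates) that this walker does not perform.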

@askdesigners

@AdityaHPatwardhan TBH I'm not really sure as I just installed it all according to the tutorial related to the VSCode extension.

@AdityaHPatwardhan
Collaborator

@askdesigners No issues, I think you are using v4.3.1 as it is the latest release. Please refer to my earlier comment for possible solutions.
Thanks

@rtheil

rtheil commented Nov 10, 2021

Thanks for the suggestions.

  • I would recommend you to check out the release/v4.3 branch, which contains the respective fix.

I've gone through the automated setup in VS Code, and while I attempted to force check out release/v4.3, that results in an error when building.

You can revert to an earlier version of cryptography (<35) for the time being; refer to this change.

Reverting to cryptography <35 still results in the error, and the compiler seems to continue, but in the end it does not generate the blink.bin file as expected.

You can remove the EC-ACC certificate manually from esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem; you can refer to this change.

After making this change, the project does build, so it seems like you must do both, not just one.

In addition, this change causes an error when setting the device target.

(Please note that the options below are temporary and are not recommended for any production env)

I am working on projects that will go into production, so building in this way isn't acceptable. What am I to do until a fix is in place?

@AdityaHPatwardhan
Collaborator

Hi @rtheil
While on release/v4.3:

  1. Please make sure that you have removed build, sdkconfig and sdkconfig.old from the blink example folder.
  2. After checking out the release/v4.3 branch, please ensure that you have updated all the submodules (there must be some option in VS Code to do that).

To remove the last error that you mentioned:
Can you please run the necessary install.bat command to install the required dependencies; part of the fix is to lock the cryptography version.

If you are still facing some issue after this then as a last resort you can do the following.

  • Perform a clean install of the latest idf version. That should be v4.3.1 (which still contains the bug).

a) If you are not using crt_bundle in your project, then please follow this comment to disable crt_bundle for your project. That should fix the issue.
Alternatively,
b) Follow this comment to remove the invalid certificate.

I hope this helps, thanks

cmumford added a commit to cmumford/cap-touch-starter that referenced this issue Nov 13, 2021
Certificate bundle has expired/invalid certs, so disabled as per:
See espressif/esp-idf#7621

This should be temporary once ESP-IDF is updated.
@paullaffitte

Why is this issue closed? It's still not fixed.

@rtheil

rtheil commented Nov 16, 2021

Why is this issue closed? It's still not fixed.

I believe it's referenced here: UncleRus/esp-idf-lib#251

cmumford added a commit to jack-mumford/display-keyboard that referenced this issue Nov 23, 2021
Certificate bundle has expired/invalid certs, so disabled as
per espressif/esp-idf#7621

This should be temporary once ESP-IDF is updated. At present using
ESP-IDF 4.3.1.