FAILED: esp-idf/mbedtls/x509_crt_bundle (IDFGH-5972) #7660

Closed
Mair opened this issue Oct 7, 2021 · 7 comments
Labels
Resolution: Done Issue is done internally Status: Done Issue is done internally

Mair commented Oct 7, 2021

Environment

  • Development Kit: ALL
  • IDF version (4.3.1 | Master):
  • Build System: idf.py
  • Operating System: Windows (although probably all OSes)
  • Using an IDE?: Yes

Problem Description

Fresh install does not compile and breaks at step +- 633

[633/1003] Generating x509_crt_bundle
FAILED: esp-idf/mbedtls/x509_crt_bundle
cmd.exe /C "cd /D C:\esp\esp-idf\examples\get-started\hello_world\build\esp-idf\mbedtls && C:\esp\tools.espressif\python_env\idf4.4_py3.8_env\Scripts\python.exe C:/esp/esp-idf/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py --input C:/esp/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem -q"
gen_crt_bundle.py: Invalid certificate in C:/esp/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem
Invalid certificate
ninja: build stopped: subcommand failed.
ninja failed with exit code 1

Expected Behavior

fresh installs should compile

Actual Behavior

Broken build

Steps to reproduce

  1. use install wizard or IDF VS code extension to get a fresh copy of the IDF
  2. idf.py build

from #7621

Hi @Typoception, thank you for the issue. The issue is because one of the certificates in the cacrt_all.pem file has expired recently (30 Sep). That is causing the failure in build.
Can you please disable the following option and try again to see if it works?
(Top) > Component config > mbedTLS > Certificate Bundle > Enable trusted root certificate bundle

Originally posted by @AdityaHPatwardhan in #7621 (comment)

However, that issue is marked as closed. I can confirm that doing a clean install with 4.3 or master gives the exact same error.
Sure, I know how to hack it to get it to work, but I have a lot of people I train on the ESP32 relying on the process being simple. Newcomers get stuck and go into despair pretty quickly. I was hoping for an update on when the issue would be resolved.

mahavirj (Member) commented Oct 8, 2021

@Mair

Can you please try fix from #7632? We are integrating this fix (till v4.2 release) internally.

Please see #7631 (comment) for more details.

Mair (Author) commented Oct 8, 2021

@mahavirj Thank you for responding. Do you have a TM when it will be available on V4.2 then V4.3?

mahavirj (Member) commented

@Mair

Do you have a TM when it will be available on V4.2 then V4.3?

Fix has been merged internally till v4.2 branch; it shall appear on GitHub in the next few days. The process to sync with GitHub is automated based on a successful CI pass event, but in case it takes longer we will consider an option to manually push out the fix.

mahavirj (Member) commented

Fix is available on GitHub now (till v4.2). Following are the commit IDs:

master branch: 4e45f13
release/v4.3: caafeff
release/v4.2: b41f432

Sn0wfreezeDev commented

I tested it with the release tagged with v4.3.1 and the issue still occurs.
Switching to release/v4.3 resolves it. It would be great to have a release that is also able to build.

igrr (Member) commented Nov 4, 2021

@Sn0wfreezeDev Definitely, the fix will be included in the next bugfix release of each branch, in this case 4.3.2. Our QA is currently testing 4.3.2 and we plan to release it as soon as the testing is finished.

aguaviva commented Nov 21, 2021

I tried getting the latest certdata.txt and converted it with mk-ca-bundle, still gen_crt_bundle.py fails. I noticed that the cert #43 is the one making the script fail.

                if count!=43:
                    self.certificates.append(x509.load_pem_x509_certificate(crt.encode(), default_backend()))

Adding this "if" worked around the problem
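
An added example, not part of any comment in this thread and not ESP-IDF's gen_crt_bundle.py: instead of hard-coding an index, it reports the position of every entry in a PEM bundle that fails to decode or whose notAfter date has passed, using only the Python standard library. The function names, the 1-based positions and the sample entries are assumptions made for this example.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, p, _ = tlv(der, 0)  # Certificate SEQUENCE
    _, p, _ = tlv(der, p)  # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, p)
    p = end if tag == 0xA0 else p  # skip the optional [0] version
    for _ in range(3):  # skip serialNumber, signature algorithm, issuer
        _, _, p = tlv(der, p)
    _, p, _ = tlv(der, p)  # enter validity SEQUENCE
    _, _, p = tlv(der, p)  # skip notBefore
    tag, start, end = tlv(der, p)
    text = der[start:end].decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 maps YY >= 50 to 19YY
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def scan_bundle(pem_text, now):
    """Yield (position, reason) for entries that fail to parse or are expired at now."""
    for position, block in enumerate(PEM_RE.findall(pem_text), start=1):
        try:
            expiry = not_after(base64.b64decode(block))
            if expiry < now:
                yield position, f"expired {expiry:%Y-%m-%d}"
        except (ValueError, IndexError) as exc:
            yield position, f"unparseable: {exc}"

def _der(tag, body):  # sample-building helper, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_pem(not_after_utc):  # constructed skeleton up to validity, not a real certificate
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"") * 2 + validity)
    b64 = base64.encodebytes(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"
```

To check a real bundle, pass the text of the PEM file and `datetime.now(timezone.utc)` to `scan_bundle` and review each reported position before deciding whether to refresh or drop that entry.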
