ESP32 Issues with certificates (error=Unknown certificate authority [537])

Hello,

First of all, I love this project and what is made possible with TeddyCloud, we switched from Tonuino to Teddycloud.

I am a newbie and got everything running, except for the boxine connection (codeword owl). I found out that the chances are high I messed up with the certificates. However, I am having trouble finding the best way to resolve it. What I did so far:

  • Installed Teddycloud (Docker) on Synology Diskstation with the wrong ports
  • Downloaded the unpatched firmware and the patched firmware as a backup on my PC
  • Got the issues with port 443, so that my box could not connect to teddycloud
  • Flashed the Toniebox with the unpatched firmware (everything was working fine again)
  • Deleted the old container and created a new container.
  • Flashed the Toniebox again (due to connection loss, I needed to repeat it)
  • Everything works fine except for the Boxine connection. I get the codeword owl and the following details are stored in the log:

INFO |handler_cloud.c:0724:handleCloudContent| Serve cloud content from /v2/content/43567e1d500304e0
INFO |cloud_request.c:0200:web_request| Connecting to HTTP server prod.de.tbs.toys:443…
INFO |cloud_request.c:0252:web_request| trying IP: 18.156.186.144
ERROR|cloud_request.c:0262:web_request| Failed to connect to HTTP server! HTTP=Unknown HTTP Status Code error=Unknown certificate authority [537]

Reading in this forum I think due to the multiple patchings and deleting the first container, there seems to be a mess-up with the certificates. (Like in https://forum.revvox.de/t/stuck-at-accessing-esp32/593)

What I do not understand are the following questions:

  • As the box worked fine after patching the unpatched firmware again, can I assume that the original certificates are saved there?
  • How/Can I get the certificates from the initial unpatched firmware?
  • Is there a way without patching 2 times again?
  • Is there an easy way to check the certificates?

Have a look into the legacy approach. IIRC you can extract the certificates also from the backup.

You could also use the certificate check script that was posted here in the forum lately in various troubleshootings.

Yes and yes.

Most probably your client certificate is wrong, it’s from Teddy, not from Boxine (because you patched an already patched box). This can be fixed inside your teddycloud container. No need to reflash the box.

You can fix this by doing the following:

  1. Connect to your teddycloud container:
    docker exec -it teddycloud bash

  2. Download the Boxine CA certificate (one line):
    echo "" | openssl s_client -host prod.de.tbs.toys -port 443 -showcerts | awk '/BEGIN CERTIFICATE/ {p=1} ; p==1; /END CERTIFICATE/ {p=0}' | awk '$0=="-----BEGIN CERTIFICATE-----" {n++} n>2' | openssl x509 -outform der -out /tmp/ca.der

  3. Copy the Boxine CA to the teddycloud client folder and all subfolders (2 commands):
    cp /tmp/ca.der /teddycloud/certs/client/ca.der
    for d in /teddycloud/certs/client/*/; do cp /tmp/ca.der "$d"; done

  4. Check if your certificates are correct by running this one-liner:
    curl -s "https://gist.githubusercontent.com/marco79cgn/9709b218fec5608a3ed6b2892d600aed/raw/dc059ce3ab0f728994f43ada5c4f033d743c21ec/check-tc-certificates.sh" -o /tmp/check-certs.sh && chmod +x /tmp/check-certs.sh && /tmp/check-certs.sh

Thank you 1000 times! This helped a lot, it is working now 🙂

Just a short question: this test script shows the following:

Checking teddyCloud certificates…

Server:

ca.der: OK
ca-key.pem: OK
ca-root.pem: OK
ca-root.srl: File not found!
teddy-cert.pem: OK
teddy-key.csr: File not found!
teddy-key.pem: OK

Client (default):

ca.der: OK
client.der: OK
private.der: OK

Client per box:

744dXXXXXXXX/ca.der: OK
744dXXXXXXXX/client.der: OK
744dXXXXXXXX/private.der: OK

Can you or somebody else explain what these two files do and if it is an issue that they were not found? (As everything is working at the moment, I am just wondering).

And once again thanks a lot!

Thanks for the feedback.

These two missing files are not mandatory. They are created when using the gencert.sh script (manually), but obviously not in the case of automatic generation. I will exclude those two files in the next update.
