I have some IoT devices connecting to an nginx server periodically, using ssl.
The server is configured with a letsencrypt certificate and configured with:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
This was running for years without a problem.
However, my devices can't connect anymore since the server got the newest letsencrypt certificate today: 2021-06-01
If I change to an older certificate, it works again (OK, I get a warning that the certificate is not valid, but the communication is working).
Any help ?
It is an embedded SSL library for the ESP8266 that was available at that time, and I have no details or specifications. The client is using SSL because that is what the server is using, which means there are no specific security issues involved. However, the same server also supports desktop browsers, so it is important that the certificate is up to date. The devices are using a slightly different domain name, so I might be able to configure the server to use updated certificates for desktop browsers and the old certificate for the IoT devices. Not sure it is possible. The other option is to update the IoT devices to support the new certificate.
This will be lots of work.
What has changed in the certificate between 2021-05-31 and 2021-06-01?
Do you have better ideas ?
The default certificate chain that Let's Encrypt uses changed on May 4th (see here). If this is the first time your certificate renewed since that date, then I would guess your issue is related to that event.
I think things depend on how you have programmed the SSL library on the ESP8266 device. From reading some documents, it doesn't look like these devices have a set of CAs that they trust. Would you be able to answer the question: what CA certificates do you have your devices set to trust?
These IoT devices are using an old (ESP8266_NONOS_SDK_V1.5.3_16_04_16) espressif libssl.a,
which is closed source, so I have no way to debug it. Also, I do not get any error message. My devices just reboot after emitting: client handshake start.
Next I get: Fatal exception 29(StoreProhibitedCause):
and the device reboots.
It's weird that you would get a crash because of the chain change, if you are not even doing verification.
I wonder if the tiny memory on these devices is too little to deal with the 3 certificates in the chain. If you temporarily remove the last certificate in the chain on the webserver side (the "ISRG Root X1" one), do your devices still crash?
OK, well, that throws a bit of a spanner in the works. My initial guess is that your new certificate chain is somehow too long for a buffer in the old SDK and is crashing. However, I can't find any sources for that SDK, or even one close to that old, so it's all just guesswork.
How are you obtaining your current certificate, and what ACME client software are you using? You may be able to obtain an alternate chain path and try installing that on your web server to test a shorter chain.
If you temporarily remove the last certificate in the chain on the webserver side (the "ISRG Root X1" one),
Not sure how to do it.
The certificate used is fullchain.pem. There is also one called chain.pem. If I specify chain.pem I get an error (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch).
I haven't tried deleting the last cert from the fullchain.pem file.
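The two practical questions in this thread, how to drop the last certificate from fullchain.pem to test the "chain too long for the SDK" theory, and why pointing nginx at chain.pem produces X509_check_private_key "key values mismatch", can both be worked through with a few shell functions. The script below is an added example, not code from the thread or from any Let's Encrypt tooling. It assumes the bundles are ordinary PEM files as certbot-style clients write them (leaf first, root or cross-signed root last) and that openssl is installed for the two inspection helpers; the file paths and the three-block sample bundle are constructed for illustration and contain placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original thread). Works on PEM bundles such
# as certbot's fullchain.pem / chain.pem. Assumed paths are illustrative.

# Count the certificates in a PEM bundle by its BEGIN markers.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Copy bundle $1 to $2 minus its last certificate block.
# For a June 2021 Let's Encrypt fullchain.pem (leaf, R3, cross-signed
# "ISRG Root X1") this leaves leaf + R3, the shorter chain the thread
# suggests testing against the ESP8266 devices.
drop_last_cert() {
    total=$(count_certs "$1")
    awk -v keep="$((total - 1))" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n <= keep { print }
    ' "$1" > "$2"
}

# Print subject/issuer of every certificate in a bundle, in file order,
# so you can see which block is the root before removing it (needs openssl).
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Succeed only if the private key $2 matches the FIRST certificate in $1.
# nginx's ssl_certificate must start with the leaf, which is why
# chain.pem (whose first cert is R3) fails with "key values mismatch".
key_matches_first_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Constructed three-block sample bundle with placeholder bodies (NOT real
# certificates); it exercises the text-processing helpers offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
R3BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTBODY
-----END CERTIFICATE-----
EOF
}

# Typical use on a real host (paths are an assumption):
#   live=/etc/letsencrypt/live/example.com
#   list_chain "$live/fullchain.pem"
#   drop_last_cert "$live/fullchain.pem" "$live/trimmedchain.pem"
#   key_matches_first_cert "$live/trimmedchain.pem" "$live/privkey.pem" \
#       && echo "trimmed chain still starts with the leaf"
# then in nginx:
#   ssl_certificate     /etc/letsencrypt/live/example.com/trimmedchain.pem;
#   ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
```

Two caveats for anyone trying this: the trimmed file is a copy, so it goes stale at the next renewal unless the command is re-run from a renewal hook, and removing the last block only changes what the server sends; a client that already trusts the new root does not need it, but one that relied on the cross-signed block being present will now fail verification rather than crash, so test with the real devices, not just a desktop browser.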