TLS/SSL certificates for Arduino OPTA/Portenta with IOTMP

Hello Thinger.io Community,

I am working on connecting an Arduino device to a private Thinger server using IOTMP. I’ve set the THINGER_SERVER definition correctly. However, I encounter issues when implementing TLS/SSL security.

When I disable TLS by defining _DISABLE_TLS_, the connection works without any issues. Yet, when I try to include TLS certificates, I face an SSL handshake error displayed as: ERR| error while handling SSL handshake: tlsv1 alert unknown ca (SSL routines)

I have downloaded the certificates using SSL Labs’ SSL Test and have attempted to include them in my project with thing.set_root_ca(SSL_CA_CERT);

SSL_CA_CERT is described as:

const char* SSL_CA_CERT = R"(
-----BEGIN CERTIFICATE-----
... (Server Certificate) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (Intermediate Certificate: R3) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (Root Certificate: ISRG Root X1) ...
-----END CERTIFICATE-----
)";

I also tried declaring single certificates only. Despite this, the device still fails to connect.

Could anyone assist me in troubleshooting this issue or provide guidance on how to correctly implement these certificates?

Thank you for your support!

Hello @aeromek

The thinger.io Arduino library already includes the necessary certificates to connect to our hosted public and private instances. By default it already uses the ISRG Root X1 root certificate, which seems to be the one you need judging from your code. Have you tried enabling TLS without explicitly setting the certificate?

Hi @jaimebs,

Yes, this is how I started. I have two accounts: one free and one with a subscription. When I connect the device to the free account, everything works fine. However, when I connect it to the subscription account, the only change I make in the code is adding: #define THINGER_SERVER "{custom_name}.aws.thinger.io". After this change, I encounter the following error: ERR| error while handling SSL handshake: tlsv1 alert unknown ca (SSL routines). I also tried setting the certificates directly in the code, but as mentioned earlier, this was unsuccessful.

Hi,

Some Arduino devices require SSL certificate installation via the Arduino IDE. This might be applicable in your situation. For detailed instructions, please refer to the following link:

How to Upload SSL Root Certificates

Could this be the issue you are experiencing?

Maybe his problem is similar to what happened to us with our GSM devices that use TLS 1.0 (ESP8266 + SIM800C).
After the February Thinger server update that implemented OpenSSL 3.0, TLS 1.0 and 1.1 were retired.
Now, only devices with TLS 1.2 can connect.

@aeromek, which device are you trying to connect and through which connection (WiFi, GSM, Ethernet…)?
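Two checks a practitioner would run on the situation described so far, as an added example that is not part of this thread or of the thinger.io library: first, inspect a downloaded PEM chain like the one pasted in the opening post, find the self-signed entry (the trust anchor, which is what a root-CA pin wants rather than the leaf or the whole chain) and confirm the leaf really verifies against it; second, probe which TLS protocol versions a server still accepts, which is the point raised just above. It assumes the openssl command-line tool is installed; the host and port are placeholders for your own server (this thread does not state the IOTMP TLS port). The chain functions run offline on a bundle file; the fetch and probe helpers need network access.

```shell
#!/bin/sh
# Added example, not code from the thread or from the thinger.io library.
# Assumes the openssl CLI is installed; host/port are placeholders.

# Split a PEM bundle into one file per certificate: $2/chain-1.pem, chain-2.pem,
# ... in bundle order (the server's leaf normally comes first).
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# Print the subject or issuer DN of a certificate in RFC 2253 form, e.g. "CN=R3".
dn() {
    openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# Echo the path of the self-signed entry (subject == issuer) in a bundle. That
# entry is the trust anchor; a root-CA pin wants it, not the leaf or the chain.
find_root_ca() {
    bundle="$1"; dir="$2"
    split_bundle "$bundle" "$dir"
    for f in "$dir"/chain-*.pem; do
        if [ "$(dn subject "$f")" = "$(dn issuer "$f")" ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no self-signed certificate in $bundle" >&2
    return 1
}

# Verify the bundle's first certificate (the leaf) against a chosen root, with
# the rest of the bundle offered as untrusted intermediates. This is the same
# path-building step the device's TLS stack performs: if it fails here with the
# root the device trusts, the device fails the handshake too.
verify_leaf() {
    bundle="$1"; root="$2"; dir="$3"
    split_bundle "$bundle" "$dir"
    openssl verify -CAfile "$root" -untrusted "$bundle" "$dir/chain-1.pem"
}

# Network-only helpers (not exercised offline).
# Fetch the chain a server actually presents, as a PEM bundle:
#   openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
#     | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > bundle.pem
# Report which protocol versions the server accepts. A refusal can also come
# from the local OpenSSL build's own security level, so read the output with care.
probe_tls_versions() {
    host="$1"; port="$2"
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client "-$v" -connect "$host:$port" </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: refused"
        fi
    done
}
```

Usage: `root=$(find_root_ca bundle.pem ./out) && verify_leaf bundle.pem "$root" ./out` prints `chain-1.pem: OK` when the downloaded chain is internally consistent; `probe_tls_versions myserver.example 25206` (port is an assumption) shows whether anything below TLS 1.2 is still answered.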

@George_Santiago I attempted to connect an unsupported device (Opta) over WiFi (since it’s similar to the Portenta). I’ll wait for official support.

Hi @aeromek,

I have a Portenta H7 Board (same chip as the Opta) and I was not able to connect it to the platform using TLS. After some digging (the info about these boards seems to be somewhat hidden), I found that it is possible to update the WiFi firmware, which also updates the TLS certificates on the board. The process is simple and involves loading the “WiFiFirmwareUpdater” from STM32h747_system:


You can then flash it and write ‘Y’ on the Serial Monitor when prompted. After the process is completed, you can flash the regular Thinger.io sketch and it will connect with TLS out of the box. I will add this info to the docs! I think it will be the same for Arduino Opta.

More details here:

Update Wi-Fi firmware on Portenta H7 boards

Thank you @alvarolb. I can confirm that updating the WiFi firmware resolved the issue, and now Opta can connect using TLS.
