platformio / bintray-secure-ota

Over-The-Air firmware upgrades for the Internet of Things devices with JFrog @Bintray
Apache License 2.0

OTA update with JFrog Bintray - Certificate issue #8

Closed xvinny-zz closed 5 years ago

xvinny-zz commented 5 years ago

I watched the video about JFrog Bintray and tried to make it work here. These are the steps I followed:

  1. Created an account on Bintray
  2. Created a repository called WStation
  3. Created a package called bintray-secure-ota
  4. Cloned your sample code
  5. Changed platformio.ini to:
```ini
[bintray]
user = 
repository = WStation
package = bintray-secure-ota
api_token =

[wifi]
ssid = 
password =

release_version = 1
…
```

When the env_default setting (in platformio.ini) is set to release, it uploads the code to Bintray. It is working. When I set env_default to debug and uploaded the firmware to the ESP32, the terminal showed the following log:

```
Device version: v.0
Connecting to … connected!
IP address: 192.168.100.126
[E][ssl_client.cpp:33] handle_error(): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
[E][ssl_client.cpp:35] handle_error(): MbedTLS message code: -9984
[E][WiFiClientSecure.cpp:109] connect(): start_ssl_client: -9984
GET request failed, error, connection refused
Error: Could not parse JSON!
Could not load info about the latest firmware, so nothing to update. Continue …
```

How can I handle this issue?

ivankravets commented 5 years ago

@valeros could you provide instruction here how to update certificates?

cyberman54 commented 5 years ago

Bintray.com changed root certificates. Please take a look at my pull request which should solve this issue, but not the root cause.

ivankravets commented 5 years ago

@cyberman54 Oh, I didn't see it. Sorry! I've just merged https://github.com/platformio/bintray-secure-ota/pull/6

@xvinny Please re-download this repo.

xvinny-zz commented 5 years ago

@ivankravets thank you for the efficient response! I'm gonna test it.

cyberman54 commented 5 years ago

Be aware that this is not a solution. It works until Bintray next changes its certificates, or the current certificate expires.

xvinny-zz commented 5 years ago

Hi @ivankravets, I could make the solution work with the certificate update, but as @cyberman54 said, how do we deal with the root cause, since the certificate can be changed? Thanks in advance.

cyberman54 commented 5 years ago

If certificates can change and we need a certificate to change it on the node, this means we need a backdoor to install it. I think the only solution is to take control of certificate management, which means having your own server-side certificates.

S2Doc commented 5 years ago

Has there been any progress on this issue?

Am I correct that, without server-side certificates, if I deploy 10,000 units in the field, then BinTray changes its certificate, I can no longer do OTA on those devices?

cyberman54 commented 5 years ago

@s2doc yes, that would be the problem, if you don't have a side channel to load the new certificates on your clients.

S2Doc commented 5 years ago

This seems like a paradox. If I had a side channel to load info onto all the remote MCUs, I probably wouldn't need OTA in the first place.

All the OTA libraries I'm finding seem to require an ESP8266 or ESP32 MCU. Do you know of any way to do OTA on a large number of remote uses with M4 (SAMD51) processors?

cyberman54 commented 5 years ago

Yes, it's a paradox, but it could work in a private cloud where you (not a 3rd party) hold the certificates. If there is a need to change the certificate on the server side, you can have an application on your nodes which first fetches and installs the new certificate, then change the certificate on the server. It is still a delicate change, but it is possible to do.

S2Doc commented 5 years ago

That's a clever way around the problem, but I foresee a problem. Some of my nodes may be offline for unknown periods of time (stored in warehouse waiting to be installed, power failure, etc.). If they were not online in time to get the new certificate before the server changes over, they would never be able to connect.

cyberman54 commented 5 years ago

You could use a bootstrap routine in this case, which uses a second certificate to connect to an update server, which provides the production certificate and code.
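The bootstrap routine suggested above, applied to the offline-node case raised earlier in the thread, as an added example that is not part of the original discussion or the project's code. All names (`TrustStore`, `open_ota_link`, the `ota.example` and `boot.example` hosts) are hypothetical, and the TLS handshake is passed in as a callback so the decision logic can be run off-device.

```cpp
#include <functional>
#include <map>
#include <string>

// Hypothetical names. On an ESP32, `connect` would wrap
// WiFiClientSecure::setCACert() + connect(), and `fetch_ca` an HTTPS GET.
using Connect = std::function<bool(const std::string& host, const std::string& ca)>;
using FetchCa = std::function<std::string(const std::string& host, const std::string& ca)>;

struct TrustStore {
    std::string production_ca;  // rewritable storage; root for the OTA host
    std::string bootstrap_ca;   // written at manufacture; root the operator controls
};

enum class Link { Production, Recovered, BootstrapFailed, NewCaRejected };

Link open_ota_link(TrustStore& ts, const std::string& ota_host,
                   const std::string& boot_host, const Connect& connect,
                   const FetchCa& fetch_ca) {
    if (connect(ota_host, ts.production_ca)) return Link::Production;
    // Stored anchor no longer verifies the OTA host (rotated or expired).
    if (!connect(boot_host, ts.bootstrap_ca)) return Link::BootstrapFailed;
    const std::string candidate = fetch_ca(boot_host, ts.bootstrap_ca);
    // Commit the new anchor only after it has verified the real OTA host,
    // so a bad download cannot overwrite the last known anchor.
    if (candidate.empty() || !connect(ota_host, candidate)) return Link::NewCaRejected;
    ts.production_ca = candidate;
    return Link::Recovered;
}

// Constructed simulation: short labels stand in for PEM certificates.
// A node stored in a warehouse wakes up after the OTA host changed its root.
Link simulate_offline_node(TrustStore& ts, const std::string& published_ca) {
    const std::map<std::string, std::string> root_of = {
        {"ota.example", "ROOT-NEW"}, {"boot.example", "ROOT-BOOT"}};
    Connect connect = [&](const std::string& h, const std::string& ca) {
        auto it = root_of.find(h);
        return it != root_of.end() && it->second == ca;
    };
    FetchCa fetch = [&](const std::string& h, const std::string& ca) {
        return connect(h, ca) ? published_ca : std::string();
    };
    return open_ota_link(ts, "ota.example", "boot.example", connect, fetch);
}

int main() {
    TrustStore ts{"ROOT-OLD", "ROOT-BOOT"};
    return simulate_offline_node(ts, "ROOT-NEW") == Link::Recovered ? 0 : 1;
}
```

The bootstrap anchor is the one certificate that cannot be replaced this way, so its validity period bounds how long a node can stay offline and still recover.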

xvinny-zz commented 5 years ago

After struggling with these problems, I developed my own platform in order to store the firmwares, manage the devices and allow the download of firmware updates. The JFrog Bintray is too expensive to use. My service allows me to download the firmwares through WiFi or GSM :-)

cyberman54 commented 5 years ago

@xvinny is your code open source?

xvinny-zz commented 5 years ago

@cyberman54 unfortunately no.. it is private :-|

S2Doc commented 5 years ago

Some approaches to doing this are discussed in this thread of the PlatformIO forums: https://community.platformio.org/t/how-to-do-ota-using-remote-pio/9010