esp-idf: FAILED: esp-idf/mbedtls/x509_crt_bundle (Invalid certificate) (IDFGH-3345)
Environment
- Build System: [idf.py]
- Operating System: [Windows]
- (Windows only) environment type: [Plain Command Prompt].
- Using an IDE?: [No]
Problem Description
When I build in IDF4.0 I do not have this problem,
but when I build in IDF4.2 it happened.
Does anyone know how to solve this problem?
Expected Behavior
Just helloworld…
Actual Behavior
[601/796] Generating x509_crt_bundle
FAILED: esp-idf/mbedtls/x509_crt_bundle
cmd.exe /C "cd /D D:\esp23\esp-idf\workspace\blink\build\esp-idf\mbedtls && D:\esp23\.espressif2\python_env\idf4.0_py3.8_env\Scripts\python.exe D:/esp23/esp-idf/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py --input D:/esp23/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem -q"
gen_crt_bundle.py: Invalid certificate in D:/esp23/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem
Invalid certificate
Steps to reproduce
- clone master
- compile it with idf.py
Code to reproduce this issue
the original helloworld.
Debug Logs
[601/796] Generating x509_crt_bundle
FAILED: esp-idf/mbedtls/x509_crt_bundle
cmd.exe /C "cd /D D:\esp23\esp-idf\workspace\blink\build\esp-idf\mbedtls && D:\esp23\.espressif2\python_env\idf4.0_py3.8_env\Scripts\python.exe D:/esp23/esp-idf/components/mbedtls/esp_crt_bundle/gen_crt_bundle.py --input D:/esp23/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem -q"
gen_crt_bundle.py: Invalid certificate in D:/esp23/esp-idf/components/mbedtls/esp_crt_bundle/cacrt_all.pem
Invalid certificate
About this issue
- State: closed
- Created 4 years ago
- Comments: 40 (3 by maintainers)
Commits related to this issue
- FAILED: esp-idf/mbedtls/x509_crt_bundle (Invalid certificate) (IDFGH-3345) #5322. Remove the EC-ACC certificate. — committed to ewpa/esp-idf by ewpa 3 years ago
A possible hackish workaround for us was to downgrade the cryptography package (35.0.0 was just released, the previous version seems to ‘work’):
substituting the correct path (it seems esp tools at least for us do not use the host pip packages directly)
Hi Guys, This was not obvious to me at first but this is what I did to fix this error on Ubuntu:
That should solve the issue without having to check all pip cryptography stuff.
Hope this helps someone.
I found this - https://github.com/espressif/esp-idf/issues/7621
The certificates have expired today. This explains how to disable the certificates.
Same issue. ESP-IDF v4.3.1 running ubuntu 20.04. cacrt_all.zip
I was able to build by disabling the “certificate bundle” in the menuconfig as mentioned above.
For anyone using Visual Code on Win10 and following the Getting Started guide, and ends up on this page 😃
- Select: View->Command Palette
- Enter: ESP-IDF SDK Configuration Editor (menuconfig)
- In the search box on the menuconfig page, enter: “Certificate Bundle”
- Change setting for “Default certificate bundle options” from “Use the full default certificate bundle” to “Use only the most common certificates from the default bundles”
Voila! Thanks all for the above suggestions!
I have submitted a fix here
To be more precise, the EC-ACC certificate is invalid. It works after I removed it.
You can do it with idf.py menuconfig as follows: Navigate to Component config --> mbedTLS --> Certificate Bundle --> Default certificate bundle options and choose use only most common certificates, then build again. Good luck!
The EC-ACC certificate contains a negative serial number:
According to the cryptography release doc, those values are prohibited.
@ZeRico I had the same issue until I fixed the spacing at the beginning to look more like the other lines
I was doing:
I changed it to:
THANKS DUDE, IT WORKS !!!
AFAIK the sdkconfig file is the same, you can edit it with any text editor, or run a command on esp-idf cmd that opens a configuration GUI, not sure which command as I never used it.
You can also download the changed file from this commit and paste it into your PC. It will also fix this.