CC3220SF: Problem with certificate to Github

Part Number: CC3220SF
Other Parts Discussed in Thread: CC3200, UNIFLASH

Hi,

Approx. three years ago we started developing for CC3220SF. We already had CC3200 running in production, and because we prolonged our production we stopped developing for CC3220SF. Recently we started again as we were missing the safety features from CC3220SF. At the time we stopped the development for CC3200SF we had more or less the core functionality up and running, including OTA from Github.

Now when we ran the exact same software as when we stopped, we got a certificate error:

So I assumed that the certificate had changed from "DigiCert High Assurance EV Root CA" to "DigiCert Global Root CA". So I changed the certificate in the flash file and code. But I am still getting the same certificate error. Any help would be appreciated as I have been stuck for several days trying to figure this out.

ORIGINAL OTAUSER.H
==================

/* Github server info */
#define OTA_SERVER_NAME                 "api.github.com"
#define OTA_SERVER_IP_ADDRESS           0x00000000
#define OTA_SERVER_SECURED             1

/* Github vendor info */
#define OTA_VENDOR_ROOT_DIR             "/xxxxx/xxxxx/OTA" /* Removed before posting to TI e2e */
#define OTA_VENDOR_TOKEN              "SimpleLink"
#ifndef OTA_VENDOR_TOKEN
#error "Please define your personal cloud account token in OTA_VENDOR_TOKEN above"
#endif

#define OTA_SERVER_ROOT_CA_CERT         "DigiCertHighAssuranceEVRootCA.crt"
#define OTA_SERVER_AUTH_IGNORE_DATA_TIME_ERROR
#define OTA_SERVER_AUTH_DISABLE_CERT_STORE



LOGS WITH ORIGINAL CERTIFICATE
==============================

OtaInit: statistics = 0, 0, 0
OtaInit: call Ota_init
OTA_init: sizeof CdnClient=576, sizeof OtaArchive=4956
OTA_init: sizeof OtaLib_t=7736, sizeof OTA_memBlock=7800
OTA_init: OTA lib version = OTA_LIB_2.0.0.7
OtaArchive_Init: OTA archive version = OTA_ARCHIVE_2.0.0.4
OtaConfig: call OTA_set EXTLIB_OTA_SET_OPT_SERVER_INFO,ServerName=api.github.com
OtaConfig: call OTA_set EXTLIB_OTA_SET_OPT_VENDOR_ID, VendorDir=CC3220SF
OTA_run: call CdnClient_ConnectServer OTA server=api.github.com
CdnClient_ConnectServer: HttpClient_Connect api.github.com
HttpClient_Connect: IP_ADDR=140.82.121.5
SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA
Please install the following Root Certificate:
  DigiCert Global Root CA
HttpClient_Connect: ERROR Socket Connect, status=-688
CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=1/5, return only WARNNING
OtaRunStep: WARNING Ota_run, Status=20006, continue fornext OTA retr



NEW OTAUSER.H
==================

/* Github server info */
#define OTA_SERVER_NAME                 "api.github.com"
#define OTA_SERVER_IP_ADDRESS           0x00000000
#define OTA_SERVER_SECURED             1

/* Github vendor info */
#define OTA_VENDOR_ROOT_DIR             "/xxxxx/xxxxx/OTA" /* Removed before posting to TI e2e */
#define OTA_VENDOR_TOKEN              "SimpleLink"
#ifndef OTA_VENDOR_TOKEN
#error "Please define your personal cloud account token in OTA_VENDOR_TOKEN above"
#endif

#define OTA_SERVER_ROOT_CA_CERT         "digicertglobalrootca.crt"
//#define OTA_SERVER_ROOT_CA_CERT         "DigiCertHighAssuranceEVRootCA.crt"
#define OTA_SERVER_AUTH_IGNORE_DATA_TIME_ERROR
#define OTA_SERVER_AUTH_DISABLE_CERT_STORE




LOGS WITH NEW CERTIFICATE
==============================

OtaInit: statistics = 0, 0, 0
OtaInit: call Ota_init
OTA_init: sizeof CdnClient=576, sizeof OtaArchive=4956
OTA_init: sizeof OtaLib_t=7736, sizeof OTA_memBlock=7800
OTA_init: OTA lib version = OTA_LIB_2.0.0.7
OtaArchive_Init: OTA archive version = OTA_ARCHIVE_2.0.0.4
OtaConfig: call OTA_set EXTLIB_OTA_SET_OPT_SERVER_INFO,ServerName=api.github.com
OtaConfig: call OTA_set EXTLIB_OTA_SET_OPT_VENDOR_ID, VendorDir=CC3220SF
OTA_run: call CdnClient_ConnectServer OTA server=api.github.com
CdnClient_ConnectServer: HttpClient_Connect api.github.com
HttpClient_Connect: IP_ADDR=140.82.121.5
SL_SOCKET_ASYNC_EVENT: ERROR - WRONG ROOT CA
Please install the following Root Certificate:
  DigiCert Global Root CA
HttpClient_Connect: ERROR Socket Connect, status=-688
CdnClient_ConnectServer: ERROR HttpClient_Connect, Status=-20304
OTA_run: ERROR CdnClient_ConnectServer, Status=-20304

_OtaCheckConsecutiveErrors: ConsecutiveOtaErrors=1/5, return only WARNNING
OtaRunStep: WARNING Ota_run, Status=20006, continue fornext OTA retry

  • Please check the content of the certificate file in the file system. 

    According to the error log the server chain was signed by "DigiCert Global Root CA" but you are not verifying with some other certificate.

    I understand that by editing the otauser.h and changing the CA file you were trying to do just that, but it seems that the content of the file is different.

    (I have never seen error -688 when the right certificate is in place).

  • Hi Kobi,

    I downloaded the certificate from Uniflash, but the content is right as I can see it. Please see below:

  • Did you rebuild the ota library following the otauser.h update?

    Make sure to build the library and verify that the newly created lib file is linked with the application.

  • I switched to the new SDK and got it to work. For me it seems that the issue was that it needed support for two certificates which is introduced in the new SDK. BTW I think TI should check if documents should be updated when releasing new SDK. I.e. the OTA document for CC3220SF does not reflect the instructions in Simplelink Academy. And in the Simplelink Academy the latest SDK is 6.10 while the latest SDK released is 7.10.

  • It is not that 2 certificates are needed for the connection, but the new SDK (actually from 6.10) allows you to set 2 root CAs so the OTA_IF module can try both (try to connect with the first and, if it fails, retry with the 2nd). It was made specifically for supporting a transition period when the server may switch to a new certificate (so temporarily you need both the old and new root CA).

    We know that the SL Academy was not updated with the recent SDK. I currently can't commit to a date in which it will be updated. 

    For now (until the SL Academy is updated) the Readme of the MQTTClient example is the best resource of information.
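
The two-root-CA retry described in the last reply, as an added example that is not part of the thread and is not TI's OTA_IF code. `connect_with_ca_fallback`, `tls_connect_fn` and `fake_connect` are hypothetical names; the -688 status and the certificate file names come from the posts above, and falling back only on a root-CA mismatch is this example's assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status from the log in this thread: TLS connect rejected, wrong root CA. */
#define ERR_WRONG_ROOT_CA (-688)
/* Hypothetical connect hook: returns 0 on success, negative status on failure. */
typedef int (*tls_connect_fn)(const char *host, const char *root_ca_file);
/* Try each configured root CA in order. Move on to the next one only after a
 * root-CA mismatch; any other error is returned at once (assumption of this
 * example). Verification is never skipped: if no CA validates, the call fails. */
int connect_with_ca_fallback(tls_connect_fn do_connect, const char *host,
                             const char *const ca_files[], size_t n_ca,
                             const char **used_ca)
{
    int status = ERR_WRONG_ROOT_CA;
    *used_ca = NULL;
    for (size_t i = 0; i < n_ca; i++) {
        if (ca_files[i] == NULL || ca_files[i][0] == '\0')
            continue;                      /* slot not configured */
        status = do_connect(host, ca_files[i]);
        if (status == 0) {
            *used_ca = ca_files[i];
            return 0;
        }
        if (status != ERR_WRONG_ROOT_CA)
            return status;                 /* e.g. network error: do not mask it */
    }
    return status;
}

/* Constructed stand-in for the server: its chain validates against one root only. */
static const char *server_root = "digicertglobalrootca.crt";
static int attempts;
int fake_connect(const char *host, const char *root_ca_file)
{
    (void)host;
    attempts++;
    return strcmp(root_ca_file, server_root) == 0 ? 0 : ERR_WRONG_ROOT_CA;
}

int main(void)
{
    const char *cas[] = { "DigiCertHighAssuranceEVRootCA.crt", "digicertglobalrootca.crt" };
    const char *used;
    int rc = connect_with_ca_fallback(fake_connect, "api.github.com", cas, 2, &used);
    printf("status=%d ca=%s attempts=%d\n", rc, used ? used : "(none)", attempts);
    return rc;
}
```

If neither configured root validates the chain, the function returns the mismatch status and the caller stays disconnected instead of proceeding unverified.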