mbedtls_x509_crt_parse returned -0x2180 (CA-293) #183

Open
zhichunlee opened this issue May 22, 2023 · 8 comments

Comments

@zhichunlee

Hi
I used the thing_shadow example of esp-aws-iot-202210.01-LTS-release to connect to AWS IoT, and got the following error info:
esp-tls-mbedtls: mbedtls_x509_crt_parse returned -0x2180
esp-tls-mbedtls: Failed to set client pki context
esp-tls-mbedtls: Failed to set client configurations, returned [0x8015] (ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED)

The Root CA certificate and client key are downloaded from AWS and worked in an old version of the SDK (perhaps 202203).
Why can't these certificates and keys work with the latest SDK? What are the differences in certificate and key management between the latest SDK and the previous version? How do I apply the certificate and key obtained from the SDK of an earlier version to the latest version?

@tom-borcin tom-borcin changed the title mbedtls_x509_crt_parse returned -0x2180 mbedtls_x509_crt_parse returned -0x2180 May 23, 2023
@github-actions github-actions bot changed the title mbedtls_x509_crt_parse returned -0x2180 mbedtls_x509_crt_parse returned -0x2180 (CA-293) May 23, 2023
@Stencht

Stencht commented Sep 11, 2023

hi @zhichunlee ,

Did you find a solution?
I'm hitting the same error.

@aidiaz

aidiaz commented Sep 12, 2023

Bumped this submodule of our repo to a newer release and am having the same behaviour. Tested the certificates with the older project and they work just fine :(

@zhichunlee
Author

hi Stencht
Unfortunately, I haven't found a solution yet, so I can only use the old version first.

@Aldo-GomezCL

Having the exact same problem, good to know that it was already reported, but concerning that the issue is not being looked at.

@aidiaz

aidiaz commented Oct 9, 2023

This issue is due to the absence of certificate length definitions; now the length must be passed after the certificate in the network context structure. Somewhere in the examples a certificate is defined in the code and its length is passed to the network context.

@monkeytronics

monkeytronics commented Jan 26, 2024

@aidiaz I'm having the exact same issue. I noticed that the null termination appears to be missing when I retrieve the cert from NVS. I'm needing to add + 1 onto the len of any string pulled out of NVS... And now it works. NB, I get the endpoint and root CA from local binary files.

    /* EndPt & Port into network context. */
    xNetworkContext.pcHostname = (const char *) endpoint_txt_start;
    xNetworkContext.xPort = 8883;

    /* Device Cert into network context (length includes the NUL terminator). */
    xNetworkContext.pcClientCert = (const char *) cert;
    xNetworkContext.pcClientCertSize = strlen(cert) + 1;

    /* Device Key into network context (length includes the NUL terminator). */
    xNetworkContext.pcClientKey = (const char *) priv_key;
    xNetworkContext.pcClientKeySize = strlen(priv_key) + 1;

    /* Root CA certificate into network context (embedded binary already carries its NUL). */
    xNetworkContext.pcServerRootCA = (const char *) aws_root_ca_pem_start;
    xNetworkContext.pcServerRootCASize = aws_root_ca_pem_end - aws_root_ca_pem_start;

On the downside, I immediately run into another error. But that's generally how it works, isn't it?!

E (20053) coreMQTT: A single byte was not read from the transport: transportStatus=-1.
E (20053) coreMQTT: CONNACK recv failed with status = MQTTRecvFailed.
E (20063) coreMQTT: MQTT connection failed with status = MQTTRecvFailed.
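The reason the `+ 1` matters, as an added illustration that is not code from this thread or from esp-aws-iot: `mbedtls_x509_crt_parse` only treats a buffer as PEM when the byte at `buf[buflen - 1]` is `'\0'`; otherwise it hands the bytes to the DER parser, and ASCII PEM text then fails with `MBEDTLS_ERR_X509_INVALID_FORMAT` (-0x2180). The helper below reproduces that check without linking mbedtls; `sample_pem` is a constructed PEM-shaped string, not a real certificate, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum cert_kind { CERT_PEM, CERT_DER_ATTEMPT };

/* Mirrors the PEM-vs-DER decision in mbedtls_x509_crt_parse(): PEM only if the
 * last byte inside buflen is the NUL terminator AND a BEGIN marker is present.
 * Anything else goes to the DER parser, which rejects PEM text with -0x2180. */
enum cert_kind classify_like_mbedtls(const unsigned char *buf, size_t buflen)
{
    if (buflen != 0 && buf[buflen - 1] == '\0' &&
        strstr((const char *)buf, "-----BEGIN CERTIFICATE-----") != NULL) {
        return CERT_PEM;
    }
    return CERT_DER_ATTEMPT;
}

/* Size to put in pcClientCertSize / pcClientKeySize for a NUL-terminated PEM
 * string: strlen() + 1 so the terminator is inside the length mbedtls sees. */
size_t pem_size_for_network_context(const char *pem)
{
    return strlen(pem) + 1;
}

/* Constructed sample: PEM framing only, not a real certificate. */
static const char sample_pem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleNOTAREALCERT\n"
    "-----END CERTIFICATE-----\n";

int main(void)
{
    const unsigned char *buf = (const unsigned char *)sample_pem;
    size_t without_nul = strlen(sample_pem);                 /* what a bare strlen gives */
    size_t with_nul = pem_size_for_network_context(sample_pem);

    printf("len %zu -> %s\n", without_nul,
           classify_like_mbedtls(buf, without_nul) == CERT_PEM ? "PEM" : "DER attempt (-0x2180)");
    printf("len %zu -> %s\n", with_nul,
           classify_like_mbedtls(buf, with_nul) == CERT_PEM ? "PEM" : "DER attempt (-0x2180)");
    return 0;
}
```

The same rule applies to the private key and the root CA: a PEM buffer read back from NVS or a file must both carry its NUL terminator in memory and report a length that covers it.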

@amitabhskrishworks

I am using the 202210.01-LTS version and facing the same errors when trying to run the examples/mqtt/tls_mutual_auth example.
Anyone got any kind of solution?
Can anyone of you share the old version which has everything running smoothly?

@zhangkehan

I'm having the same problem when I'm running examples/mqtt/mqtt_demo_mutual_auth under the master branch.
I actually had this problem last year with esp32-c3, but it can run in version 202012.04-LTS.
But since version 202012.04-LTS does not support esp32-s3 with IDF v5.1, now I have to use the master branch.
So the problem remains unsolved?
