OTA suddenly stopped working

Good day.

Problem: OTA suddenly stopped working - the firmware from my site is not being downloaded. This has never happened, and here it is again :frowning:

I use my site to remotely update microcontrollers based on ESP32. I send a link to the firmware file to a specific topic, the controller downloads and updates it. Everything worked fine on Wednesday. On Friday it suddenly stopped. What is the reason - I do not understand. The SSL certificate is installed on the site and has not expired yet. The root certificate is registered on the controller (by the way, it is used to connect to another site and everything works there!). The file is downloaded from the site perfectly fine, and the controller issues this crap:

18:43:42 [I] OTA :: Start of firmware upgrade from "https://kotyara12.ru/ota/village_garage/formware.bin", attempt 1
E (114790662) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700
E (114790662) esp-tls: Failed to open new connection
E (114790662) TRANS_SSL: Failed to open a new connection
E (114790672) esp_https_ota: Failed to open HTTP connection: ESP_ERR_HTTP_CONNECT
E (114790682) esp_https_ota: Failed to establish HTTP connection
18:43:43 [E] OTA :: Firmware upgrade failed: -1!

I have already checked everything 100,500 times. I suspect that espressiff has changed something in esp-tls-mbedtls or esp-tls.

Btw, which OTA tool are you using?

Thank you.
Regards, Ciro.

Shouldn’t it be “firmware.bin”?

No. Just build, then upload the firmware to the site via FTP and send the link to the device. This worked great until Friday.

You are correct, but correcting the letter does nothing. Everything is exactly the same

I am specifying the root certificate for the site as ISRG root X1. It is he who stands at the very top of the certificate chain for my site and some others. So - for other sites everything works fine now. And for OTA, it suddenly stopped.
Error -0x2700 seems to indicate that the CA name in the certificate does not match. Doesn’t match what? Name of my site ??? It shouldn’t! This is the root certificate.
And by the way, the skip_cert_common_name_check = true flag seems to have stopped working in OTA, for some reason

esp_http_client_config_t cfgOTA;
cfgOTA.cert_pem = (char *) ota_pem_start;
cfgOTA.skip_cert_common_name_check = true;

@kotyara12 please, what OTA tool are you using?

I haven’t been successful with any OTA tool I’ve been trying. I’m looking for trying other ones.

Thank you.

I don’t use tools. I upload the firmware to my hosting via FTP and drop the link to the file via MQTT or telegram to the device. This is not difficult.

By the way, I just solved the problem. The problem was really
cfgOTA.skip_cert_common_name_check = true;
After changing to
cfgOTA.skip_cert_common_name_check = false;
everything worked

I guess this will be too hard for me to understand now.

But don’t you use any library?
Isn’t there any docs repository for what you’ve been using?

Thank you.

Of course, I use the library.

  1. ESP-IDF has a ready-made library “esp_https_ota.h”, it contains all the necessary functions.
  2. But for convenience, I wrote my own “wrapper”, which accepts an HTTPS link to the update file as input and tries to download and install it - GitHub - kotyara12/reOTA: OTA update in the context of a specially created task