Tags: ssl, https, openssl, esp32, esp-idf

HTTPS certificates don't work after generation with openssl


I ran the Espressif HTTPS Server example, with the provided certificates. I was able to successfully connect to the server accepting the warning in my browser (as expected).

Then, following the instructions contained in the above README file I issued in the certs folder:

openssl req -newkey rsa:2048 -nodes -keyout prvtkey.pem -x509 -days 3650 -out cacert.pem -subj "/CN=My own certificate"

and uploaded the new firmware to the ESP32. Now, I can't connect anymore. Firefox says:

SEC_ERROR_BAD_SIGNATURE

while Chrome says:

ERR_SSL_PROTOCOL_ERROR

on server side I get the following messages:

E (1059558) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x7780
E (1059558) esp_https_server: esp_tls_create_server_session failed
E (1059558) httpd: httpd_accept_conn: session creation failed
W (1059568) httpd: httpd_server: error accepting new connection

I RTFM'd and followed their instructions. What could prevent the creation of the secure connection with the certificate I generated using openssl?

Both certificates (mine and those provided by Espressif) are equal in length and headers.


Solution

  • After reading the comment of user President James K. Polk, I went deeper into the files generated by openssl and I discovered that the official docs of Espressif are wrong.

    The README reports:

    openssl req -newkey rsa:2048 -nodes -keyout prvtkey.pem -x509 -days 3650 -out cacert.pem -subj "/CN=ESP32 HTTPS server example"
    

    but the CMakeLists.txt of the project contains:

    idf_component_register(SRCS "main.c"
                        INCLUDE_DIRS "."
                        EMBED_TXTFILES "certs/servercert.pem"
                                       "certs/prvtkey.pem")
    

    In fact, the certs directory also contains those files. Hence openssl created cacert.pem instead of servercert.pem.

    The right command to issue is:

    openssl req -newkey rsa:2048 -nodes -keyout prvtkey.pem -x509 -days 3650 -out servercert.pem -subj "/CN=ESP32 HTTPS server example"
    

    This leads to the expected behavior.