Re: [mosquitto-dev] odd TLS errors [SOLVED]

Greg Troxel <gdt@xxxxxxxxxx> writes:

> I am seeing strange SSL errors on connections from a nodemcu sensor:
>
>   1620579609: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error

What was going on was:

  I had a letsencrypt renewal, and now they are providing two chain
  certificates.  One is from Identrust to the letsencrypt root, and the
  next from the letsencrypt root to the letsencrypt R3, which signs the
  end entity cert.  That way if you trust the letsencrypt root, as
  up-to-date systems do, you can validate from that, and if you don't
  and the identrust one isn't expired yet, you can validate from that.

  The combination of 3 certs was kind of big, about 5.5K in the pem
  file.

  nodemcu's TLS implementation is documented to only work if the server
  response fits in a 4K buffer.

  [I changed the chain to be just the identrust to R3, as was in the
  previous cert 9 weeks ago.  I will try just letsencrypt next.]

  Now my nodemcu device works.  Obviously it was crashing and
  restarting, and OpenSSL was getting EOF from the reset on next boot
  and failing on that.  The only maybe bug in OpenSSL is printing the
  wrong error; it probably should have been "peer closed connection
  during negotiation".

My advice to check if your IoT devices are still working stands.
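
A size check for the failure described in this message, as an added example that is not part of the original post: it estimates the TLS 1.2 Certificate handshake message for a PEM chain and compares it with the 4K buffer mentioned above. The function names, the sample certificate sizes, and using the Certificate message alone as the measure (the server sends other handshake messages too) are assumptions; the sample bundles are constructed random bytes, not real certificates.

```python
import base64
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def der_sizes(pem_text):
    """Return the DER length in bytes of each certificate in a PEM bundle."""
    return [len(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(pem_text)]

def certificate_message_size(sizes):
    """TLS 1.2 Certificate message: 4-byte handshake header, 3-byte list
    length, then a 3-byte length prefix in front of each DER certificate."""
    return 4 + 3 + sum(3 + n for n in sizes)

def check_chain(pem_text, limit=4096):
    """Summarise a chain and say whether it fits the client's buffer (assumed limit)."""
    sizes = der_sizes(pem_text)
    total = certificate_message_size(sizes)
    return {"certs": len(sizes), "der_sizes": sizes,
            "wire_bytes": total, "fits": total <= limit}

def fake_pem(n_bytes):
    """Constructed stand-in: random bytes wrapped as PEM, not a real certificate."""
    b64 = base64.b64encode(os.urandom(n_bytes)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sizes chosen to resemble a leaf plus one or two chain certificates.
THREE_CERTS = fake_pem(1300) + fake_pem(1400) + fake_pem(1500)
TWO_CERTS = fake_pem(1300) + fake_pem(1400)

if __name__ == "__main__":
    for name, bundle in (("three certs", THREE_CERTS), ("two certs", TWO_CERTS)):
        r = check_chain(bundle)
        # PEM is base64, so the file is roughly a third larger than the wire size.
        print(f"{name}: {len(bundle)} PEM bytes -> {r['wire_bytes']} wire bytes, "
              f"fits 4096: {r['fits']}")
```

To check a real deployment, pass the contents of the chain file the broker serves to `check_chain` in place of the constructed bundles.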
