TLS-Chain with letsencrypt #159
Hi everyone and thanks for the cool project, I will receive a NOAH 2000 in the next week and today prepared my existing mosquitto-container with traefik to support mqtts. This works flawlessly as I can verify with MQTTX from my desktop. Now I stumbled upon https://github.com/robertzaage/GroBro/blob/main/CERTIFICATES.md and wonder why there is the tutorial for extending the chain from letsencrypt (which contains my cert and the intermediate CA) to a full chain by adding the root CA, when it also lists "ISRG Root X1" and "ISRG Root X2" as "Supported Root Certificates"? Were these two root CAs added as "supported by Growatt" after this tutorial was written? Or is the list of supported root CAs simply wrong? Thanks and regards, Florian
Replies: 1 comment 1 reply
Good question! 😊 The root CAs are trusted by the device - the list is correct.

The issue is how TLS chain verification works on Growatt devices. Most TLS clients (like browsers) can complete a partial chain on their own if they already have the root CA in their trust store. The Growatt dataloggers (ESP32-based) don't do this. We observed that they need the server to present the entire chain during the TLS handshake - from your certificate through the intermediate all the way to the root.
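A way to check whether the bundle a broker serves already ends in a self-signed root, as the reply above requires. This is an added example, not code from this thread or from the GroBro project. It compares issuer and subject names only and does not verify signatures; the function names, file names and certificate names are constructed for the demo, and it assumes the `openssl` CLI is installed.

```sh
#!/bin/sh
# Added example. Checks bundle shape by name chaining only; signatures are not verified.

# Prints full (leaf..self-signed root), partial (stops below the root),
# broken (wrong order) or empty (no certificates).
chain_shape() {
  work=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
  awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  n=$(ls "$work" | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then rm -rf "$work"; echo empty; return 0; fi
  shape=full i=1
  while [ "$i" -le "$n" ]; do
    subj=$(openssl x509 -in "$work/$i.pem" -noout -subject -nameopt RFC2253)
    issr=$(openssl x509 -in "$work/$i.pem" -noout -issuer -nameopt RFC2253)
    subj=${subj#subject=} issr=${issr#issuer=}
    # Each certificate must be issued by the one that follows it in the file.
    if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subj" ]; then shape=broken; fi
    prev_issuer=$issr i=$((i + 1))
  done
  # A root is self-signed: its issuer name equals its subject name.
  if [ "$shape" = full ] && [ "$subj" != "$issr" ]; then shape=partial; fi
  rm -rf "$work"
  echo "$shape"
}

# Constructed throwaway chain for the demo; all names here are made up.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mqtt.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_chain "$demo"
# Leaf + intermediate, as in the question, versus the same bundle with the root appended.
cat "$demo/leaf.pem" "$demo/int.pem" > "$demo/fullchain.pem"
cat "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem" > "$demo/with-root.pem"
echo "fullchain.pem: $(chain_shape "$demo/fullchain.pem")"
echo "with-root.pem: $(chain_shape "$demo/with-root.pem")"
```

A `partial` result for the file the broker or reverse proxy is configured to serve means the handshake will carry only the leaf and intermediate, which per the reply is not enough for the dataloggers.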