Posted (edited)

We have experienced a nasty bug on the Shelly Plus 1PM with FW versions 1.3.1 or 1.3.2 that prevents the Shelly from registering with the MQTT broker due to problems with the SSL certificate.

The behavior is: the device tries to connect to the MQTT broker, fails to do so, and resets itself. Then the same again, in an infinite loop. You can see them connecting to and disconnecting from the WiFi in a loop because of these resets. The problem is that this interrupts the switch, so the device being controlled (On/Off) by the Shelly powers down on each reset cycle.

Note that previous FW 1.3.0 and next FW 1.3.3 both work OK.

And even the nasty ones, 1.3.1 and 1.3.2, were previously working OK in our case, until one day the broker certificate was updated, and Booom!!!, seemingly due to a change in the SSL certificate format (more bits or something like that in a more modern certificate).

Updating the affected devices to FW 1.3.3 solves the issue. Sadly, we have a lot of them in the field that have totally lost connectivity because of this. We are going to try to update the broker SSL certificate to an older format to see if they recover connectivity.

NOTE: I could see no explicit mention of this problem as "fixed" in the changelog for FW 1.3.3, but it was indeed fixed in this version.

Edited by Alejandro
Posted

Replying to myself with an update:

I have seen a note in the changelog for FW 1.3.3 that may be relevant:

https://shelly-api-docs.shelly.cloud/gen2/changelog/

  • shelly_cloud.pem: Add roots for popular cloud service provider

This may have something to do with the fact that 1.3.3 solves the issue.

Also, I have just noticed that on a Shelly with the affected version 1.3.1, if I change the MQTT setting from "DefaultTLS" (with which it cannot connect to MQTT) to "TLS no validation", it can now connect without updating the firmware.

Posted (edited)

UPDATE:

Solved. The bug is that FW 1.3.1 and 1.3.2 do not work with SSL certificates of type ECDSA (256-bit elliptic).

Let's Encrypt started issuing those certificates from a certain date, and the default certbot config obtains that type.

I have changed my certbot script to explicitly ask for an RSA 4096 certificate type, adding these command line flags:

--rsa-key-size 4096  --key-type rsa

I regenerated the certificate, restarted the Mosquitto MQTT broker and Voilà!!! my Shellys have recovered connectivity 🙂

Edited by Alejandro
