
ESP32 OTA via HTTPS Certificate Fails

DodaTech Updated 2026-06-26 1 min read

This tutorial explains why an ESP32 OTA update over HTTPS fails with certificate errors, shows the insecure shortcut and the correct fix side by side, and lists the practices that keep the update channel verified.

The Problem

ESP32 OTA update from HTTPS server fails due to SSL certificate errors.

Quick Fix

Wrong

```cpp
WiFiClientSecure client;
client.setInsecure();  // Vulnerable to MITM
```

The OTA succeeds but is insecure: with certificate checking disabled, anyone on the network path can intercept the download and substitute their own firmware.

Right

```cpp
#include <WiFiClientSecure.h>
#include <HTTPClient.h>
#include <Update.h>

// rootCA: PEM string of the CA certificate that signed the server's certificate
WiFiClientSecure client;
client.setCACert(rootCA);
HTTPClient http;
http.begin(client, "https://ota.example.com/firmware.bin");
int code = http.GET();                          // TLS handshake and certificate check happen here
if (code == 200) {
  int size = http.getSize();                    // -1 if the server sent no Content-Length
  if (size > 0 && Update.begin(size)) {
    size_t written = Update.writeStream(http.getStream());
    if (written == (size_t)size && Update.end()) {
      Serial.println("Secure OTA complete");
    } else {
      Serial.println(Update.errorString());     // partial image is discarded, old firmware stays
    }
  }
}
http.end();
```

Output:

```text
Secure OTA complete
```

(Firmware downloaded over a verified TLS connection)

Prevention

Use setCACert() with the CA certificate that signed the server's certificate. Set the RTC via NTP before the TLS handshake; a freshly booted ESP32 thinks it is 1970, so every certificate fails the validity-period check until the clock is set. Use Let's Encrypt for free trusted certificates. Verify the certificate fingerprint for extra security. If the image fails verification, abort the update so the current firmware stays bootable.
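The complete sketch below ties these steps together: NTP sync before the handshake, a pinned root CA instead of setInsecure(), a size check on the download, and an abort that leaves the running firmware in place if anything fails. It is an added example, not code from the article; the Wi-Fi credentials, NTP servers, epoch threshold and the ROOT_CA placeholder are assumptions you must replace, while the URL is the one used in the article.

```arduino
#include <WiFi.h>
#include <WiFiClientSecure.h>
#include <HTTPClient.h>
#include <Update.h>
#include <time.h>

// Assumed values: your network credentials, the OTA URL from the article,
// and a placeholder where the server's PEM root CA must be pasted.
static const char* WIFI_SSID = "your-ssid";
static const char* WIFI_PASS = "your-password";
static const char* OTA_URL   = "https://ota.example.com/firmware.bin";
static const char  ROOT_CA[] =
  "-----BEGIN CERTIFICATE-----\n"
  "PLACEHOLDER_PASTE_ROOT_CA_PEM_BODY_HERE\n"
  "-----END CERTIFICATE-----\n";

// Any epoch time below this is treated as "clock never set" (constructed
// threshold, 2023-11-14). A fresh ESP32 boots at 1970, and mbedTLS then
// rejects every certificate as not yet valid.
static const time_t MIN_VALID_EPOCH = 1700000000;

// Set the RTC from NTP before the TLS handshake. Returns false on timeout.
static bool syncClock(uint32_t timeoutMs = 15000) {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");  // assumed NTP servers
  uint32_t start = millis();
  while (time(nullptr) < MIN_VALID_EPOCH) {
    if (millis() - start > timeoutMs) return false;
    delay(200);
  }
  return true;
}

// Fetch and flash firmware over a CA-verified TLS connection.
// Returns true only if the complete image was written and accepted.
static bool secureOta() {
  WiFiClientSecure client;
  client.setCACert(ROOT_CA);  // pin the trust anchor instead of setInsecure()

  HTTPClient http;
  if (!http.begin(client, OTA_URL)) {
    Serial.println("Bad OTA URL");
    return false;
  }

  int code = http.GET();  // TLS handshake and certificate check happen here
  if (code != HTTP_CODE_OK) {
    Serial.printf("GET failed: %d %s\n", code, http.errorToString(code).c_str());
    http.end();
    return false;
  }

  int size = http.getSize();  // -1 when the server sends no Content-Length
  if (size <= 0 || !Update.begin(size)) {
    Serial.printf("Cannot start update: %s\n", Update.errorString());
    http.end();
    return false;
  }

  size_t written = Update.writeStream(http.getStream());
  bool ok = (written == (size_t)size) && Update.end() && Update.isFinished();
  http.end();

  if (!ok) {
    // Truncated download or failed image check: discard the partial image.
    // The boot partition is untouched, so the current firmware keeps running.
    Serial.printf("OTA failed after %u bytes: %s\n", (unsigned)written, Update.errorString());
    Update.abort();
    return false;
  }
  Serial.println("Secure OTA complete");
  return true;
}

void setup() {
  Serial.begin(115200);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) delay(500);

  if (!syncClock()) {
    Serial.println("NTP sync failed; skipping OTA rather than disabling verification");
    return;
  }
  if (secureOta()) {
    ESP.restart();  // boot into the newly written partition
  }
}

void loop() {}
```

The important design choice is in setup(): when the clock cannot be set, the sketch skips the update instead of falling back to setInsecure(). A missed update is recoverable on the next boot; a firmware image accepted from an unverified server is not.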

DodaTech engineers apply these same patterns across Doda Browser, DodaZIP, and Durga Antivirus Pro for production IoT reliability.

FAQ

### Can I use mTLS for OTA?

Yes. Use client.setCertificate(clientCert) and client.setPrivateKey(privKey) for mutual TLS authentication.

### Why does HTTPS OTA fail at TLS handshake?

The clock is not set (so the certificate validity check fails), the CA certificate is missing or does not match the server's chain, or the server only offers a cipher suite or TLS version that the ESP32's mbedTLS build does not support.

### How do I get the CA certificate?

Download it from the CA or extract the chain the server sends with: openssl s_client -connect host:443 -showcerts. Note that servers usually send only the leaf and intermediate certificates, not the root; pin the root (for Let's Encrypt, ISRG Root X1) rather than an intermediate, because intermediates are rotated more often and a pinned intermediate would break OTA when the server's chain changes.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro