![\"ESP8266](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/ESP8266-HTTPS-Requests.jpg?resize=1200%2C675&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nWe have a similar tutorial for the ESP32 board:<\/p>\n\n\n\n
- ESP32 HTTPS Requests<\/a><\/li><\/ul>\n\n\n\n
Table of Contents<\/strong><\/p>\n\n\n\n
Throughout this article, we’ll cover the following subjects:<\/p>\n\n\n\n
- What is HTTPS?<\/a>
- Why do you need HTTPS with the ESP8266?<\/a><\/li><\/ul><\/li>
- SSL\/TLS Certificates<\/a>
- Certificate Chain<\/a><\/li>
- Certificates Expiration Date<\/a><\/li><\/ul><\/li>
- Getting a Server’s Certificate using Google Chrome<\/a><\/li>
- HTTPS Requests with the ESP8266<\/a>
- ESP8266 HTTPS Requests – No certificate<\/a><\/li>
- ESP8266 HTTPS Requests – Fingerprint<\/a><\/li>
- ESP8266 HTTPS Requests – Root Certificate<\/a><\/li>
- ESP8266 HTTPS Requests – Root Store<\/a><\/li><\/ul><\/li><\/ul>\n\n\n\n
Introduction<\/h2>\n\n\n\n
To understand how to make HTTPS requests with the ESP8266, it’s better to be familiar with some fundamental concepts that we’ll explain next. We also recommend taking a look at the following article:<\/p>\n\n\n\n
- ESP32\/ESP8266 with HTTPS and SSL\/TLS Encryption: Basic Concepts<\/a><\/li><\/ul>\n\n\n\n
What is HTTPS?<\/h3>\n\n\n\n
HTTPS is the secure version of the HTTP protocol, hence the \u201cS\u201d, which stands for secure.<\/p>\n\n\n\n
HTTP is a protocol to transfer data over the internet. When that data is encrypted with SSL\/TLS, it\u2019s called HTTPS.<\/p>\n\n\n
\n![\"HTTP](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/HTTP-vs-HTTPS.png?resize=750%2C500&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nTo simplify, HTTPS is just the HTTP protocol but with encrypted data using SSL\/TLS.<\/p>\n\n\n\n
Why do you need HTTPS with the ESP8266?<\/h3>\n\n\n\n
Using HTTPS ensures the following:<\/p>\n\n\n\n
1) Encryption<\/strong>: all traffic between the ESP8266 and a server will be encrypted\u2014no one can spy on your requests and passwords, they will only see gibberish.<\/p>\n\n\n
\n![\"ESP8266](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/ESP8266-HTTPS-Encrypted-Communication_ESP8266-encryption-with-server.png?resize=750%2C308&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nWhen using the ESP8266 libraries to make HTTPS requests, they take care of encryption and decryption of the messages.<\/p>\n\n\n\n
2) Server trust (identification):<\/strong> when using HTTPS, via TLS\/SSL certificates, you ensure you are connected to the server you would expect\u2014this means, you always know to who you are connected to.<\/p>\n\n\n
\n![\"SSL\/TLS](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/SSL-TLS-certificate_SSL-certificate.png?resize=472%2C163&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nTo make sure we are connected to the right server, we need to check the server certificate on the ESP8266 or the server fingerprint. This means we need to download the server certificate or fingerprint and hard code it on our sketch so that we can check if we’re actually connected to the server we are expecting.<\/p>\n\n\n\n
TLS\/SSL Certificates<\/h3>\n\n\n\n
SSL certificates are issued by legitimate Certificate Authorities<\/strong>. One of the most known is LetsEncrypt. Certificate Authorities confirm the identity of the certificate owner and provide proof that the certificate is valid. The certificate also contains the server’s public key for asymmetrically encrypted communication with a client.<\/p>\n\n\n
\n![\"TLS](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/TLS-SSL-Certificate-Public-Key.png?resize=351%2C163&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nWhen a Certificate Authority issues a certificate, it signs the certificate with its root certificate. This root certificate should be on the database of trusted certificates called a root store<\/strong>. Your browser and the operating system contain a database of root certificates that they can trust (root store). The following screenshot shows some of the trusted root certificates.<\/p>\n\n\n
\n![\"trusted](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/trusted-root-certificates.png?resize=505%2C467&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nSo, when you connect to a website using your browser, it checks if its certificate was signed by a root certificate that belongs to its root store. New root certificates are added or deleted to the root store with each browser update.<\/p>\n\n\n
\n![\"client](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/HTTPS-browser-valid-certificate.png?resize=750%2C468&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nWhen you’re using an ESP8266, you need to upload the certificates that you trust to your board. Usually, you’ll add only the certificate for the server you’ll want to connect to. <\/p>\n\n\n
\n![\"ESP8266](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/ESP8266-check-server-certificate_ESP8266-check-server-certificate.png?resize=750%2C354&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nBut, it’s also possible to upload a root store to your board to have more options, and don’t have to worry about searching for a specific website’s certificate.<\/p>\n\n\n\n
Certificate Chain<\/h3>\n\n\n\n
An SSL certificate is part of an SSL certificate chain. What is a certificate chain?<\/strong><\/p>\n\n\n\n
A certificate chain includes the following:<\/p>\n\n\n\n
- root certificate (from a Certificate Authority);<\/li>
- one or more intermediate certificates;<\/li>
- the server certificate.<\/li><\/ul>\n\n\n\n
The server certificate is what makes your browser show a secure padlock icon when you visit a website. It means the server has a valid<\/strong> SSL\/TLS certificate and all the connections with the website are encrypted. A valid SSL\/TLS certificate is a certificate trusted by your browser. What makes it trustable?<\/p>\n\n\n\n
As we’ve mentioned previously, SSL\/TLS certificates are issued by Certificate Authorities. However, these authorities don’t issue certificates directly to websites. They use intermediates that will issue the server certificate (Certificate Authority<\/strong> > intermediate certificate<\/strong> > server certificate<\/strong>). The following screenshot shows an example for the Github website. You can see the certificate hierarchy highlighted with a red rectangle.<\/p>\n\n\n
\n![\"SSL](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/certificate-hierarchy-github.png?resize=546%2C669&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nYour browser checks this certificate chain until it finds the root certificate. If that certificate is in the browser’s root store, then it considers the certificate to be valid. In this case, the DigiCert Global Root CA is in the browser’s root store. So, it will display the “secure” icon on the browser bar.<\/p>\n\n\n
\n![\"github](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/github-secure-icon.png?resize=456%2C134&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nThe following diagram shows a high-level overview of how it works.<\/p>\n\n\n
\n![\"certificate](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/12\/certificate-chain-f_certificate-chain.png?resize=750%2C395&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nIn summary:<\/strong><\/p>\n\n\n\n
- root certificate<\/strong>: it’s a self-signed certificate issued by a Certificate Authority. The private key of this certificate is used to sign the next certificate in the hierarchy of certificates. Root certificates are loaded in the trust stores of browsers and operating systems.<\/li><\/ul>\n\n\n\n
- intermediate certificate<\/strong>: it’s signed by the private key of the root certificate. The public key of the intermediate certificate is the one that signs the server certificate. There can be more than one intermediate certificate.<\/li><\/ul>\n\n\n\n
- server certificate<\/strong>: this certificate is issued to a specific domain name on a server. It’s signed by the intermediate certificate public key. If it is valid (trustable certificate chain), the browser displays a secure padlock badge on the search bar next to the website domain.<\/li><\/ul>\n\n\n\n
With the ESP8266, to check the validity of a server, you can load any of those certificates: root, intermediate, or server certificate. Instead of the certificate, you can also check the certificate fingerprint. The fingerprint is a hash of the certificate (a unique identifier of the certificate generated from the certificate information).<\/p>\n\n\n\n
Certificates Expiration Date<\/h3>\n\n\n\n
SSL\/TLS certificates have an expiry date. You can check on a browser the expiry date of the certificate for a particular server. The server’s certificate usually has a short-term validity and the fingerprint validity is even shorter.<\/p>\n\n\n\n
So, if you want to use them in your ESP8266 projects, you’ll need to update your code quite frequently. If you want your code to run for years without worrying, you can use the website’s root certificate, which usually has a validity of five to ten years or more. However, using the fingerprint might be useful for testing purposes or might be a good option depending on the application.<\/p>\n\n\n\n
Getting a Server’s Certificate<\/h2>\n\n\n\n
There are different ways to get the server’s certificate. One of the easiest ways is to download the certificate directly from your browser. You can also use OpenSSL <\/a>and get all the certificate information you need using the command line (we won’t cover this method in this tutorial). <\/p>\n\n\n\n
In this section, you’ll learn how to get the server’s certificate. We’ll generally use the root certificate, but you can use any of the other certificates on the certificate chain\u2014you just need to be aware of the certificate expiry date.<\/p>\n\n\n\n
Getting a Server’s Certificate using Google Chrome<\/h3>\n\n\n\n
In this section, we’ll show you how to get the certificate for a server using Google Chrome (that’s the web browser we use more often). Instructions for other web browsers should be similar.<\/p>\n\n\n\n
The examples we’ll use later show how to make an HTTPS request to the howmyssl.com website. So, for demonstration purposes, we’ll show you how to get its root certificate. It is similar for other websites.<\/p>\n\n\n\n
How to Get Websites’s Certificate using Google Chrome?<\/strong><\/p>\n\n\n\n
- Go to the website that you want to get the certificate for.<\/li><\/ol>\n\n\n\n
- Click on the padlock icon and then click on Show connection details<\/strong>.<\/li><\/ol>\n\n\n\n
![\"Google](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/google-chrome-get-website-certificate-1.png?resize=719%2C372&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\n- Then, click on Show certificate<\/strong>.<\/li><\/ol>\n\n\n\n
![\"Google](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/google-chrome-get-website-certificate-2.png?resize=719%2C372&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\n- A new window will open with all the information about the website’s certificate. Click on the Details<\/strong> tab, make sure you select the root certificate (that’s what we’re looking for in this example), then click on Export…<\/strong><\/li><\/ol>\n\n\n\n
![\"Google](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/google-chrome-get-website-certificate-3.png?resize=546%2C668&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\n- Select a place on your computer to save the certificate. Save it on the default format: Base64-encoded ASCII, single certificate (*.pem, .crt)<\/span>. And that’s it. <\/li><\/ol>\n\n\n\n
You can double-click on the certificate file to check its details, including the expiration date.<\/p>\n\n\n
\n![\"Google](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/certificate-information.png?resize=405%2C515&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nOpen the certificate using Notepad or other similar software. You should get something similar as shown below.<\/p>\n\n\n
\n![\"SSL](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/root-certificate-notepad.png?resize=615%2C805&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nHow to Get a Website’s Fingerprint using Google Chrome?<\/strong><\/p>\n\n\n\n
Getting a website’s certificate fingerprint is straightforward. Follow the next instructions:<\/p>\n\n\n\n
- Go to the website that you want to get the fingerprint.<\/li><\/ol>\n\n\n\n
- Click on the padlock icon and then click on Show connection details<\/strong>.<\/li><\/ol>\n\n\n\n<\/figure><\/div>\n\n\n
- Then, click on Show certificate<\/strong>.<\/li><\/ol>\n\n\n\n<\/figure><\/div>\n\n\n
- A new window will open with all the information about the website’s certificate, including the fingerprints. For the ESP8266 examples, you’ll use the SHA-1 fingerprint.<\/li><\/ol>\n\n\n\n
![\"website](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/website-fingerprint-example.png?resize=547%2C668&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nHTTPS Requests with the ESP8266 NodeMCU<\/h2>\n\n\n\n
Now that you know all the major important aspects of certificates and how to get a server’s certificate, let’s finally take a look at how to make HTTPS requests with the ESP8266 using the Arduino core. We’ll cover different methods: without a certificate, with the website fingerprint, and with the server’s root certificate.<\/p>\n\n\n
\n![\"HTTPS](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/ESP8266-HTTPS-Requests.png?resize=750%2C320&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nYou can find different examples showing how to make HTTPS requests with the ESP8266 in the Arduino IDE examples section.<\/p>\n\n\n\n
- Basic HTTPS Client (ESP8266HTTPClient<\/span> library): File <\/strong>> Examples<\/strong> > ESP8266HTTPClient <\/strong>> BasicHTTPSClient<\/a><\/strong><\/li>
- Basic HTTPS Client (WiFiClientSecure<\/span> library): File <\/strong>> Examples <\/strong>> ESP8266WiFi <\/strong>> HTTPSRequest <\/a><\/strong><\/li><\/ul>\n\n\n\n
You\u2019ll need to update the certificates and fingerprints to make the examples work. We created several examples based on those. All examples presented make a request to the www.howsmyssl.com\/a\/check<\/a> website. It returns some information regarding how secure the HTTPS connection is. Let’s take a look at them.<\/p>\n\n\n\n
ESP8266 NodeMCU HTTPS Requests – No Certificate<\/h3>\n\n\n\n
You can make HTTPS requests with the ESP8266 without a certificate and without a fingerprint. The connection will be encrypted, but you’ll skip the SSL server certificate verification. This means that you won’t be sure if the server you’re connected to is really who it claims to be. This situation is useful for testing purposes or to make HTTPS requests to local servers inside your network.<\/p>\n\n\n\n
The following code was based on the BasicHttpsClient example<\/a>.<\/p>\n\n\n\n
To test the code, simply insert your network credentials and upload the code to your board.<\/p>\n\n\n
\/*\r\n Complete project details: https:\/\/RandomNerdTutorials.com\/esp8266-nodemcu-https-requests\/ \r\n Based on the BasicHTTPSClient.ino Created on: 20.08.2018 (ESP8266 examples)\r\n*\/\r\n\r\n#include <Arduino.h>\r\n#include <ESP8266WiFi.h>\r\n#include <ESP8266HTTPClient.h>\r\n#include <WiFiClientSecureBearSSL.h>\r\n\r\n\/\/ Replace with your network credentials\r\nconst char* ssid = "REPLACE_WITH_YOUR_SSID";\r\nconst char* password = "REPLACE_WITH_YOUR_PASSWORD";\r\n\r\nvoid setup() {\r\n Serial.begin(115200);\r\n \/\/Serial.setDebugOutput(true);\r\n\r\n Serial.println();\r\n Serial.println();\r\n Serial.println();\r\n\r\n \/\/Connect to Wi-Fi\r\n WiFi.mode(WIFI_STA);\r\n WiFi.begin(ssid, password);\r\n Serial.print("Connecting to WiFi ..");\r\n while (WiFi.status() != WL_CONNECTED) {\r\n Serial.print('.');\r\n delay(1000);\r\n }\r\n}\r\n\r\nvoid loop() {\r\n \/\/ wait for WiFi connection\r\n if ((WiFi.status() == WL_CONNECTED)) {\r\n\r\n std::unique_ptr<BearSSL::WiFiClientSecure>client(new BearSSL::WiFiClientSecure);\r\n\r\n \/\/ Ignore SSL certificate validation\r\n client->setInsecure();\r\n \r\n \/\/create an HTTPClient instance\r\n HTTPClient https;\r\n \r\n \/\/Initializing an HTTPS communication using the secure client\r\n Serial.print("[HTTPS] begin...\\n");\r\n if (https.begin(*client, "https:\/\/www.howsmyssl.com\/a\/check")) { \/\/ HTTPS\r\n Serial.print("[HTTPS] GET...\\n");\r\n \/\/ start connection and send HTTP header\r\n int httpCode = https.GET();\r\n \/\/ httpCode will be negative on error\r\n if (httpCode > 0) {\r\n \/\/ HTTP header has been send and Server response header has been handled\r\n Serial.printf("[HTTPS] GET... code: %d\\n", httpCode);\r\n \/\/ file found at server\r\n if (httpCode == HTTP_CODE_OK || httpCode == HTTP_CODE_MOVED_PERMANENTLY) {\r\n String payload = https.getString();\r\n Serial.println(payload);\r\n }\r\n } else {\r\n Serial.printf("[HTTPS] GET... failed, error: %s\\n", https.errorToString(httpCode).c_str());\r\n }\r\n\r\n https.end();\r\n } else {\r\n Serial.printf("[HTTPS] Unable to connect\\n");\r\n }\r\n }\r\n Serial.println();\r\n Serial.println("Waiting 2min before the next round...");\r\n delay(120000);\r\n}\r\n<\/code><\/pre>\n\tView raw code<\/a><\/p>\n\n\n\n
How does the Code Work?<\/h4>\n\n\n\n
First, you need to include the required libraries. You need the WiFiClientSecureBearSSL<\/span> library to make HTTPS requests.<\/p>\n\n\n\n
#include <Arduino.h>\n#include <ESP8266WiFi.h>\n#include <ESP8266HTTPClient.h>\n#include <WiFiClientSecureBearSSL.h><\/code><\/pre>\n\n\n\nInsert your network credentials in the following lines.<\/p>\n\n\n\n
\/\/ Replace with your network credentials\nconst char* ssid = \"REPLACE_WITH_YOUR_SSID\";\nconst char* password = \"REPLACE_WITH_YOUR_PASSWORD\";<\/code><\/pre>\n\n\n\nIn the setup()<\/span>, initialize the Serial Monitor and connect the board to your Wi-Fi network.<\/p>\n\n\n\n
void setup() {\n Serial.begin(115200);\n \/\/ Serial.setDebugOutput(true);\n\n Serial.println();\n Serial.println();\n Serial.println();\n\n \/\/Connect to Wi-Fi\n WiFi.mode(WIFI_STA);\n WiFi.begin(ssid, password);\n Serial.print(\"Connecting to WiFi ..\");\n while (WiFi.status() != WL_CONNECTED) {\n Serial.print('.');\n delay(1000);\n }\n<\/code><\/pre>\n\n\n\nThe following line creates a new WiFiClientSecure<\/span> instance called client<\/span>.<\/p>\n\n\n\n
std::unique_ptr<BearSSL::WiFiClientSecure>client(new BearSSL::WiFiClientSecure);<\/code><\/pre>\n\n\n\nIn case you don’t want to verify the server certificate, use the setInsecure()<\/span> method on the client<\/span>.<\/p>\n\n\n\n
\/\/ Ignore SSL certificate validation\nclient->setInsecure();<\/code><\/pre>\n\n\n\nCreate an HTTPClient<\/span> instance called https<\/span>.<\/p>\n\n\n\n
\/\/create an HTTPClient instance\nHTTPClient https;<\/code><\/pre>\n\n\n\nInitialize the https<\/span> client on the host specified using the begin()<\/span> method. In this case, we’re making a request on the following URL: https:\/\/www.howsmyssl.com\/a\/check<\/span>.<\/p>\n\n\n\n
if (https.begin(*client, \"https:\/\/www.howsmyssl.com\/a\/check\")) { \/\/ HTTPS<\/code><\/pre>\n\n\n\nGet the server response code.<\/p>\n\n\n\n
int httpCode = https.GET();<\/code><\/pre>\n\n\n\nIf the response code is a positive number, it means the connection was established successfully, so we can read the response payload using the getString()<\/span> method on the https<\/span> object. Then, we can print the payload in the Serial Monitor. In a practical application, you can do whatever task you need with the ESP8266 depending on the received payload.<\/p>\n\n\n\n
if (https.begin(*client, \"https:\/\/www.howsmyssl.com\/a\/check\")) { \/\/ HTTPS\n Serial.print(\"[HTTPS] GET...\\n\");\n \/\/ start connection and send HTTP header\n int httpCode = https.GET();\n \/\/ httpCode will be negative on error\n if (httpCode > 0) {\n \/\/ HTTP header has been send and Server response header has been handled\n Serial.printf(\"[HTTPS] GET... code: %d\\n\", httpCode);\n \/\/ file found at server\n if (httpCode == HTTP_CODE_OK || httpCode == HTTP_CODE_MOVED_PERMANENTLY) {\n String payload = https.getString();\n Serial.println(payload);\n }<\/code><\/pre>\n\n\n\nIf the response code is a negative number, it means we have an error. We’ll print the error code.<\/p>\n\n\n\n
else {\n Serial.printf(\"[HTTPS] GET... failed, error: %s\\n\", https.errorToString(httpCode).c_str());\n}<\/code><\/pre>\n\n\n\nFinally, close the HTTPS connection using the end()<\/span> method:<\/p>\n\n\n\n
https.end();<\/code><\/pre>\n\n\n\nThis specific example makes a request every two minutes. You should change it depending on your project requirements.<\/p>\n\n\n\n
Serial.println(\"Waiting 2min before the next round...\");\ndelay(120000);<\/code><\/pre>\n\n\n\nDemonstration<\/h4>\n\n\n\n
After uploading the code, open the Serial Monitor at a baud rate of 115200. Press the on-board RST button to start running the newly uploaded code. <\/p>\n\n\n\n
You should get something similar as shown in the picture below.<\/p>\n\n\n
\n![\"ESP8266](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/ESP8266-HTTPS-Request-Serial-Monitor-1.png?resize=601%2C292&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nYou get the response code 200, which means everything is fine with the request.<\/p>\n\n\n\n
If you scroll to the right, you’ll get the result of how secure the connection is. You should get a “Probably Okay”.<\/p>\n\n\n
\n![\"ESP8266](\"https:\/\/i0.wp.com\/randomnerdtutorials.com\/wp-content\/uploads\/2022\/11\/ESP8266-HTTPS-Request-Serial-Monitor-2.png?resize=601%2C381&quality=100&strip=all&ssl=1\")
<\/figure><\/div>\n\n\nYour connection is still encrypted, but with this example, it will skip SSL verification.<\/p>\n\n\n\n
ESP8266 NodeMCU HTTPS Requests – Fingerprint<\/h3>\n\n\n\n
You can make HTTPS requests with the ESP8266, and check the server authenticity using the server fingerprint. One of the biggest downsides of using a fingerprint is that its validity is usually pretty short. So, you’ll need to update your sketch quite often.<\/p>\n\n\n\n
Here’s an example using server verification with the fingerprint. This example is based on the BasicHttpsClient example<\/a>. Because the fingerprint changes quite often, you may need to modify the code with the website’s current fingerprint\u2014check this section to learn how to get the fingerprint<\/a>.<\/p>\n\n\n
\/*\r\n Complete project details: https:\/\/RandomNerdTutorials.com\/esp8266-nodemcu-https-requests\/\r\n Based on the BasicHTTPSClient.ino Created on: 20.08.2018 (ESP8266 examples)\r\n*\/\r\n\r\n#include <Arduino.h>\r\n#include <ESP8266WiFi.h>\r\n#include <ESP8266HTTPClient.h>\r\n#include <WiFiClientSecureBearSSL.h>\r\n\r\n\/\/ Replace with your network credentials\r\nconst char* ssid = "REPLACE_WITH_YOUR_SSID";\r\nconst char* password = "REPLACE_WITH_YOUR_PASSWORD";\r\n\r\n\/\/ Fingerprint (might need to be updated)\r\nconst uint8_t fingerprint[20] = {0x76, 0x99, 0x2e, 0x6f, 0x04, 0xf4, 0xad, 0x19, 0xba, 0x54, 0xf5, 0x92, 0x50, 0x51, 0x56, 0x2b, 0x86, 0x8b, 0x5a, 0x92};\r\n\r\nvoid setup() {\r\n Serial.begin(115200);\r\n \/\/Serial.setDebugOutput(true);\r\n\r\n Serial.println();\r\n Serial.println();\r\n Serial.println();\r\n\r\n \/\/Connect to Wi-Fi\r\n WiFi.mode(WIFI_STA);\r\n WiFi.begin(ssid, password);\r\n Serial.print("Connecting to WiFi ..");\r\n while (WiFi.status() != WL_CONNECTED) {\r\n Serial.print('.');\r\n delay(1000);\r\n }\r\n}\r\n\r\nvoid loop() {\r\n \/\/ wait for WiFi connection\r\n if ((WiFi.status() == WL_CONNECTED)) {\r\n\r\n std::unique_ptr<BearSSL::WiFiClientSecure>client(new BearSSL::WiFiClientSecure);\r\n\r\n client->setFingerprint(fingerprint);\r\n \/\/ Or, if you happy to ignore the SSL certificate, then use the following line instead:\r\n \/\/ client->setInsecure();\r\n\r\n HTTPClient https;\r\n\r\n Serial.print("[HTTPS] begin...\\n");\r\n if (https.begin(*client, "https:\/\/www.howsmyssl.com\/a\/check")) { \/\/ HTTPS\r\n\r\n Serial.print("[HTTPS] GET...\\n");\r\n \/\/ start connection and send HTTP header\r\n int httpCode = https.GET();\r\n\r\n \/\/ httpCode will be negative on error\r\n if (httpCode > 0) {\r\n \/\/ HTTP header has been send and Server response header has been handled\r\n Serial.printf("[HTTPS] GET... code: %d\\n", httpCode);\r\n\r\n \/\/ file found at server\r\n if (httpCode == HTTP_CODE_OK || httpCode == HTTP_CODE_MOVED_PERMANENTLY) {\r\n String payload = https.getString();\r\n Serial.println(payload);\r\n }\r\n } else {\r\n Serial.printf("[HTTPS] GET... failed, error: %s\\n", https.errorToString(httpCode).c_str());\r\n }\r\n\r\n https.end();\r\n } else {\r\n Serial.printf("[HTTPS] Unable to connect\\n");\r\n }\r\n }\r\n\r\n Serial.println();\r\n Serial.println("Waiting 2min before the next round...");\r\n delay(120000);\r\n}\r\n<\/code><\/pre>\n\tView raw code<\/a><\/p>\n\n\n\n
How does the Code Work?<\/h4>\n\n\n\n
The code in this example is very similar to the previous one but adds the necessary lines to check the server fingerprint. We’ll just take a quick look at the lines relevant for this example. For a more detailed explanation, check the previous example<\/a>.<\/p>\n\n\n\n
First, you need to include the required libraries. You need the WiFiClientSecureBearSSL<\/span> library to make HTTPS requests.<\/p>\n\n\n\n
#include <Arduino.h>\n#include <ESP8266WiFi.h>\n#include <ESP8266HTTPClient.h>\n#include <WiFiClientSecureBearSSL.h><\/code><\/pre>\n\n\n\nInsert your network credentials in the following lines:<\/p>\n\n\n\n
\/\/ Replace with your network credentials\nconst char* ssid = \"REPLACE_WITH_YOUR_SSID\";\nconst char* password = \"REPLACE_WITH_YOUR_PASSWORD\";<\/code><\/pre>\n\n\n\nInsert the server fingerprint in the following line:<\/p>\n\n\n\n
\/\/ Fingerprint for demo URL (might need to be updated)\nconst uint8_t fingerprint[20] = {0x76, 0x99, 0x2e, 0x6f, 0x04, 0xf4, 0xad, 0x19, 0xba, 0x54, 0xf5, 0x92, 0x50, 0x51, 0x56, 0x2b, 0x86, 0x8b, 0x5a, 0x92};<\/code><\/pre>\n\n\n\nIn a previous section, we’ve seen that the fingerprint for the URL we’ll make the request is:<\/p>\n\n\n\n
76 99 2E 6F 04 F4 AD 19 BA 54 F5 92 50 51 56 2B 86 8B 5A 92<\/pre>\n\n\n
\n<\/figure><\/div>\n\n\nSo, you must insert it in your code like this:<\/p>\n\n\n\n
const uint8_t fingerprint[20] = {0x76, 0x99, 0x2e, 0x6f, 0x04, 0xf4, 0xad, 0x19, 0xba, 0x54, 0xf5, 0x92, 0x50, 0x51, 0x56, 0x2b, 0x86, 0x8b, 0x5a, 0x92};<\/code><\/pre>\n\n\n\n - Basic HTTPS Client (WiFiClientSecure<\/span> library): File <\/strong>> Examples <\/strong>> ESP8266WiFi <\/strong>> HTTPSRequest <\/a><\/strong><\/li><\/ul>\n\n\n\n
- Basic HTTPS Client (ESP8266HTTPClient<\/span> library): File <\/strong>> Examples<\/strong> > ESP8266HTTPClient <\/strong>> BasicHTTPSClient<\/a><\/strong><\/li>
- A new window will open with all the information about the website’s certificate, including the fingerprints. For the ESP8266 examples, you’ll use the SHA-1 fingerprint.<\/li><\/ol>\n\n\n
- Then, click on Show certificate<\/strong>.<\/li><\/ol>\n\n\n
- Click on the padlock icon and then click on Show connection details<\/strong>.<\/li><\/ol>\n\n\n
- Go to the website that you want to get the fingerprint.<\/li><\/ol>\n\n\n\n
- Select a place on your computer to save the certificate. Save it on the default format: Base64-encoded ASCII, single certificate (*.pem, .crt)<\/span>. And that’s it. <\/li><\/ol>\n\n\n\n
- A new window will open with all the information about the website’s certificate. Click on the Details<\/strong> tab, make sure you select the root certificate (that’s what we’re looking for in this example), then click on Export…<\/strong><\/li><\/ol>\n\n\n
- Then, click on Show certificate<\/strong>.<\/li><\/ol>\n\n\n
- Click on the padlock icon and then click on Show connection details<\/strong>.<\/li><\/ol>\n\n\n
- Go to the website that you want to get the certificate for.<\/li><\/ol>\n\n\n\n
- server certificate<\/strong>: this certificate is issued to a specific domain name on a server. It’s signed by the intermediate certificate public key. If it is valid (trustable certificate chain), the browser displays a secure padlock badge on the search bar next to the website domain.<\/li><\/ul>\n\n\n\n
- intermediate certificate<\/strong>: it’s signed by the private key of the root certificate. The public key of the intermediate certificate is the one that signs the server certificate. There can be more than one intermediate certificate.<\/li><\/ul>\n\n\n\n
- root certificate<\/strong>: it’s a self-signed certificate issued by a Certificate Authority. The private key of this certificate is used to sign the next certificate in the hierarchy of certificates. Root certificates are loaded in the trust stores of browsers and operating systems.<\/li><\/ul>\n\n\n\n
- ESP8266 HTTPS Requests – Fingerprint<\/a><\/li>
- Certificates Expiration Date<\/a><\/li><\/ul><\/li>
- SSL\/TLS Certificates<\/a>
- Why do you need HTTPS with the ESP8266?<\/a><\/li><\/ul><\/li>
- What is HTTPS?<\/a>