Toradex Easy Installer - SSL Handshake Failure

We have a web server in our company intranet which hosts Tezi images for installation on Colibri iMX6. Some days ago we modified that web server to offer access to all contents through HTTPS instead of HTTP, using an SSL certificate signed by a private root CA.

Now the Toradex Easy Installer running on the Colibri modules fails to load the image list from the web server. Apparently it follows the redirection from HTTP to HTTPS, but then it reports an SSL handshake failure.

Is there any possibility to tell the Toradex Easy Installer that it shall trust our private root CA or that it simply skips the validation of the certificate chain? Preferably by means of a configuration setting in tezi_config.json? Or can I add the root CA certificate to the SD card where tezi_config.json is stored, too?

Dear @jvo, thanks for reaching out with support!

Could you please share with us more details about your issue?

  • Which version of Toradex Easy Installer do you have on your modules?
  • Do you get any error log when you try to check the image list? What’s written with the SSL Handshake?
  • Can you see anything on the serial console while trying to fetch the image list from your server?
  • Is your module connected to the internet or just to your internal network to access the feeds?
  • Which kind of server are you using? Is it a local web server? Is it announced with Zeroconf? Detailed Manual | Toradex Developer Center

Best regards,

Thanks for your reply. These are my answers to your questions:

  • Toradex Easy Installer has version 1.8 (g9bc7d7b), built Oct 19, 2018
  • The displayed error message is: “Error downloading image ist: SSL handshake failed. URL: https:///toradex/image_list.json”
  • There is no additional information printed on the serial console, and I don’t know where to find any relevant logfiles.
  • My modules use only the internal server. The access to public internet sites is switched off in tezi_config.json.
  • The server is a Linux server (Ubuntu 20 LTS) with Apache 2.4.41. It has been configured to redirect all HTTP requests to HTTPS.
  • The server is not announced with zeroconf.

Hello @jvo,
Tezi doesn’t support connecting to servers with self-signed certificates. The idea of having a self-signed certificate kind of defeats the purpose of having https in the first place, unless you are only worried about man-in-the-middle attacks inside your intranet.
Is that the case?

If you cannot use your server as pure http, I would suggest you install a certificate from letsencrypt (https://letsencrypt.org/) on the server. That way you will have properly signed (and free) certificates, but beware that Tezi 1.8 might not accept these either because of this.
In this case you’ll need to test and see if it works.

Best regards,
Rafael

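The failure discussed in this thread can be reproduced offline on a workstation: a TLS client validates the server certificate against its own trust store, so a chain that ends in a private root CA is rejected unless that root is supplied to the client. The script below is an added example, not part of the original thread and not Toradex code; the CA name and host name are constructed, and it assumes the `openssl` CLI (1.1.1 or later) with its default configuration file.

```shell
#!/bin/sh
# Constructed demo: the CA name and host name below are made up for illustration.

# Create a private root CA and a server certificate signed by it in directory $1.
make_demo_pki() {
    dir=$1
    host=tezi-feed.example.internal
    # Self-signed root CA (the default openssl.cnf marks -x509 output as CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 || return 1
    # The private CA signs the request; the SAN carries the host name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/srv.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/srv.crt" >/dev/null 2>&1
}

# Return 0 if certificate $1 chains to a trusted root.
# Without $2 only the system trust store is consulted; $2 adds one extra root.
chain_ok() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
# Same position as a client that was never given the private root.
if chain_ok "$demo/srv.crt"; then
    echo "default trust store: chain accepted"
else
    echo "default trust store: chain rejected"
fi
# Same certificate, with the private root explicitly trusted.
if chain_ok "$demo/srv.crt" "$demo/ca.crt"; then
    echo "with private root: chain accepted"
else
    echo "with private root: chain rejected"
fi
rm -rf "$demo"
```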

Hello Rafael,

Thanks for your explanation. I think I’ll stay with http in that case.

Best regards