Add instructions
parent
9468622c3e
commit
5ea20415d6
1 changed files with 25 additions and 0 deletions
25
README.md
|
@ -1,3 +1,28 @@
|
|||
This firmware is intended to run on a NodeMCU with a relatively recent version of Arduino and its according [ESP8266 core](https://github.com/esp8266/Arduino) with BearSSL support (introduced in 2.4.2).
|
||||
|
||||
It can be used against any server implementing the ESPhttpUpdate-"protocol" from the [Arduino ESP8266 project](https://arduino-esp8266.readthedocs.io/en/latest/ota_updates/readme.html#http-server). This template is developed against the [esp-ota-update-server](https://git.geekify.de/sqozz/esp-ota-update-server) written in python which sits behind an nginx webserver for encryption with TLS1.2.
|
||||
|
||||
It also uses [tzapu’s WiFiManager](https://github.com/tzapu/WiFiManager) to avoid exposing wifi access data in public hosted firmware binaries.
|
||||
|
||||
The CA certificate store needs to be fetched and generated at the inital setup. You can either use [ESP8266 cores script](https://github.com/esp8266/Arduino/blob/945535ae78cad0586e5539f01335ff6bd3e6695f/libraries/ESP8266WiFi/examples/BearSSL_CertStore/certs-from-mozilla.py) to fetch the whole mozilla database (not tested) or create your own store which only trusts certain CAs.
|
||||
For my use, I rely on certificates issues by [https://letsencrypt.org](https://letsencrypt.org). To extract their CA you can use `openssl` against your domain which will host the firmware later on. I use `letsencrypt.org` here as example since it works too:
|
||||
|
||||
```
|
||||
openssl s_client -showcerts -servername letsencrypt.org -connect letsencrypt.org:443 </dev/null
|
||||
```
|
||||
|
||||
Grab the according certificate and paste it into a text file. I used `le_x3_11_2018.pem`.
|
||||
|
||||
```
|
||||
cat le_x3_11_2018.pem | openssl x509 -inform PEM -outform DER -out data/ca_le.der
|
||||
ar q data/certs.ar data/ca_le.der
|
||||
```
|
||||
|
||||
The firmware will check on bootup if at least one CA is uploaded and will report the ammount over serial.
|
||||
The WiFiManger will only start up if a password for its configuration wlan is supplied - again, to avoid leakage over publicly hosted binaries, this password is stored out-of-band in the ESPs SPIFF flash storage and needs to be uploaded over USB once.
|
||||
|
||||
Make sure to not include extra trailing characters since the firmware reads this file byte by byte:
|
||||
|
||||
```
|
||||
echo -n "ChangeMe!2§" | data/config_password.txt
|
||||
```
|
||||
|
|
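Review bot: the final command, `echo -n "ChangeMe!2§" | data/config_password.txt`, pipes into the file instead of redirecting to it, so the password file is never written and the shell tries to execute `data/config_password.txt`. Suggest `printf '%s' 'ChangeMe!2§' > data/config_password.txt`: `printf` avoids the non-portable `echo -n`, and single quotes stop an interactive bash from treating `!2` as history expansion. Since the text says the firmware reads this file byte by byte, it is also worth stating the expected encoding, because `§` is two bytes in UTF-8, or using an ASCII-only sample password. In the CA step, "Grab the according certificate" does not say which certificate from the `-showcerts` output is meant; name the issuing CA certificate rather than the server's own, and recommend checking its fingerprint against the one the CA publishes before it goes into `data/certs.ar`. Spelling to fix while here: "inital", "ammount", "WiFiManger", "certificates issues by".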