Update certificate for https://login.microsoftonline.com, set insecure() option for DISABLECERTCHECK==1

nmtoblum · nmtoblum · commit dae37ca78c05 · 2025-11-09T20:12:01.000+01:00
diff --git a/src/main.cpp b/src/main.cpp
@@ -41,9 +41,9 @@
 #ifndef DISABLECERTCHECK
 // Tool to get certs: https://projects.petrucci.ch/esp32/
 
-// certificate for https://graph.microsoft.com and https://login.microsoftonline.com
+// certificate for https://graph.microsoft.com
 // DigiCert Global Root CA, valid until Mon Sep 23 2030, size: 1761 bytes 
-const char* rootCACertificate = \
+const char* rootCACertificateGraph = \
 "-----BEGIN CERTIFICATE-----\n" \
 "MIIE6DCCA9CgAwIBAgIQAnQuqhfKjiHHF7sf/P0MoDANBgkqhkiG9w0BAQsFADBh\n" \
 "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" \
@@ -75,9 +75,44 @@ const char* rootCACertificate = \
 "-----END CERTIFICATE-----\n" \
 "";
 
-// Use the same cert for login and graph
-const char* rootCACertificateLogin = rootCACertificate;
-const char* rootCACertificateGraph = rootCACertificate;
+// certificate for https://login.microsoftonline.com
+//  1 s:C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 04
+//    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
+const char* rootCACertificateLogin = \
+"-----BEGIN CERTIFICATE-----\n" \
+"MIIFrDCCBJSgAwIBAgIQCfluwpVVXyR0nq8eXc7UnTANBgkqhkiG9w0BAQwFADBh\n" \
+"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" \
+"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n" \
+"MjAeFw0yMzA2MDgwMDAwMDBaFw0yNjA4MjUyMzU5NTlaMF0xCzAJBgNVBAYTAlVT\n" \
+"MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xLjAsBgNVBAMTJU1pY3Jv\n" \
+"c29mdCBBenVyZSBSU0EgVExTIElzc3VpbmcgQ0EgMDQwggIiMA0GCSqGSIb3DQEB\n" \
+"AQUAA4ICDwAwggIKAoICAQDBeUy13eRZ/QC5bN7/IOGxodny7Xm2BFc88d3cca3y\n" \
+"HyyVx1Y60+afY6DAo/2Ls1uzAfbDfMzAVWJazPH4tckaItDv//htEbbNJnAGvZPB\n" \
+"4VqNviwDEmlAWT/MTAmzXfTgWXuUNgRlzZbjoFaPm+t6iJ6HdvDpWQAJbsBUZCga\n" \
+"t257tM28JnAHUTWdiDBn+2z6EGh2DA6BCx04zHDKVSegLY8+5P80Lqze0d6i3T2J\n" \
+"J7rfxCmxUXfCGOv9iQIUZfhv4vCb8hsm/JdNUMiomJhSPa0bi3rda/swuJHCH//d\n" \
+"wz2AGzZRRGdj7Kna4t6ToxK17lAF3Q6Qp368C9cE6JLMj+3UbY3umWCPRA5/Dms4\n" \
+"/wl3GvDEw7HpyKsvRNPpjDZyiFzZGC2HZmGMsrZMT3hxmyQwmz1O3eGYdO5EIq1S\n" \
+"W/vT1yShZTSusqmICQo5gWWRZTwCENekSbVX9qRr77o0pjKtuBMZTGQTixwpT/rg\n" \
+"Ul7Mr4M2nqK55Kovy/kUN1znfPdW/Fj9iCuvPKwKFdyt2RVgxJDvgIF/bNoRkRxh\n" \
+"wVB6qRgs4EiTrNbRoZAHEFF5wRBf9gWn9HeoI66VtdMZvJRH+0/FDWB4/zwxS16n\n" \
+"nADJaVPXh6JHJFYs9p0wZmvct3GNdWrOLRAG2yzbfFZS8fJcX1PYxXXo4By16yGW\n" \
+"hQIDAQABo4IBYjCCAV4wEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUO3DR\n" \
+"U+l2JZ1gqMpmD8abrm9UFmowHwYDVR0jBBgwFoAUTiJUIBiV5uNu5g/6+rkS7QYX\n" \
+"jzkwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD\n" \
+"AjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2lj\n" \
+"ZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29t\n" \
+"L0RpZ2lDZXJ0R2xvYmFsUm9vdEcyLmNydDBCBgNVHR8EOzA5MDegNaAzhjFodHRw\n" \
+"Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxSb290RzIuY3JsMB0G\n" \
+"A1UdIAQWMBQwCAYGZ4EMAQIBMAgGBmeBDAECAjANBgkqhkiG9w0BAQwFAAOCAQEA\n" \
+"o9sJvBNLQSJ1e7VaG3cSZHBz6zjS70A1gVO1pqsmX34BWDPz1TAlOyJiLlA+eUF4\n" \
+"B2OWHd3F//dJJ/3TaCFunjBhZudv3busl7flz42K/BG/eOdlg0kiUf07PCYY5/FK\n" \
+"YTIch51j1moFlBqbglwkdNIVae2tOu0OdX2JiA+bprYcGxa7eayLetvPiA77ynTc\n" \
+"UNMKOqYB41FZHOXe5IXDI5t2RsDM9dMEZv4+cOb9G9qXcgDar1AzPHEt/39335zC\n" \
+"HofQ0QuItCDCDzahWZci9Nn9hb/SvAtPWHZLkLBG6I0iwGxvMwcTTc9Jnb4Flysr\n" \
+"mQlwKsS2MphOoI23Qq3cSA==\n" \
+"-----END CERTIFICATE-----\n" \
+"";
 #endif
 
 
diff --git a/src/request_handler.h b/src/request_handler.h
@@ -23,8 +23,11 @@ boolean requestJsonApi(JsonDocument& doc, String url, String payload = "", size_
 	} else {
 		client->setCACert(rootCACertificateLogin);
 	}
+	#else
+	client->setInsecure();
 	#endif
 
+
 	// HTTPClient
 	HTTPClient https;
 
