Merge pull request #177 from adafruit/6month-ssl-certs

tyeth · web-flow · commit dcd5af987a29 · 2026-04-15T01:24:01.000+01:00
docs(ssl): Update TLS/SSL certificate fingerprint instructions
diff --git a/src/AdafruitIO_Definitions.h b/src/AdafruitIO_Definitions.h
@@ -115,9 +115,13 @@ class AdafruitIOGroupCallback {
 #define AIO_ERROR_TOPIC "/errors"      ///< Adafruit IO Error MQTT Topic
 #define AIO_THROTTLE_TOPIC "/throttle" ///< Adafruit IO Throttle MQTT Topic
 
-// latest fingerprint can be generated with
-// echo | openssl s_client -connect io.adafruit.com:443 | openssl x509
-// -fingerprint -noout
+/* NOTE: io.adafruit.com TLS/SSL certificate changes every 6months, and pinning
+certificates is no longer recommended. Migrate to a larger MCU like ESP32
+which can accomodate root certificates and verify chains of trust.  */
+/* For older devices like ESP8266 you can generate the latest fingerprint with:
+echo | openssl s_client -connect io.adafruit.com:443 | openssl x509 -fingerprint
+-noout
+*/
 #define AIO_SSL_FINGERPRINT                                                    \
   "47 D2 CB 14 DF 38 97 59 C6 65 1A 1F 3E 00 1E 53 CC A5 17 E0" ///< Latest
                                                                 ///< Adafruit IO
diff --git a/src/wifi/AdafruitIO_ESP8266.h b/src/wifi/AdafruitIO_ESP8266.h
@@ -25,12 +25,13 @@
 /* NOTE - Projects that require "Secure MQTT" (TLS/SSL) also require a new
  * SSL certificate every year. If adding Secure MQTT to your ESP8266 project is
  * important  - please switch to using the modern ESP32 (and related models)
- * instead of the ESP8266 to avoid updating the SSL fingerprint every year.
+ * instead of the ESP8266 to avoid updating the SSL fingerprint every 6 months.
  *
  * If you've read through this and still want to use "Secure MQTT" with your
  * ESP8266 project, we've left the "WiFiClientSecure" lines commented out. To
  * use them, uncomment the commented out lines within `AdafruitIO_ESP8266.h` and
- * `AdafruitIO_ESP8266.cpp` and recompile the library.
+ * `AdafruitIO_ESP8266.cpp`, update fingerprint in `AdafruitIO_Definitions.h`,
+ *  and then recompile the library.
  */
 // #include "WiFiClientSecure.h"
 
