TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

Question

Hi Nordic team, 
 I'm using the nRF5340 + nRF7002 to securely connect to my backend over HTTPS using Wi-Fi and the native TLS support (mbedTLS). 
 
 What works:

I can successfully connect to my server using the Let's Encrypt R11 intermediate certificate , provisioned via tls_credential_add(..., TLS_CREDENTIAL_CA_CERTIFICATE, ...) .

The server sends the full certificate chain (leaf + intermediate), and verification succeeds.

What I want (but can't get to work):

I would like to provision only the ISRG Root X1 certificate (the root CA that signs all Let's Encrypt intermediates) to avoid reflashing devices whenever Let's Encrypt rotates intermediates (e.g., R10 to R11 to R14).

However, when I provision only the root certificate, TLS handshake fails , even though the server includes the full chain and the chain validates correctly in OpenSSL.

My assumption: 
 This suggests that mbedTLS (or Zephyr’s TLS socket layer) is not building the full chain from leaf → intermediate → root, and instead only validates the server certificate if its direct issuer is found in the trusted list. 
 
 What I’ve tried:

Provisioning only ISRG Root X1 → TLS fails

Provisioning ISRG Root X1 + R11 together → TLS succeeds (but device remains pinned to R11)

Verified that the server sends a valid full chain (checked via openssl s_client )

Attempted to find a config like CONFIG_MBEDTLS_CERTIFICATE_CHAIN_PARSING , but it doesn’t seem to exist in current NCS

Verified that TLS_PEER_VERIFY is set to REQUIRED

Using TLS_CREDENTIAL_CA_CERTIFICATE with correct sec_tag in both provisioning and socket setup

My goal: 
 I would like to trust only the ISRG Root X1 and have mbedTLS/Zephyr perform proper full-chain validation during handshake, as any standard TLS client would. 
 
 My questions:

Is there an official or recommended way to enable full chain validation in Zephyr on the nRF7002 Wi-Fi platform?

Does Zephyr’s net_tls or tls_credentials system support full certificate chain building?

Is mbedTLS in Zephyr expected to always require the direct issuer (intermediate) to be provisioned?

Would using raw mbedTLS APIs (not Zephyr sockets) resolve this limitation?

Are there any planned improvements to make the TLS client more robust for real-world deployments?

I’m happy to share logs, configuration, or a minimal test project if it helps. I'm trying to establish a long-term certificate provisioning strategy that doesn't break every time Let's Encrypt rotates intermediates. 
 Best regards

Håkon Alseth · Accepted Answer

Hi, 
 
 I downloaded the isrgrootx1 from here: 
 https://letsencrypt.org/certs/isrgrootx1.pem 
 Placed it in the https_client/certs folder. 
 
 This is my modifications to the sample: 
 diff --git a/samples/net/https_client/CMakeLists.txt b/samples/net/https_client/CMakeLists.txt
index 2a937786ed..1de98481a2 100644
--- a/samples/net/https_client/CMakeLists.txt
+++ b/samples/net/https_client/CMakeLists.txt
@@ -14,7 +14,7 @@ set(gen_dir ${CMAKE_CURRENT_BINARY_DIR}/certs)
 zephyr_include_directories(${gen_dir})
 generate_inc_file_for_target(
 app
- cert/DigiCertGlobalG2.pem
+ cert/isrgrootx1.pem
 ${gen_dir}/DigiCertGlobalG2.pem.inc
 )
 
diff --git a/samples/net/https_client/Kconfig b/samples/net/https_client/Kconfig
index 90ad33f42e..f56cd9fc19 100644
--- a/samples/net/https_client/Kconfig
+++ b/samples/net/https_client/Kconfig
@@ -15,7 +15,7 @@ config SAMPLE_TFM_MBEDTLS
 
 config HTTPS_HOSTNAME
 string "HTTPS hostname"
- default "example.com"
+ default "api.eversion.tech"
 
 endmenu
 
diff --git a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
index 9eb362cb16..bf6196291f 100644
--- a/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
+++ b/samples/net/https_client/boards/nrf7002dk_nrf5340_cpuapp_ns.conf
@@ -69,3 +69,11 @@ CONFIG_MBEDTLS_TLS_LIBRARY=y
 CONFIG_TFM_PROFILE_TYPE_SMALL=y
 CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xc000
 CONFIG_PM_PARTITION_SIZE_TFM=0x20000
+CONFIG_PSA_WANT_RSA_KEY_SIZE_4096=y
+
+CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
+CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
+CONFIG_MBEDTLS_PEM_PARSE_C=y
+CONFIG_MBEDTLS_PEM_WRITE_C=y
+CONFIG_MBEDTLS_MPI_MAX_SIZE=2048
+CONFIG_NET_IPV6=n

And log output: 
 *** Booting nRF Connect SDK v2.9.1-60d0d6c8d42d ***
*** Using Zephyr OS v3.7.99-ca954a6216c9 ***
HTTPS client sample started
Bringing network interface up
Provisioning certificate
CA certificate already exists, sec tag: 42
Connecting to the network
[00:00:08.636,047] <inf> wifi_mgmt_ext: Connection requested
Network connectivity established and IP address assigned
Looking up api.eversion.tech
Resolved 194.164.55.211 (AF_INET)
Connecting to api.eversion.tech:443
Sent 67 bytes
Received 165 bytes

> HTTP/1.1 404 Not Found

Finished, closing socket.
Network connectivity lost
Disconnected from the network

Could you try this and see if you are able to connect as well? 
 PS: I have disabled ipv6 on my side due to my router being misconfigured / lacking proper ipv6 support from ISP. 
 
 Kind regards, 
 Håkon

TLS chain validation issue with ISRG Root X1 on nRF7002 using Zephyr

What works:

What I want (but can't get to work):

My assumption:

What I’ve tried:

My goal:

My questions:

Top Replies