Tuya plugs suddenly stopped communicating

[dac2020]

Yesterday, I noticed all my remote (Tuya) plugs were no longer communicating while updating the letsencrypt SSL cert.
I had some locally so I tested and found that if I added a cipher to the broker config then ran SetOption132 1 (Enables fingerprint-based validation), on tasmota, the plugs could communicate with the broker again.

This is what I have in the broker (Mosquitto).

tls_version tlsv1.2
ciphers AES128-SHA:ECDHE-RSA-AES128-SHA

I proceeded to build a new version of tasmota and upgrade the local plugs.

I have two problems.
1: What caused the problem? Did something change in LE certs?
2: There is no way to reach the plugs that aren't local to me as I gave them to friends and family.
They do not have web enabled access either.

I am not sure how long these plugs were no longer communicating. Is there anything I can do on the broker side so that when the plugs are power cycled, maybe they can come back online so I can reach them again and also upgrade to the newer tasmota version.

[s-hadinger]

Letsencrypt CA changed (nothing we can do about it). So you need to update Tasmota to take into account the new CA.
If mqtt is down and web UI is down, I'm afraid your only option is serial

[dac2020]

I guess this confirms what happened, LE CA changed which is what I thought but was not sure.

The remote plugs aren't down, but the web admin is not enabled on them so I can't upgrade them from remote.
Just wondered if there might be a trick I can configure on the broker so that the clients can at least communicate on power cycle. That would give me a chance to remotely access it.

Not sure if there is a way to send the devices an update using the mqtt broker.

More importantly, how do you prevent this kind of thing from happening when a CA changes and plugs are remote?

[sfromis]

If MQTT-TLS does not work, it would be horribly bad security if you could replace security details via MQTT.

If you do not have http access (web browser), you need serial access (as already mentioned), or you could to a "factory reset" to initial Tasmota defaults, and reconfigure.

The only place you could have "tricks" would be on the remote device itself, to do "something" with lesser security if failing to get the regular communication working.

[dac2020]

They all have the non admin web access but I would still need to send them a command to allow web admin access.

There is no important information being exchanged so security is not much of an issue. The devices still need credentials authentication. I could lower security on the broker while monitoring, allowing the devices to reach the broker.
If that could be done, then I could send them the "SetOption132 1" command as a message and maybe even remotely upgrade them. Not sure about the upgrade because I have to use minimum first then my build.

[sfromis]

If you could lower security without doing it on the remote end, it would be fake "security". Having deploying them without a plan for how to handle trouble is no fun after it happened.

It is not Tasmota preventing you from doing something, but the inherent need for both the broker and the device to follow the same security protocol, without back doors.

[dac2020]

I had updated my message above just before yours came in.

Having deploying them without a plan for how to handle trouble is no fun after it happened.

Yes well, we don't all have the same level of experience and we learn from making mistakes so yes, I will try to learn from this so it doesn't happen again.

In the meantime, I still need to find a way to get them back online so I can send them the command so even without much if any security would be fine for a short while since I would be monitoring anyhow.

It is not Tasmota preventing you from doing something, but the inherent need for both the broker and the device
to follow the same security protocol, without back doors.

Indeed but none-the-less, I am looking for a way to recover the devices from remote otherwise, everyone has to send their devices back to me.

[sfromis]

I'm not aware of any back door to gain remote access circumventing the configured security. It would just mean useless "security".

Maybe you could guide "everyone" to do a full reset using normal device recovery features (if you did not cut off that option), and include a pre-prepared Backlog command to reconfigure. Of course, options also depends on what Tasmota image is flashed, and what config options may already be "baked in".