[Ovmsdev] UserTrust/AddTrust/Comodo root CA expiration

Craig Leres leres at xse.com
Sun May 31 08:53:16 HKT 2020


On 2020-05-30 17:44, Mark Webb-Johnson wrote:
> The AddTrust root CA certificate that our api.openvehicles.com is signed
> by has expired (last night). This will impact TLS connections to
> api.openvehicles.com. Our certificate itself is fine (and doesn’t expire
> until Feb 2022), but the root cert it was signed by (via intermediaries)
> has expired.
> 
> Pretty irresponsible for AddTrust/UserTrust/Comodo to sign a certificate
> with a later expiration date than their own CA, imho. Also irresponsible
> for them not to inform the customers. Everybody can be expected to
> monitor their own certificate expiration date, but not that of their
> certificate authority.
> 
> I’ve been up most of the night dealing with fallout from this (in other
> work and customer related systems), so not happy.
> 
> Anyway, I’ve updated the trusted root certificate in edge now, and
> released that. AddTrust has become UserTrust.
> 
> To connect via TLS to api.openvehicles.com now, you will either need to
> firmware update, or manually add the trusted CA to
> /store/trustedca/usertrust.crt (I have attached it here, for convenience).
> 
> I have also taken this opportunity to change the server v2 and v3
> backoff retry times to 60 seconds (was 20 or 30).

We use InCommon certs at work and the intermediate bundle they provided
included two certs that expired (10:48 GMT); this broke any clients
using openssl < 1.1.1. I was able to fix it by removing the expired
certs from the bundle leaving one that is similar to the one you attached.

		Craig

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:20:d0:fa:85:46:1a:7e:17:a1:64:02:91:84:63:74
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Validity
            Not Before: Oct  6 00:00:00 2014 GMT
            Not After : Oct  5 23:59:59 2024 GMT
        Subject: C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
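
The bundle clean-up described in the reply above (removing expired certificates from an intermediate bundle) can be scripted as follows. This is an added example, not code from the thread or from the OVMS project. The function name `prune_bundle` and the optional look-ahead horizon in seconds are assumptions that generalize "already expired" to "expires within N seconds".

```shell
#!/bin/sh
# Added example: prune_bundle is a hypothetical helper, not from the thread.
# Usage: prune_bundle BUNDLE.pem OUT.pem [HORIZON_SECONDS]
# Copies every certificate that is still valid HORIZON_SECONDS from now
# (default 0, i.e. not yet expired) from BUNDLE.pem into OUT.pem.
prune_bundle() {
    bundle=$1; out=$2; horizon=${3:-0}
    tmp=$(mktemp -d) || return 1
    # Split the bundle: one numbered file per BEGIN/END CERTIFICATE block,
    # so the original order is preserved when the files are re-joined.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%04d.pem", d, n); on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/ { on = 0; close(f) }
    ' "$bundle"
    : > "$out"
    kept=0; dropped=0
    for c in "$tmp"/*.pem; do
        [ -e "$c" ] || continue
        # -checkend N exits 0 only if the cert is still valid N seconds from now.
        # A block that openssl cannot parse also fails here and is dropped.
        if openssl x509 -in "$c" -noout -checkend "$horizon" >/dev/null 2>&1; then
            cat "$c" >> "$out"; kept=$((kept + 1))
        else
            echo "dropping: $(openssl x509 -in "$c" -noout -subject -enddate 2>/dev/null | tr '\n' ' ')" >&2
            dropped=$((dropped + 1))
        fi
    done
    rm -rf "$tmp"
    echo "kept=$kept dropped=$dropped" >&2
}

# Run directly as: sh prune_bundle.sh intermediates.pem pruned.pem
if [ "$#" -ge 2 ]; then prune_bundle "$@"; fi
```

Review the "dropping:" lines on stderr before deploying the pruned file, since removing a certificate that is still needed breaks the chain for every client.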

