[Ovmsdev] UserTrust/AddTrust/Comodo root CA expiration
leres at xse.com
Sun May 31 08:53:16 HKT 2020
On 2020-05-30 17:44, Mark Webb-Johnson wrote:
> The AddTrust root CA certificate that our api.openvehicles.com
> <http://api.openvehicles.com> is signed by has expired (last night).
> This will impact TLS connections to api.openvehicles.com
> <http://api.openvehicles.com>. Our certificate itself is fine (and
> doesn’t expire until Feb 2022), but the root cert is was signed by (via
> intermediaries) has expired.
> Pretty irresponsible for AddTrust/UserTrust/Comodo to sign a certificate
> with a later expiration date than their own CA, imho. Also irresponsible
> for them not to inform the customers. Everybody can be expected to
> monitor their own certificate expiration date, but not that of their
> certificate authority.
> I’ve been up most of the night dealing with fallout from this (in other
> work and customer related systems), so not happy.
> Anyway, I’ve updated the trusted root certificate in edge now, and
> released that. AddTrust has become UserTrust.
> To connect via tls to api.openvehicles.com
> <http://api.openvehicles.com> now, you will either need to firmware
> update, or manually add the trusted ca to /store/trustedca/usertrust.crt
> (I have attached it here, for convenience).
> I have also taken this opportunity to change the server v2 and v3
> backoff retry times to 60 seconds (was 20 or 30).
We use incommon certs at work and the intermediate bundle they provided
included two certs that expired (10:48 GMT); this broke any clients
using openssl < 1.1.1. I was able to fix it by removing the expired
certs from the bundle leaving one that is similar to the one you attached.
Version: 3 (0x2)
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = US, ST = New Jersey, L = Jersey City, O = The
USERTRUST Network, CN = USERTrust RSA Certification Authority
Not Before: Oct 6 00:00:00 2014 GMT
Not After : Oct 5 23:59:59 2024 GMT
Subject: C = US, ST = MI, L = Ann Arbor, O = Internet2, OU =
InCommon, CN = InCommon RSA Server CA
More information about the OvmsDev