[Ovmsdev] Urgent TLS root certificate issue (Let's Encrypt)

Mark Webb-Johnson mark at webb-johnson.net
Tue Sep 28 20:32:23 HKT 2021


Shall we release a full update? The last 3.2?

What we have now in master seems stable.

Mark

> On 28 Sep 2021, at 5:39 PM, Michael Balzer <dexter at expeedo.de> wrote:
> 
>  Everyone,
> 
> the DST root certificate we include (DST Root CA X3) expires on September 30, i.e. in two days.
> 
> OVMS# tls trust list 
> DST Root CA X3 length 1200 bytes
> 1200 byte certificate: DST Root CA X3
>   cert. version     : 3
>   serial number     : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
>   issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
>   subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
>   issued  on        : 2000-09-30 21:12:19
>   expires on        : 2021-09-30 14:01:15
>   signed using      : RSA with SHA1
>   RSA key size      : 2048 bits
>   basic constraints : CA=true
>   key usage         : Key Cert Sign, CRL Sign
> 
> AFAICT, this root certificate is currently used by the OVMS to validate Let's Encrypt certificates.
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> https://letsencrypt.org/docs/certificate-compatibility/
> Unfortunately, we missed adding the followup LE root certificate "ISRG Root X1" in time.
> 
> I've just added that certificate to our builtin certificate repository, but it's too late now to roll out a "main" update in time (isn't it?).
> 
> So, to prevent losing TLS connectivity with LE servers, users need to manually add the ISRG Root X1 certificate to their TLS repositories.
> 
> I've added a section on this to our user manual:
> https://docs.openvehicles.com/en/latest/userguide/ssltls.html
> If users contact you, point them to that page.
> 
> We probably should also remove the expired DST root certificate after September 30.
> 
> Regards,
> Michael
> 
> -- 
> Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
> Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
> _______________________________________________
> OvmsDev mailing list
> OvmsDev at lists.openvehicles.com
> http://lists.openvehicles.com/mailman/listinfo/ovmsdev
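
An added example, not part of this thread and not OVMS project code: a small Python check that parses `tls trust list` output in the format quoted above and flags trusted certificates that have expired or will expire within a warning window. The function names and the 30-day `warn_days` default are assumptions, and the second sample entry is constructed.

```python
import re
from datetime import datetime, timedelta

# First entry: output quoted in the message above; second: constructed. Times assumed UTC.
SAMPLE = """\
DST Root CA X3 length 1200 bytes
1200 byte certificate: DST Root CA X3
  cert. version     : 3
  serial number     : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
  issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
  subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
  issued  on        : 2000-09-30 21:12:19
  expires on        : 2021-09-30 14:01:15
  signed using      : RSA with SHA1
  RSA key size      : 2048 bits
  basic constraints : CA=true
  key usage         : Key Cert Sign, CRL Sign
1000 byte certificate: Example Root CA
  expires on        : 2035-01-01 00:00:00
"""
ENTRY = re.compile(r"^\d+ byte certificate: (.+)$")   # starts a new certificate
FIELD = re.compile(r"^\s+(.+?)\s*:\s(.*)$")           # indented "key : value"

def parse_trust_list(text):
    """Return one dict per certificate, keyed by the field labels."""
    certs = []
    for line in text.splitlines():
        if m := ENTRY.match(line):
            certs.append({"name": m.group(1).strip()})
        elif certs and (m := FIELD.match(line)):
            certs[-1][" ".join(m.group(1).split())] = m.group(2).strip()
    return certs

def expiry_report(text, now, warn_days=30):
    """Map certificate name -> 'expired', 'expiring', 'ok' or 'unknown'."""
    report = {}
    for cert in parse_trust_list(text):
        raw = cert.get("expires on")
        if raw is None:
            report[cert["name"]] = "unknown"   # no expiry line parsed
            continue
        left = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S") - now
        if left <= timedelta(0):
            report[cert["name"]] = "expired"
        elif left <= timedelta(days=warn_days):
            report[cert["name"]] = "expiring"
        else:
            report[cert["name"]] = "ok"
    return report
```

Run against a saved copy of the console output on a schedule, anything reported as `expiring` leaves time to ship a replacement root before validation starts failing.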