[Ovmsdev] Urgent TLS root certificate issue (Let's Encrypt)

Michael Balzer dexter at expeedo.de
Tue Sep 28 21:07:57 HKT 2021 

We would need to bypass / shortcut the "eap" test phase.

But I agree, "master" is stable, I haven't had any issues or reports, so 
I think we could do that. The FreeRTOS timer issue I'm working on only 
affects very specific conditions, so not necessary to wait for that.

Should we remove the expiring DST certificate in that release then?

…uh oh: just tried removing the DST certificate: the module cannot 
connect to my server anymore…!?

I (490213) ovms-server-v2: Connection is ovms.dexters-web.de:6870 TEST1
I (490213) ovms-server-v2: Status: Connecting...
V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CONNECT=-3)
W (490723) ovms-server-v2: Connection failed
E (490723) ovms-server-v2: Status: Error: Connection failed
V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CLOSE)
I (490723) ovms-server-v2: Status: Disconnected




Am 28.09.21 um 14:32 schrieb Mark Webb-Johnson:
> Shall we release a full update? The last 3.2?
>
> What we have now in master seems stable.
>
> Mark
>
>> On 28 Sep 2021, at 5:39 PM, Michael Balzer <dexter at expeedo.de> wrote:
>>
>>  Everyone,
>>
>> the DST root certificate we include (DST Root CA X3) expires on 
>> September 30, i.e. in two days.
>>
>> OVMS# tls trust list
>> DST Root CA X3 length 1200 bytes
>> 1200 byte certificate: DST Root CA X3
>>   cert. version     : 3
>>   serial number     : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
>>   issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
>>   subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
>>   issued  on        : 2000-09-30 21:12:19
>> *  expires on        : 2021-09-30 14:01:15*
>>   signed using      : RSA with SHA1
>>   RSA key size      : 2048 bits
>>   basic constraints : CA=true
>>   key usage         : Key Cert Sign, CRL Sign
>>
>> AFAICT, this root certificate is currently used by the OVMS to 
>> validate Let's Encrypt certificates.
>>
>>   * https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>   * https://letsencrypt.org/docs/certificate-compatibility/
>>
>> Unfortunately, we missed adding the followup LE root certificate 
>> "ISRG Root X1" in time.
>>
>> I've just added that certificate to our builtin certificate 
>> repository, but it's too late now to roll out a "main" update in time 
>> (isn't it?).
>>
>> So, to prevent losing TLS connectivity with LE servers, users need to 
>> manually add the ISRG Root X1 certificate to their TLS repositories.
>>
>> I've added a section on this to our user manual:
>>
>>   * https://docs.openvehicles.com/en/latest/userguide/ssltls.html
>>
>> If users contact you, point them to that page.
>>
>> We probably should also remove the expired DST root certificate after 
>> September 30.
>>
>> Regards,
>> Michael
>>
>> -- 
>> Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
>> Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
>> _______________________________________________
>> OvmsDev mailing list
>> OvmsDev at lists.openvehicles.com
>> http://lists.openvehicles.com/mailman/listinfo/ovmsdev
>
> _______________________________________________
> OvmsDev mailing list
> OvmsDev at lists.openvehicles.com
> http://lists.openvehicles.com/mailman/listinfo/ovmsdev

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvehicles.com/pipermail/ovmsdev/attachments/20210928/5b619e97/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 203 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openvehicles.com/pipermail/ovmsdev/attachments/20210928/5b619e97/attachment-0001.sig>

More information about the OvmsDev mailing list