[Ovmsdev] Urgent TLS root certificate issue (Let's Encrypt)

Michael Balzer dexter at expeedo.de
Tue Sep 28 21:34:40 HKT 2021


I've tried adding the intermediate cert ("R3") and then also my site 
certificate, that didn't help.

Only adding the DST cert again fixes the connection.

Any ideas?


OVMS# tls trust list
…
ISRG Root X1 length 1939 bytes
1939 byte certificate: ISRG Root X1
   cert. version     : 3
   serial number     : 82:10:CF:B0:D2:40:E3:59:44:63:E0:BB:63:82:8B:00
   issuer name       : C=US, O=Internet Security Research Group, CN=ISRG Root X1
   subject name      : C=US, O=Internet Security Research Group, CN=ISRG Root X1
   issued  on        : 2015-06-04 11:04:38
   expires on        : 2035-06-04 11:04:38
   signed using      : RSA with SHA-256
   RSA key size      : 4096 bits
   basic constraints : CA=true
   key usage         : Key Cert Sign, CRL Sign
…
dexter length 1972 bytes
1972 byte certificate: dexter
   cert. version     : 3
   serial number     : 04:55:1D:F4:27:A3:7D:E9:E4:A8:5C:37:F6:A1:61:87:3C:E5
   issuer name       : C=US, O=Let's Encrypt, CN=R3
   subject name      : CN=dexter.shopdriver.de
   issued  on        : 2021-08-07 05:47:57
   expires on        : 2021-11-05 05:47:55
   signed using      : RSA with SHA-256
   RSA key size      : 2048 bits
   basic constraints : CA=false
   subject alt name  : dexter.shopdriver.de, dexters-web.de, ovms.dexters-web.de, www.dexter.shopdriver.de, www.dexters-web.de
   key usage         : Digital Signature, Key Encipherment
   ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication
…
r3 length 1826 bytes
1826 byte certificate: r3
   cert. version     : 3
   serial number     : 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A
   issuer name       : C=US, O=Internet Security Research Group, CN=ISRG Root X1
   subject name      : C=US, O=Let's Encrypt, CN=R3
   issued  on        : 2020-09-04 00:00:00
   expires on        : 2025-09-15 16:00:00
   signed using      : RSA with SHA-256
   RSA key size      : 2048 bits
   basic constraints : CA=true, max_pathlen=0
   key usage         : Digital Signature, Key Cert Sign, CRL Sign
   ext key usage     : TLS Web Client Authentication, TLS Web Server Authentication



On 28.09.21 at 15:07, Michael Balzer wrote:
> We would need to bypass / shortcut the "eap" test phase.
>
> But I agree, "master" is stable, I haven't had any issues or reports, 
> so I think we could do that. The FreeRTOS timer issue I'm working on 
> only affects very specific conditions, so not necessary to wait for that.
>
> Should we remove the expiring DST certificate in that release then?
>
> …uh oh: just tried removing the DST certificate: the module cannot 
> connect to my server anymore…!?
>
> I (490213) ovms-server-v2: Connection is ovms.dexters-web.de:6870 TEST1
> I (490213) ovms-server-v2: Status: Connecting...
> V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CONNECT=-3)
> W (490723) ovms-server-v2: Connection failed
> E (490723) ovms-server-v2: Status: Error: Connection failed
> V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CLOSE)
> I (490723) ovms-server-v2: Status: Disconnected
>
>
>
>
> On 28.09.21 at 14:32, Mark Webb-Johnson wrote:
>> Shall we release a full update? The last 3.2?
>>
>> What we have now in master seems stable.
>>
>> Mark
>>
>>> On 28 Sep 2021, at 5:39 PM, Michael Balzer <dexter at expeedo.de> wrote:
>>>
>>> Everyone,
>>>
>>> the DST root certificate we include (DST Root CA X3) expires on 
>>> September 30, i.e. in two days.
>>>
>>> OVMS# tls trust list
>>> DST Root CA X3 length 1200 bytes
>>> 1200 byte certificate: DST Root CA X3
>>>   cert. version     : 3
>>>   serial number     : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
>>>   issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
>>>   subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
>>>   issued  on        : 2000-09-30 21:12:19
>>>   expires on        : 2021-09-30 14:01:15
>>>   signed using      : RSA with SHA1
>>>   RSA key size      : 2048 bits
>>>   basic constraints : CA=true
>>>   key usage         : Key Cert Sign, CRL Sign
>>>
>>> AFAICT, this root certificate is currently used by the OVMS to 
>>> validate Let's Encrypt certificates.
>>>
>>>   * https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>>>   * https://letsencrypt.org/docs/certificate-compatibility/
>>>
>>> Unfortunately, we missed adding the followup LE root certificate 
>>> "ISRG Root X1" in time.
>>>
>>> I've just added that certificate to our builtin certificate 
>>> repository, but it's too late now to roll out a "main" update in 
>>> time (isn't it?).
>>>
>>> So, to prevent losing TLS connectivity with LE servers, users need 
>>> to manually add the ISRG Root X1 certificate to their TLS repositories.
>>>
>>> I've added a section on this to our user manual:
>>>
>>>   * https://docs.openvehicles.com/en/latest/userguide/ssltls.html
>>>
>>> If users contact you, point them to that page.
>>>
>>> We probably should also remove the expired DST root certificate 
>>> after September 30.
>>>
>>> Regards,
>>> Michael
>>>
>>> -- 
>>> Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
>>> Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
>>> _______________________________________________
>>> OvmsDev mailing list
>>> OvmsDev at lists.openvehicles.com
>>> http://lists.openvehicles.com/mailman/listinfo/ovmsdev
>>
>
> -- 
> Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
> Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
>

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
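The thread turns on one question: which root a client's path builder ends at when the server sends the default Let's Encrypt chain (leaf, R3, then ISRG Root X1 cross-signed by DST Root CA X3), depending on which roots are in the trust store and on whether the date is before or after 30 September 2021. The program below is an added example written for this page; it is not code from the thread or from the OVMS project, and it uses Go's crypto/x509 path builder rather than the TLS library on the module. It generates a throwaway PKI in process with P-256 sample keys (all names carry a "(sample)" suffix, the host ovms.example.test is a placeholder), takes the DST expiry, the R3 validity and the leaf validity from the listings in the mails, and assumes validity dates for the cross-signed root. It then verifies the leaf against three trust stores (DST only, ISRG Root X1 only, both) on 28 September and 1 October 2021 and reports which root each valid path terminates at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pair is a certificate plus the private key that signs its children.
type pair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial numbers; they only need to be distinct

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func check(err error) {
	if err != nil {
		panic(err) // fixture generation failing is a bug in the demo, so abort loudly
	}
}

// issue creates a certificate for cn. parent == nil means self-signed. key == nil generates
// a fresh P-256 key; reusing a key yields a cross-signed cert (same subject and public key).
func issue(cn string, isCA bool, from, until time.Time, parent *pair, key *ecdsa.PrivateKey) *pair {
	if key == nil {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		key = k
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: until, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &pair{cert, key}
}

// buildPKI mirrors the Let's Encrypt layout from the thread with sample keys: it returns the
// leaf, the chain a server sends with it (R3, then ISRG Root X1 cross-signed by DST), and both roots.
func buildPKI() (leaf *x509.Certificate, served []*x509.Certificate, dst, isrg *x509.Certificate) {
	dstP := issue("DST Root CA X3 (sample)", true, date(2000, 9, 30), time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC), nil, nil)
	isrgP := issue("ISRG Root X1 (sample)", true, date(2015, 6, 4), date(2035, 6, 4), nil, nil)
	cross := issue("ISRG Root X1 (sample)", true, date(2021, 1, 20), date(2024, 9, 30), dstP, isrgP.key) // assumed dates
	r3 := issue("R3 (sample)", true, date(2020, 9, 4), date(2025, 9, 15), isrgP, nil)
	leafP := issue("ovms.example.test", false, date(2021, 8, 7), date(2021, 11, 5), r3, nil)
	return leafP.cert, []*x509.Certificate{r3.cert, cross.cert}, dstP.cert, isrgP.cert
}

// verifyLeaf validates leaf at time at against a trust store built from roots, treating the
// served certificates as untrusted intermediates. It returns the root CN each valid path ends at.
func verifyLeaf(leaf *x509.Certificate, served, roots []*x509.Certificate, at time.Time) ([]string, error) {
	inter, trust := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range served {
		inter.AddCert(c)
	}
	for _, c := range roots {
		trust.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Intermediates: inter, Roots: trust, CurrentTime: at})
	if err != nil {
		return nil, err
	}
	var ends []string
	for _, ch := range chains {
		ends = append(ends, ch[len(ch)-1].Subject.CommonName)
	}
	return ends, nil
}

func main() {
	leaf, served, dst, isrg := buildPKI()
	stores := map[string][]*x509.Certificate{"DST only": {dst}, "ISRG X1 only": {isrg}, "both": {dst, isrg}}
	for _, at := range []time.Time{date(2021, 9, 28), date(2021, 10, 1)} {
		for name, roots := range stores {
			ends, err := verifyLeaf(leaf, served, roots, at)
			fmt.Printf("%s %-12s paths end at %v, error: %v\n", at.Format("2006-01-02"), name, ends, err)
		}
	}
}
```

Run with `go run`; it prints one line per trust store and date (map order varies). With only the DST root the leaf validates on 28 September and fails on 1 October with an expiry error, because the only path the builder can find runs through the cross-signed root to the expired DST certificate. With ISRG Root X1 in the store the builder stops at that trusted self-signed root on 1 October and ignores the cross-signed copy, so removing the DST root changes nothing for such a client. That is the baseline to compare a client against: the module in this thread fails after the DST root is removed even though ISRG Root X1 and R3 are in its trust list, which this example does not reproduce and does not explain, so it tells you what a conforming verifier does, not why the module's TLS stack behaves differently.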
