[Ovmsdev] Urgent TLS root certificate issue (Let's Encrypt)

Craig Leres leres at xse.com
Wed Sep 29 01:38:32 HKT 2021


On 9/28/21 2:39 AM, Michael Balzer wrote:
> the DST root certificate we include (DST Root CA X3) expires on 
> September 30, i.e. in two days.
> 
> OVMS# tls trust list
> DST Root CA X3 length 1200 bytes
> 1200 byte certificate: DST Root CA X3
>    cert. version     : 3
>    serial number     : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
>    issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
>    subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
>    issued  on        : 2000-09-30 21:12:19
> *  expires on        : 2021-09-30 14:01:15*
>    signed using      : RSA with SHA1
>    RSA key size      : 2048 bits
>    basic constraints : CA=true
>    key usage         : Key Cert Sign, CRL Sign
> 
> AFAICT, this root certificate is currently used by the OVMS to validate 
> Let's Encrypt certificates.
> 
>   * https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>   * https://letsencrypt.org/docs/certificate-compatibility/
> 
> Unfortunately, we missed adding the followup LE root certificate "ISRG 
> Root X1" in time.

As I understand it, the problem is with the Let's Encrypt cert you are 
currently using on your server; would switching to a commercial cert 
that validates with one of the "trustedca" certs already in deployed 
OVMS make this problem go away? Then, months down the road, switch your 
server back to a Let's Encrypt cert?

		Craig

