<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I've tried adding the intermediate cert ("R3") and then also my site
certificate; that didn't help.<br>
<br>
Only adding the DST cert again fixes the connection.<br>
<br>
Any ideas?<br>
<br>
<br>
<font face="monospace">OVMS# tls trust list<br>
…<br>
ISRG Root X1 length 1939 bytes<br>
1939 byte certificate: ISRG Root X1<br>
cert. version : 3<br>
serial number :
82:10:CF:B0:D2:40:E3:59:44:63:E0:BB:63:82:8B:00<br>
issuer name : C=US, O=Internet Security Research Group,
CN=ISRG Root X1<br>
subject name : C=US, O=Internet Security Research Group,
CN=ISRG Root X1<br>
issued on : 2015-06-04 11:04:38<br>
expires on : 2035-06-04 11:04:38<br>
signed using : RSA with SHA-256<br>
RSA key size : 4096 bits<br>
basic constraints : CA=true<br>
key usage : Key Cert Sign, CRL Sign<br>
…<br>
dexter length 1972 bytes<br>
1972 byte certificate: dexter<br>
cert. version : 3<br>
serial number :
04:55:1D:F4:27:A3:7D:E9:E4:A8:5C:37:F6:A1:61:87:3C:E5<br>
issuer name : C=US, O=Let's Encrypt, CN=R3<br>
subject name : CN=dexter.shopdriver.de<br>
issued on : 2021-08-07 05:47:57<br>
expires on : 2021-11-05 05:47:55<br>
signed using : RSA with SHA-256<br>
RSA key size : 2048 bits<br>
basic constraints : CA=false<br>
subject alt name : dexter.shopdriver.de, dexters-web.de,
ovms.dexters-web.de, www.dexter.shopdriver.de, www.dexters-web.de<br>
key usage : Digital Signature, Key Encipherment<br>
ext key usage : TLS Web Server Authentication, TLS Web
Client Authentication<br>
…<br>
r3 length 1826 bytes<br>
1826 byte certificate: r3<br>
cert. version : 3<br>
serial number :
91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A<br>
issuer name : C=US, O=Internet Security Research Group,
CN=ISRG Root X1<br>
subject name : C=US, O=Let's Encrypt, CN=R3<br>
issued on : 2020-09-04 00:00:00<br>
expires on : 2025-09-15 16:00:00<br>
signed using : RSA with SHA-256<br>
RSA key size : 2048 bits<br>
basic constraints : CA=true, max_pathlen=0<br>
key usage : Digital Signature, Key Cert Sign, CRL Sign<br>
ext key usage : TLS Web Client Authentication, TLS Web
Server Authentication<br>
</font><br>
<br>
<br>
<div class="moz-cite-prefix">On 28.09.21 at 15:07, Michael Balzer
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2de8041f-aa24-c8bb-b185-709993b0bb10@expeedo.de">
We would need to bypass / shortcut the "eap" test phase.<br>
<br>
But I agree, "master" is stable, I haven't had any issues or
reports, so I think we could do that. The FreeRTOS timer issue I'm
working on only affects very specific conditions, so not necessary
to wait for that.<br>
<br>
Should we remove the expiring DST certificate in that release
then?<br>
<br>
…uh oh: just tried removing the DST certificate: the module cannot
connect to my server anymore…!?<br>
<br>
<font face="monospace">I (490213) ovms-server-v2: Connection is
ovms.dexters-web.de:6870 TEST1<br>
I (490213) ovms-server-v2: Status: Connecting...<br>
V (490723) ovms-server-v2:
OvmsServerV2MongooseCallback(MG_EV_CONNECT=-3)<br>
W (490723) ovms-server-v2: Connection failed<br>
E (490723) ovms-server-v2: Status: Error: Connection failed<br>
V (490723) ovms-server-v2:
OvmsServerV2MongooseCallback(MG_EV_CLOSE)<br>
I (490723) ovms-server-v2: Status: Disconnected</font><br>
<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 28.09.21 at 14:32, Mark
Webb-Johnson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:D612B1E5-EA64-4CC1-89DD-66EAE385A654@webb-johnson.net">
<div dir="ltr">Shall we release a full update? The last 3.2?</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">What we have now in master seems stable.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Mark</div>
<div dir="ltr"><br>
<blockquote type="cite">On 28 Sep 2021, at 5:39 PM, Michael
Balzer <a class="moz-txt-link-rfc2396E"
href="mailto:dexter@expeedo.de" moz-do-not-send="true">&lt;dexter@expeedo.de&gt;</a>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
Everyone,<br>
<br>
the DST root certificate we include (DST Root CA X3) expires
on September 30, i.e. in two days.<br>
<br>
<font face="monospace">OVMS# tls trust list <br>
DST Root CA X3 length 1200 bytes<br>
1200 byte certificate: DST Root CA X3<br>
cert. version : 3<br>
serial number :
44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B<br>
issuer name : O=Digital Signature Trust Co.,
CN=DST Root CA X3<br>
subject name : O=Digital Signature Trust Co.,
CN=DST Root CA X3<br>
issued on : 2000-09-30 21:12:19<br>
<b> expires on : 2021-09-30 14:01:15</b><br>
signed using : RSA with SHA1<br>
RSA key size : 2048 bits<br>
basic constraints : CA=true<br>
key usage : Key Cert Sign, CRL Sign</font><br>
<br>
AFAICT, this root certificate is currently used by the OVMS
to validate Let's Encrypt certificates.<br>
<ul>
<li><a class="moz-txt-link-freetext"
href="https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/"
moz-do-not-send="true">https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/</a></li>
<li><a class="moz-txt-link-freetext"
href="https://letsencrypt.org/docs/certificate-compatibility/"
moz-do-not-send="true">https://letsencrypt.org/docs/certificate-compatibility/</a><br>
</li>
</ul>
Unfortunately, we missed adding the followup LE root
certificate "ISRG Root X1" in time.<br>
<br>
I've just added that certificate to our builtin certificate
repository, but it's too late now to roll out a "main"
update in time (isn't it?).<br>
<br>
So, to prevent losing TLS connectivity with LE servers,
users need to manually add the ISRG Root X1 certificate to
their TLS repositories.<br>
<br>
I've added a section on this to our user manual:<br>
<ul>
<li><a class="moz-txt-link-freetext"
href="https://docs.openvehicles.com/en/latest/userguide/ssltls.html"
moz-do-not-send="true">https://docs.openvehicles.com/en/latest/userguide/ssltls.html</a></li>
</ul>
If users contact you, point them to that page.<br>
<br>
We probably should also remove the expired DST root
certificate after September 30.<br>
<br>
Regards,<br>
Michael<br>
<br>
<pre class="moz-signature" cols="72">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26</pre>
<span>_______________________________________________</span><br>
<span>OvmsDev mailing list</span><br>
<span><a class="moz-txt-link-abbreviated"
href="mailto:OvmsDev@lists.openvehicles.com"
moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a></span><br>
<span><a class="moz-txt-link-freetext"
href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev"
moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a></span><br>
</div>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26</pre>
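<br>
The trust store listings in this thread can be audited offline for expired entries and for a complete issuer-to-root path. The following is an added example, not part of the original e-mail or of the OVMS code base: it parses the `tls trust list` text format shown above and compares names and dates only (no signature verification); `parse_trust_list` and `audit` are hypothetical helper names.<br>

```python
import re
from datetime import datetime

# Constructed sample: fields from this thread's listings, unwrapped and trimmed.
SAMPLE = """\
DST Root CA X3 length 1200 bytes
issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3
subject name : O=Digital Signature Trust Co., CN=DST Root CA X3
expires on : 2021-09-30 14:01:15
ISRG Root X1 length 1939 bytes
issuer name : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name : C=US, O=Internet Security Research Group, CN=ISRG Root X1
expires on : 2035-06-04 11:04:38
dexter length 1972 bytes
issuer name : C=US, O=Let's Encrypt, CN=R3
subject name : CN=dexter.shopdriver.de
expires on : 2021-11-05 05:47:55
r3 length 1826 bytes
issuer name : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name : C=US, O=Let's Encrypt, CN=R3
expires on : 2025-09-15 16:00:00
"""

def parse_trust_list(text):
    """Parse `tls trust list` output into {label: {field: value}}."""
    certs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"(.+) length \d+ bytes$", line)
        key, sep, val = line.partition(" : ")
        if head:
            cur = certs.setdefault(head.group(1), {})
        elif sep and cur is not None:
            cur[key.strip()] = val.strip()
    return certs

def audit(certs, label, now):
    """Walk issuer -> subject links in the store; return (path, expired, anchored)."""
    by_subject = {c["subject name"]: name for name, c in certs.items()}
    path, anchored = [], False
    while label is not None and label not in path and not anchored:
        path.append(label)
        c = certs[label]
        anchored = c["issuer name"] == c["subject name"]  # self-signed root in store
        label = by_subject.get(c["issuer name"])
    expired = [n for n in path
               if now > datetime.strptime(certs[n]["expires on"], "%Y-%m-%d %H:%M:%S")]
    return path, expired, anchored

if __name__ == "__main__":
    print(audit(parse_trust_list(SAMPLE), "dexter", datetime(2021, 10, 1)))
```

`anchored` is False when an issuer named on the path has no matching subject in the store, which is the state a device is left in when a root is removed before its replacement is installed.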
</body>
</html>