I've tried adding the intermediate cert ("R3") and then also my site certificate, that didn't help.
Only adding the DST cert again fixes the connection.
Any ideas?
OVMS# tls trust list
…
ISRG Root X1 length 1939 bytes
1939 byte certificate: ISRG Root X1
cert. version : 3
serial number : 82:10:CF:B0:D2:40:E3:59:44:63:E0:BB:63:82:8B:00
issuer name : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name : C=US, O=Internet Security Research Group, CN=ISRG Root X1
issued on : 2015-06-04 11:04:38
expires on : 2035-06-04 11:04:38
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
…
dexter length 1972 bytes
1972 byte certificate: dexter
cert. version : 3
serial number : 04:55:1D:F4:27:A3:7D:E9:E4:A8:5C:37:F6:A1:61:87:3C:E5
issuer name : C=US, O=Let's Encrypt, CN=R3
subject name : CN=dexter.shopdriver.de
issued on : 2021-08-07 05:47:57
expires on : 2021-11-05 05:47:55
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : dexter.shopdriver.de, dexters-web.de, ovms.dexters-web.de, www.dexter.shopdriver.de, www.dexters-web.de
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
…
r3 length 1826 bytes
1826 byte certificate: r3
cert. version : 3
serial number : 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A
issuer name : C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject name : C=US, O=Let's Encrypt, CN=R3
issued on : 2020-09-04 00:00:00
expires on : 2025-09-15 16:00:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Client Authentication, TLS Web Server Authentication
Am 28.09.21 um 15:07 schrieb Michael Balzer:
We would need to bypass / shortcut the "eap" test phase.
But I agree, "master" is stable, I haven't had any issues or reports, so I think we could do that. The FreeRTOS timer issue I'm working on only affects very specific conditions, so not necessary to wait for that.
Should we remove the expiring DST certificate in that release then?
…uh oh: just tried removing the DST certificate: the module cannot connect to my server anymore…!?
I (490213) ovms-server-v2: Connection is ovms.dexters-web.de:6870 TEST1
I (490213) ovms-server-v2: Status: Connecting...
V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CONNECT=-3)
W (490723) ovms-server-v2: Connection failed
E (490723) ovms-server-v2: Status: Error: Connection failed
V (490723) ovms-server-v2: OvmsServerV2MongooseCallback(MG_EV_CLOSE)
I (490723) ovms-server-v2: Status: Disconnected
Am 28.09.21 um 14:32 schrieb Mark Webb-Johnson:
Shall we release a full update? The last 3.2?
What we have now in master seems stable.
Mark
On 28 Sep 2021, at 5:39 PM, Michael Balzer <dexter@expeedo.de> wrote:
Everyone,
the DST root certificate we include (DST Root CA X3) expires on September 30, i.e. in two days.
OVMS# tls trust list
DST Root CA X3 length 1200 bytes
1200 byte certificate: DST Root CA X3
cert. version : 3
serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3
subject name : O=Digital Signature Trust Co., CN=DST Root CA X3
issued on : 2000-09-30 21:12:19
expires on : 2021-09-30 14:01:15
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
AFAICT, this root certificate is currently used by the OVMS to validate Let's Encrypt certificates.
Unfortunately, we missed adding the followup LE root certificate "ISRG Root X1" in time.
- https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
- https://letsencrypt.org/docs/certificate-compatibility/
I've just added that certificate to our builtin certificate repository, but it's too late now to roll out a "main" update in time (isn't it?).
So, to prevent losing TLS connectivity with LE servers, users need to manually add the ISRG Root X1 certificate to their TLS repositories.
I've added a section on this to our user manual:
If users contact you, point them to that page.
We probably should also remove the expired DST root certificate after September 30.
Regards,
Michael
-- Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal Fon 02333 / 833 5735 * Handy 0176 / 206 989 26_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev
_______________________________________________ OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev
-- Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
_______________________________________________ OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev
-- Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
_______________________________________________ OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev
-- Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal Fon 02333 / 833 5735 * Handy 0176 / 206 989 26