On 9/28/21 2:39 AM, Michael Balzer wrote:
the DST root certificate we include (DST Root CA X3) expires on September 30, i.e. in two days.
OVMS# tls trust list DST Root CA X3 length 1200 bytes 1200 byte certificate: DST Root CA X3 cert. version : 3 serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3 subject name : O=Digital Signature Trust Co., CN=DST Root CA X3 issued on : 2000-09-30 21:12:19 * expires on : 2021-09-30 14:01:15* signed using : RSA with SHA1 RSA key size : 2048 bits basic constraints : CA=true key usage : Key Cert Sign, CRL Sign
AFAICT, this root certificate is currently used by the OVMS to validate Let's Encrypt certificates.
* https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ * https://letsencrypt.org/docs/certificate-compatibility/
Unfortunately, we missed adding the followup LE root certificate "ISRG Root X1" in time.
As I understand it the problem is with the let's encrypt cert you are currently using on your server; would switching to a commercial cert that validates with one of the "trustedca" certs already in deployed ovms make this problem go away? Then months down the road switch your server back to a let's encrypt cert? Craig