Shall we release a full update? The last 3.2? What we have now in master seems stable. Mark
On 28 Sep 2021, at 5:39 PM, Michael Balzer <dexter@expeedo.de> wrote:
Everyone,
the DST root certificate we include (DST Root CA X3) expires on September 30, i.e. in two days.
OVMS# tls trust list DST Root CA X3 length 1200 bytes 1200 byte certificate: DST Root CA X3 cert. version : 3 serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3 subject name : O=Digital Signature Trust Co., CN=DST Root CA X3 issued on : 2000-09-30 21:12:19 expires on : 2021-09-30 14:01:15 signed using : RSA with SHA1 RSA key size : 2048 bits basic constraints : CA=true key usage : Key Cert Sign, CRL Sign
AFAICT, this root certificate is currently used by the OVMS to validate Let's Encrypt certificates. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ https://letsencrypt.org/docs/certificate-compatibility/ Unfortunately, we missed adding the followup LE root certificate "ISRG Root X1" in time.
I've just added that certificate to our builtin certificate repository, but it's too late now to roll out a "main" update in time (isn't it?).
So, to prevent losing TLS connectivity with LE servers, users need to manually add the ISRG Root X1 certificate to their TLS repositories.
I've added a section on this to our user manual: https://docs.openvehicles.com/en/latest/userguide/ssltls.html If users contact you, point them to that page.
We probably should also remove the expired DST root certificate after September 30.
Regards, Michael
-- Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal Fon 02333 / 833 5735 * Handy 0176 / 206 989 26 _______________________________________________ OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev