Everyone,

the DST root certificate we include (DST Root CA X3) expires on September 30, i.e. in two days.

OVMS# tls trust list
DST Root CA X3 length 1200 bytes
1200 byte certificate: DST Root CA X3
  cert. version     : 3
  serial number     : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
  issuer name       : O=Digital Signature Trust Co., CN=DST Root CA X3
  subject name      : O=Digital Signature Trust Co., CN=DST Root CA X3
  issued  on        : 2000-09-30 21:12:19
  expires on        : 2021-09-30 14:01:15
  signed using      : RSA with SHA1
  RSA key size      : 2048 bits
  basic constraints : CA=true
  key usage         : Key Cert Sign, CRL Sign

AFAICT, this root certificate is currently used by the OVMS to validate Let's Encrypt certificates.

• https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
• https://letsencrypt.org/docs/certificate-compatibility/
  

Unfortunately, we missed adding the followup LE root certificate "ISRG Root X1" in time.

I've just added that certificate to our builtin certificate repository, but it's too late now to roll out a "main" update in time (isn't it?).

So, to prevent losing TLS connectivity with LE servers, users need to manually add the ISRG Root X1 certificate to their TLS repositories.

I've added a section on this to our user manual:

• https://docs.openvehicles.com/en/latest/userguide/ssltls.html

If users contact you, point them to that page.

We probably should also remove the expired DST root certificate after September 30.

Regards,
Michael

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev