The AddTrust root CA certificate that our api.openvehicles.com is signed by has expired (last night). This will impact TLS connections to api.openvehicles.com. Our certificate itself is fine (and doesn’t expire until Feb 2022), but the root cert it was signed by (via intermediaries) has expired.

Pretty irresponsible for AddTrust/UserTrust/Comodo to sign a certificate with a later expiration date than their own CA, imho. Also irresponsible for them not to inform the customers. Everybody can be expected to monitor their own certificate expiration date, but not that of their certificate authority.

I’ve been up most of the night dealing with fallout from this (in other work and customer related systems), so not happy.

Anyway, I’ve updated the trusted root certificate in edge now, and released that. AddTrust has become UserTrust.

To connect via TLS to api.openvehicles.com now, you will either need to firmware update, or manually add the trusted CA to /store/trustedca/usertrust.crt (I have attached it here, for convenience).

I have also taken this opportunity to change the server v2 and v3 backoff retry times to 60 seconds (was 20 or 30).

Regards, Mark.
On 2020-05-30 17:44, Mark Webb-Johnson wrote:
[Mark’s announcement above, quoted in full]
We use incommon certs at work and the intermediate bundle they provided included two certs that expired (10:48 GMT); this broke any clients using openssl < 1.1.1. I was able to fix it by removing the expired certs from the bundle leaving one that is similar to the one you attached.

Craig

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:20:d0:fa:85:46:1a:7e:17:a1:64:02:91:84:63:74
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        Validity
            Not Before: Oct  6 00:00:00 2014 GMT
            Not After : Oct  5 23:59:59 2024 GMT
        Subject: C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
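Both fixes in this thread can be reproduced offline: Mark's (trust the new root directly) and Craig's (remove the expired certificates from the intermediate bundle). The shell script below is an added example, not code from the OVMS project, InCommon or the CA. It builds a throwaway PKI with made-up names (Example Old Root, Example New Root, Example Issuing CA, api.example.test) and validity periods chosen so that the old root and the cross-certificate expire after one day, then uses `openssl verify -attime` to check the server certificate against the old and the new anchor before and after that expiry. The `prune_expired` function is the bundle clean-up; everything else is scaffolding.

```shell
#!/bin/sh
# Added example (not OVMS, InCommon or Sectigo code): a throwaway PKI that
# reproduces a cross-signed root expiring under a still-valid server cert,
# plus the bundle-pruning fix. Names, paths and validity periods are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions applied to every CA certificate issued with `openssl x509 -req`.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# mkcsr NAME SUBJECT: EC key plus CSR, so no openssl.cnf prompts are needed.
mkcsr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

# Old root (the anchor the devices shipped with): one day of validity left.
mkcsr oldroot "/CN=Example Old Root"
openssl x509 -req -in oldroot.csr -signkey oldroot.key -days 1 \
    -extfile ca.ext -out oldroot.pem 2>/dev/null

# New root: self-signed, long-lived.
mkcsr newroot "/CN=Example New Root"
openssl x509 -req -in newroot.csr -signkey newroot.key -days 3650 \
    -extfile ca.ext -out newroot.pem 2>/dev/null

# Cross-certificate: the new root's key and name, signed by the old root, so
# it expires with the old root (the AddTrust -> USERTrust arrangement).
openssl x509 -req -in newroot.csr -CA oldroot.pem -CAkey oldroot.key \
    -CAcreateserial -days 1 -extfile ca.ext -out cross.pem 2>/dev/null

# Issuing CA under the new root, and a server certificate outliving the old root.
mkcsr issuing "/CN=Example Issuing CA"
openssl x509 -req -in issuing.csr -CA newroot.pem -CAkey newroot.key \
    -CAcreateserial -days 3650 -extfile ca.ext -out issuing.pem 2>/dev/null
mkcsr leaf "/CN=api.example.test"
openssl x509 -req -in leaf.csr -CA issuing.pem -CAkey issuing.key \
    -CAcreateserial -days 365 -out leaf.pem 2>/dev/null

# The intermediate bundle a CA hands out: issuing CA plus cross-certificate.
cat issuing.pem cross.pem > bundle.pem

SOON=$(( $(date +%s) + 60 ))        # safely inside every notBefore
LATER=$(( SOON + 2 * 86400 ))       # two days on: old root and cross cert are gone

# chain_ok_at T CAFILE UNTRUSTED LEAF: exit 0 when LEAF chains to an anchor in
# CAFILE at epoch time T, using UNTRUSTED as the pool of candidate intermediates.
chain_ok_at() {
    openssl verify -attime "$1" -CAfile "$2" -untrusted "$3" "$4" >/dev/null 2>&1
}

# prune_expired BUNDLE HORIZON: print the certificates of a PEM bundle that are
# still valid HORIZON seconds from now and drop the rest (the manual fix above).
prune_expired() {
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     { print > (d "/cert" n ".pem") }' "$1"
    for f in "$dir"/cert*.pem; do
        if openssl x509 -in "$f" -noout -checkend "$2" >/dev/null 2>&1; then
            cat "$f"
        fi
    done
    rm -rf "$dir"
}

# count_certs FILE: number of PEM certificates in FILE.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# report LABEL T CAFILE UNTRUSTED: one line of verification outcome for leaf.pem.
report() {
    if chain_ok_at "$2" "$3" "$4" leaf.pem; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

prune_expired bundle.pem $(( 2 * 86400 )) > pruned.pem
echo "bundle: $(count_certs bundle.pem) certs, pruned: $(count_certs pruned.pem) certs"
report "today, old root trusted, full bundle"   "$SOON"  oldroot.pem bundle.pem
report "later, old root trusted, full bundle"   "$LATER" oldroot.pem bundle.pem
report "later, new root trusted, pruned bundle" "$LATER" newroot.pem pruned.pem
```

Run it as `sh demo.sh`; it needs only openssl (1.1.1 or later), awk and mktemp. The case the script does not print is the instructive one: a client that trusts the new root but is still offered the unpruned bundle. Newer OpenSSL releases look in the trusted store first at every step of chain building and verify fine, while the older releases Craig describes follow the offered cross-certificate up to the expired old root and fail, which is why deleting the expired certificates from the bundle cured them.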
Hi,

I finally got my module in these Covid times (took 2 shipments and almost 3 months) and got it set up for the first time and after I got logged in via ssh, I also got the new certificate installed after a few minutes of orienting myself with the file system commands.

It might be worth mentioning that the “trustedca” directory doesn’t actually exist by default. So basically, you need to do:

    OVMS# vfs mkdir /store/trustedca

and then from a laptop terminal prompt:

    scp -c aes128-cbc usertrust.crt ovms@192.168.4.1:/store/trustedca/usertrust.crt

I’m not sure if the cipher needs to be specified and the module seemed to need a reboot to read the certificate, but I then finally did get a connection. There was still some noise from mongoose about SSL, but it didn’t seem to affect the v2 server connection.

Overall, it was pretty easy to set up and much more transparent than my old V2 module. I guess I should start looking at the Volt/Ampere code to see if this pre-heat option is real and app accessible.

Yada, yada,
Shaun (via the iPad thingamajigg)
On 31 May 2020, at 02:45, Mark Webb-Johnson <mark@webb-johnson.net> wrote:
[Mark’s announcement above, quoted in full, with usertrust.crt attached]
_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev
Mark,

It appears that my email host, imap.sonic.net, was bit by the same AddTrust root CA certificate expiration. My email application just complained.

-- Steve

On Sun, 31 May 2020, Mark Webb-Johnson wrote:
[Mark’s announcement above, quoted in full]
participants (4)
- Craig Leres
- Mark Webb-Johnson
- Shaun Jurrens
- Stephen Casner