Bug #5259
sysmoBTS: fix ca-certificates (closed, 100% done)
Description
Since the Let's Encrypt Root CA expiry fiasco, a sysmobts is unable to use https, not least to access the sysmocom repos.
This script will disable the X3 cert and add the new LE root.
#!/bin/bash
# nothing to do if the new root is already listed in the conf
grep isrgrootx1.pem /etc/ca-certificates.conf && exit
# fetch the new Let's Encrypt root; TLS verification is exactly what is broken,
# hence --no-check-certificate (the download itself is therefore unauthenticated)
wget -q --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/share/ca-certificates/isrgrootx1.pem
# enable the new root by inserting its entry before AffirmTrust_Commercial
sed -i '/^mozilla\/AffirmTrust_Commercial.crt/i isrgrootx1.pem' /etc/ca-certificates.conf
# disable the expired DST Root CA X3 by prefixing its entry with '!'
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
update-ca-certificates
Maybe we can also somehow update the yocto/poky opkg package "ca-certificates"?
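As an added example (not the ticket's own script): a POSIX sh helper that audits a ca-certificates.conf for the two conditions this ticket turns on, the expired DST Root CA X3 entry disabled and ISRG Root X1 enabled, and applies the repair idempotently to a constructed sample conf. It appends the ISRG entry rather than inserting it before AffirmTrust, since line order in the conf does not matter to update-ca-certificates; downloading the PEM and running update-ca-certificates are left to the caller.

```shell
#!/bin/sh
# Added example, not from the ticket: audit and repair a ca-certificates.conf
# so that the expired DST Root CA X3 is disabled and ISRG Root X1 is enabled.
# Format assumed (Debian/OE ca-certificates): one relative .crt path per line,
# a leading '!' meaning "listed but not trusted", '#' starting a comment.

# Write a constructed sample conf (not a real device file) to the given path.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/ca-certificates.conf
mozilla/AffirmTrust_Commercial.crt
mozilla/DST_Root_CA_X3.crt
mozilla/DigiCert_Global_Root_CA.crt
EOF
}

# Report what is wrong with the conf; return 0 only if nothing is.
# The ISRG root may be present either as the hand-downloaded isrgrootx1.pem
# (the ticket's script) or as mozilla/ISRG_Root_X1.crt (newer packages).
audit_ca_conf() {
    conf="$1"; rc=0
    if grep -q '^mozilla/DST_Root_CA_X3\.crt$' "$conf"; then
        echo "expired DST Root CA X3 is still trusted"; rc=1
    fi
    if ! grep -Eq '^(mozilla/ISRG_Root_X1\.crt|isrgrootx1\.pem)$' "$conf"; then
        echo "ISRG Root X1 is not enabled"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# Idempotent repair: prefix the X3 entry with '!' and enable the ISRG root
# (default name isrgrootx1.pem, as downloaded by the ticket's script).
# The caller must make sure the PEM exists and run update-ca-certificates.
fix_ca_conf() {
    conf="$1"; pem="${2:-isrgrootx1.pem}"
    sed '/^mozilla\/DST_Root_CA_X3\.crt$/s/^/!/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -qxF -- "$pem" "$conf" || printf '%s\n' "$pem" >> "$conf"
}

# Demo on the constructed sample: audit, repair, audit again.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
audit_ca_conf "$demo_conf" || fix_ca_conf "$demo_conf"
audit_ca_conf "$demo_conf"
rm -f "$demo_conf"
```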
Files
Updated by laforge over 2 years ago
- Status changed from New to In Progress
- Assignee changed from 4368 to laforge
- % Done changed from 0 to 20
tried to resolve it for 201705-nightly in:
commit 8d3ccdf0eb5c555684287f4fb51bba51dc2ed4f3
Author: Harald Welte <laforge@osmocom.org>
Date:   Tue Oct 12 21:13:03 2021 +0200

    ca-certificates: Migrate from DST_X3 to ISRG_X1

    Closes: OS#5259
https://git.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/commit/8d3ccdf0eb5c555684287f4fb51bba51dc2ed4f3
let's see if that works and then introduce the change to 201705 next.
Updated by laforge over 2 years ago
It seems like adding the new cert to a package is insufficient, we also need to remove
the expired one from the ca-certificates package.
I'm currently doing a local build of OE with a new ca-certificates package from 2021, hoping
this will fix it.
Updated by laforge over 2 years ago
- File sysmocom-nitb-image-sysmobts-v2-20211014074622.rootfs.ubi added
- Status changed from In Progress to Feedback
- Assignee changed from laforge to keith
- Priority changed from Low to High
- % Done changed from 20 to 70
please test the attached image if it resolves the problem. thanks!
Updated by keith over 2 years ago
Unfortunately on booting the test image we still get:
root@sysmobts-v2:/etc# opkg update
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/all/Packages.gz.
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/armv5te/Packages.gz.
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/sysmobts_v2/Packages.gz.
Collected errors:
 * opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/all/Packages.gz, wget returned 5.
 * opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/armv5te/Packages.gz, wget returned 5.
 * opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/sysmobts_v2/Packages.gz, wget returned 5.
root@sysmobts-v2:/etc# wget -O - https://autoupdate:***@feeds.sysmocom.de/
--2021-10-19 19:58:03--  https://autoupdate:*password*@feeds.sysmocom.de/
Resolving feeds.sysmocom.de... 136.243.0.173, 2a01:4f8:211:1a1e::2
Connecting to feeds.sysmocom.de|136.243.0.173|:443... connected.
ERROR: The certificate of 'feeds.sysmocom.de' is not trusted.
ERROR: The certificate of 'feeds.sysmocom.de' has expired.
root@sysmobts-v2:/etc# date
Tue Oct 19 19:58:08 UTC 2021
root@sysmobts-v2:/etc# grep X3 ca-certificates.conf
mozilla/DST_Root_CA_X3.crt
root@sysmobts-v2:/etc# sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && update-ca-certificates -f
Clearing symlinks in /etc/ssl/certs... done.
Updating certificates in /etc/ssl/certs... openssl:Error: 'rehash' is an invalid command.
[Hmm. Another issue? ..openssl help output removed...]
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d... done.
root@sysmobts-v2:/etc# wget -O - https://autoupdate:***@feeds.sysmocom.de/
--2021-10-19 20:00:38--  https://autoupdate:*password*@feeds.sysmocom.de/
Resolving feeds.sysmocom.de... 136.243.0.173, 2a01:4f8:211:1a1e::2
Connecting to feeds.sysmocom.de|136.243.0.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 219 [text/html]
Saving to: 'STDOUT'
[...]
2021-10-19 20:00:40 (8.87 MB/s) - written to stdout [219/219]
Updated by laforge over 2 years ago
- Status changed from Feedback to New
- Assignee changed from keith to osmith
- % Done changed from 70 to 50
assigning to osmith for further investigation and hopefully resolution
Updated by osmith over 2 years ago
- % Done changed from 50 to 60
I've flashed the test image and was able to reproduce what keith reported above.
Installed cert packages:
# opkg list | grep cert
ca-cacert-rootcert - 1.0-r7.0
ca-certificates - 20210119-r0.1
- ca-cacert-rootcert - 1.0-r7.0: looks like the expected version based on Harald's patch above
- ca-certificates - 20210119-r0.1: this is weird, why is it not "20120623", from here? Does it get installed from another repository?
DST_Root_CA_X3.crt is not in ca-cacert-rootcert (as expected with Harald's patch):
root@sysmobts-v2:~# opkg files ca-cacert-rootcert
Package ca-cacert-rootcert (1.0-r7.0) is installed on root and has the following files:
/usr/lib/ssl/certs/4042bcee.0
/usr/lib/ssl/certs/cacert.org.pem
/usr/lib/ssl/certs/99d0fa06.0
/usr/lib/ssl/certs/ISRG_Root_X1.pem
/usr/lib/ssl/certs/
/usr/lib/ssl/certs/e5662767.0
/usr/lib/ssl/certs/5ed36f99.0
/usr/lib/ssl/
DST_Root_CA_X3.crt is in the ca-certificates package:
root@sysmobts-v2:~# opkg files ca-certificates | grep DST
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
root@sysmobts-v2:~# opkg search /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
ca-certificates - 20210119-r0.1
The ca-certificates.conf is in ca-certificates, too:
opkg search /etc/ca-certificates.conf
ca-certificates - 20210119-r0.1
laforge: do you know where the ca-certificates "20210119-r0.1" package comes from? The description from your uploaded image is "test build image with ca-certificates package 20210119", maybe you did another test commit that bumped the ca-certificates version? If so, we probably only need to adjust the package recipe in meta-sysmocom-bsp.git to drop that certificate too.
Updated by laforge over 2 years ago
- File 0001-upgrade-ca-certificates-to-latest-version.patch added
- Status changed from New to In Progress
The updated ca-certificates package is from the attached patch, which I backported from upstream OE.
Updated by osmith over 2 years ago
- % Done changed from 60 to 90
Meanwhile upstream has updated the package to a new version, from 2021-01-19 -> 2021-10-16:
https://lists.openembedded.org/g/openembedded-core/message/157722
This contains the following commit, which explicitly blacklists "DST Root CA X3":
https://salsa.debian.org/debian/ca-certificates/-/commit/5b83fd984706ea03101dbb011846e60364c3a149
When running make in ca-certificates.git current master (the commit that's packaged in OE 2021-10-16), it says:
Certificate "DST Root CA X3" blacklisted, ignoring.
So it should work now when backporting this version.
laforge: please review: https://gitea.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/pulls/2
Note that I didn't try to build this; I just copied the files from the upstream repository (hardknott branch), assuming that it should then build in our OE image too.
Updated by osmith over 2 years ago
- File deleted (sysmocom-nitb-image-sysmobts-v2-20211014074622.rootfs.ubi)
Updated by laforge over 2 years ago
osmith wrote in #note-8:
laforge: please review: https://gitea.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/pulls/2
thanks, merged. I'll do a manual build right now in a private environment.
Updated by laforge over 2 years ago
- File sysmocom-nitb-image-sysmobts-v2-20211105115934.rootfs.ubi added
updated build attached for testing
Updated by osmith over 2 years ago
happy to report that it's fixed in this test image :)
Updated by osmith over 2 years ago
- File deleted (sysmocom-nitb-image-sysmobts-v2-20211105115934.rootfs.ubi)
Updated by osmith over 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100