Open Source Mobile Communications (https://osmocom.org/), feed updated 2021-10-12T19:17:21Z
OsmoBTS - Bug #5259: sysmoBTS: fix ca-certificates
Update https://osmocom.org/issues/5259?journal_id=22683 (2021-10-12T19:17:21Z, laforge):
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>Assignee</strong> changed from <i>4368</i> to <i>laforge</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>20</i></li></ul><p>tried to resolve it for 201705-nightly in:<br /><pre>
commit 8d3ccdf0eb5c555684287f4fb51bba51dc2ed4f3
Author: Harald Welte <laforge@osmocom.org>
Date: Tue Oct 12 21:13:03 2021 +0200
ca-certificates: Migrate from DST_X3 to ISRG_X1
Closes: OS#5259
</pre><br /><a class="external" href="https://git.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/commit/8d3ccdf0eb5c555684287f4fb51bba51dc2ed4f3">https://git.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/commit/8d3ccdf0eb5c555684287f4fb51bba51dc2ed4f3</a></p>
<p>let's see if that works and then introduce the change to 201705 next.</p>
Update https://osmocom.org/issues/5259?journal_id=22703 (2021-10-14T07:50:25Z, laforge):
<ul></ul><p>It seems like adding the new cert to a package is insufficient, we also need to remove<br />the expired one from the ca-certificates package.</p>
<p>I'm currently doing a local build of OE with a new ca-certificates package from 2021, hoping<br />this will fix it.</p>
Update https://osmocom.org/issues/5259?journal_id=22705 (2021-10-14T08:10:54Z, laforge):
<ul><li><strong>File</strong> <i>sysmocom-nitb-image-sysmobts-v2-20211014074622.rootfs.ubi</i> added</li><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>Assignee</strong> changed from <i>laforge</i> to <i>keith</i></li><li><strong>Priority</strong> changed from <i>Low</i> to <i>High</i></li><li><strong>% Done</strong> changed from <i>20</i> to <i>70</i></li></ul><p>please test the attached image if it resolves the problem. thanks!</p>
Update https://osmocom.org/issues/5259?journal_id=22781 (2021-10-19T20:04:55Z, keith):
<ul></ul><p>Unfortunately on booting the test image we still get:</p>
<pre>
root@sysmobts-v2:/etc# opkg update
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/all/Packages.gz.
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/armv5te/Packages.gz.
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/sysmobts_v2/Packages.gz.
Collected errors:
* opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/all/Packages.gz, wget returned 5.
* opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/armv5te/Packages.gz, wget returned 5.
* opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/sysmobts_v2/Packages.gz, wget returned 5.
root@sysmobts-v2:/etc# wget -O - https://autoupdate:***@feeds.sysmocom.de/
--2021-10-19 19:58:03-- https://autoupdate:*password*@feeds.sysmocom.de/
Resolving feeds.sysmocom.de... 136.243.0.173, 2a01:4f8:211:1a1e::2
Connecting to feeds.sysmocom.de|136.243.0.173|:443... connected.
ERROR: The certificate of 'feeds.sysmocom.de' is not trusted.
ERROR: The certificate of 'feeds.sysmocom.de' has expired.
root@sysmobts-v2:/etc# date
Tue Oct 19 19:58:08 UTC 2021
root@sysmobts-v2:/etc# grep X3 ca-certificates.conf
mozilla/DST_Root_CA_X3.crt
root@sysmobts-v2:/etc# sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && update-ca-certificates -f
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
openssl:Error: 'rehash' is an invalid command. [Hmm. Another issue? ..openssl help output removed...]
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@sysmobts-v2:/etc# wget -O - https://autoupdate:***@feeds.sysmocom.de/
--2021-10-19 20:00:38-- https://autoupdate:*password*@feeds.sysmocom.de/
Resolving feeds.sysmocom.de... 136.243.0.173, 2a01:4f8:211:1a1e::2
Connecting to feeds.sysmocom.de|136.243.0.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 219 [text/html]
Saving to: 'STDOUT'
[...]
2021-10-19 20:00:40 (8.87 MB/s) - written to stdout [219/219]
</pre>
Update https://osmocom.org/issues/5259?journal_id=22880 (2021-11-02T16:15:08Z, laforge):
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>New</i></li><li><strong>Assignee</strong> changed from <i>keith</i> to <i>osmith</i></li><li><strong>% Done</strong> changed from <i>70</i> to <i>50</i></li></ul><p>assigning to <a class="user active" href="https://osmocom.org/users/301771">osmith</a> for further investigation and hopefully resolution</p>
Update https://osmocom.org/issues/5259?journal_id=22892 (2021-11-04T15:36:43Z, osmith):
<ul><li><strong>% Done</strong> changed from <i>50</i> to <i>60</i></li></ul><p>I've flashed the test image and was able to reproduce what keith reported above.</p>
<p>Installed cert packages:<br /><pre>
# opkg list | grep cert
ca-cacert-rootcert - 1.0-r7.0
ca-certificates - 20210119-r0.1
</pre></p>
<ul>
<li>ca-cacert-rootcert - 1.0-r7.0: looks like the expected version based on Harald's patch above</li>
<li>ca-certificates - 20210119-r0.1: this is weird, why is it not "20120623", from <a href="https://git.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/src/branch/laforge/nightly/recipes-extra/ca-certificates/ca-certificates_20120623.bb" class="external">here</a>? Does it get installed from another repository?</li>
</ul>
<p>DST_Root_CA_X3.crt is not in ca-cacert-rootcert (as expected with Harald's patch):<br /><pre>
root@sysmobts-v2:~# opkg files ca-cacert-rootcert
Package ca-cacert-rootcert (1.0-r7.0) is installed on root and has the following files:
/usr/lib/ssl/certs/4042bcee.0
/usr/lib/ssl/certs/cacert.org.pem
/usr/lib/ssl/certs/99d0fa06.0
/usr/lib/ssl/certs/ISRG_Root_X1.pem
/usr/lib/ssl/certs/
/usr/lib/ssl/certs/e5662767.0
/usr/lib/ssl/certs/5ed36f99.0
/usr/lib/ssl/
</pre></p>
<p>DST_Root_CA_X3.crt is in the <em>ca-certificates</em> package:<br /><pre>
root@sysmobts-v2:~# opkg files ca-certificates | grep DST
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
root@sysmobts-v2:~# opkg search /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
ca-certificates - 20210119-r0.1
</pre></p>
<p>The ca-certificates.conf is in ca-certificates, too:<br /><pre>
opkg search /etc/ca-certificates.conf
ca-certificates - 20210119-r0.1
</pre></p>
<p><a class="user active" href="https://osmocom.org/users/7">laforge</a>: do you know where the ca-certificates "20210119-r0.1" package comes from? The description from your uploaded image is "test build image with ca-certificates package 20210119", maybe you did another test commit that bumped the ca-certificates version? If so, we probably only need to adjust the package recipe in meta-sysmocom-bsp.git to drop that certificate too.</p> OsmoBTS - Bug #5259: sysmoBTS: fix ca-certificateshttps://osmocom.org/issues/5259?journal_id=229042021-11-05T10:00:51Zlaforge
<ul><li><strong>File</strong> <a href="/attachments/4730">0001-upgrade-ca-certificates-to-latest-version.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/4730/0001-upgrade-ca-certificates-to-latest-version.patch">0001-upgrade-ca-certificates-to-latest-version.patch</a> added</li><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>The updated ca-certificates package is from the attached patch which I backported from upstream OE</p> OsmoBTS - Bug #5259: sysmoBTS: fix ca-certificateshttps://osmocom.org/issues/5259?journal_id=229062021-11-05T11:45:08Zosmith
<ul><li><strong>% Done</strong> changed from <i>60</i> to <i>90</i></li></ul><p>Meanwhile upstream has updated the package to a new version, from 2021-01-19 -> 2021-10-16:<br /><a class="external" href="https://lists.openembedded.org/g/openembedded-core/message/157722">https://lists.openembedded.org/g/openembedded-core/message/157722</a></p>
<p>This contains the following commit, which explicitly blacklists "DST Root CA X3":<br /><a class="external" href="https://salsa.debian.org/debian/ca-certificates/-/commit/5b83fd984706ea03101dbb011846e60364c3a149">https://salsa.debian.org/debian/ca-certificates/-/commit/5b83fd984706ea03101dbb011846e60364c3a149</a></p>
<p>When running make in ca-certificates.git current master (the commit that's packaged in OE 2021-10-16), it says:</p>
<blockquote>
<p>Certificate "DST Root CA X3" blacklisted, ignoring.</p>
</blockquote>
<p>So it should work now when backporting this version.</p>
<p><a class="user active" href="https://osmocom.org/users/7">laforge</a>: please review: <a class="external" href="https://gitea.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/pulls/2">https://gitea.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/pulls/2</a></p>
<p>Note that I didn't try to build this, I just copied the files from the upstream repository, hardknott branch assuming that it should then build in our OE image too.</p>
Update https://osmocom.org/issues/5259?journal_id=22907 (2021-11-05T11:49:19Z, osmith):
<ul><li><strong>File</strong> deleted (<del><i>sysmocom-nitb-image-sysmobts-v2-20211014074622.rootfs.ubi</i></del>)</li></ul>
Update https://osmocom.org/issues/5259?journal_id=22908 (2021-11-05T11:50:40Z, laforge):
<ul></ul><p>osmith wrote in <a href="#note-8">#note-8</a>:</p>
<blockquote>
<p><a class="user active" href="https://osmocom.org/users/7">laforge</a>: please review: <a class="external" href="https://gitea.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/pulls/2">https://gitea.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/pulls/2</a></p>
</blockquote>
<p>thanks, merged. I'll do a manual build right now in a private environment</p>
Update https://osmocom.org/issues/5259?journal_id=22909 (2021-11-05T12:27:33Z, laforge):
<ul><li><strong>File</strong> <i>sysmocom-nitb-image-sysmobts-v2-20211105115934.rootfs.ubi</i> added</li></ul><p>updated build attached for testing</p>
<p>attachment:sysmocom-nitb-image-sysmobts-v2-20211105115934.rootfs.ubi</p>
Update https://osmocom.org/issues/5259?journal_id=22910 (2021-11-05T12:48:32Z, osmith):
<ul></ul><p>happy to report that it's fixed in this test image :)</p>
Update https://osmocom.org/issues/5259?journal_id=22911 (2021-11-05T12:53:10Z, osmith):
<ul><li><strong>File</strong> deleted (<del><i>sysmocom-nitb-image-sysmobts-v2-20211105115934.rootfs.ubi</i></del>)</li></ul>
Update https://osmocom.org/issues/5259?journal_id=22912 (2021-11-05T12:53:20Z, osmith):
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>100</i></li></ul>
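The manual workaround keith applied above (prefixing the DST_Root_CA_X3 entry in ca-certificates.conf with "!" and re-running update-ca-certificates) can be turned into an audit that finds every enabled root already expired at the BTS's clock. The following is an added example and not code from this ticket, from OE or from meta-sysmocom-bsp: it pulls notAfter out of each certificate's DER with a minimal parser (UTCTime and GeneralizedTime), flags expired entries, and disables them the way ca-certificates.conf expects. CONF, CERTS, sample_cert and the notAfter dates are constructed samples, not the real CA certificates.

```python
import datetime as dt

def der_tlv(data, pos=0):
    """Decode one DER element: returns (tag, value, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs use this)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split the payload of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_not_after(cert_der):
    """Certificate -> tbsCertificate -> validity.notAfter, as an aware UTC datetime."""
    tbs = der_children(der_tlv(cert_der)[1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:               # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    tag, raw = der_children(fields[3][1])[1]   # serial, sigalg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def expired_entries(conf_text, cert_files, now):
    """Enabled ca-certificates.conf entries whose certificate has already expired."""
    return [l.strip() for l in conf_text.splitlines()
            if l.strip() and l[0] not in "#!"         # '!' = disabled, '#' = comment
            and l.strip() in cert_files and cert_not_after(cert_files[l.strip()]) < now]

def disable_entries(conf_text, names):
    """Prefix entries with '!', which update-ca-certificates reads as 'do not trust'."""
    return "".join(("!" if l.strip() in names else "") + l + "\n" for l in conf_text.splitlines())

def _der(tag, payload):                    # short-form lengths only; enough for the sample
    return bytes([tag, len(payload)]) + payload
def sample_cert(not_after):
    """Constructed, unsigned cert-shaped DER so the example runs offline (not a real CA cert)."""
    validity = _der(0x30, _der(0x17, b"000101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity
    return _der(0x30, _der(0x30, tbs))

CONF = "mozilla/DST_Root_CA_X3.crt\nmozilla/ISRG_Root_X1.crt\n"   # constructed conf excerpt
CERTS = {name: sample_cert(exp) for name, exp in [   # constructed sample notAfter values
    ("mozilla/DST_Root_CA_X3.crt", "210930140115Z"), ("mozilla/ISRG_Root_X1.crt", "350604110438Z")]}
NOW = dt.datetime(2021, 10, 19, 19, 58, 8, tzinfo=dt.timezone.utc)  # the BTS clock shown above
```

On a real sysmoBTS the conf entries are paths under /usr/share/ca-certificates, and after rewriting /etc/ca-certificates.conf the symlinks in /etc/ssl/certs only change once update-ca-certificates runs, as in keith's session.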