Bug #5259

sysmoBTS: fix ca-certificates

Added by keith 14 days ago. Updated 7 days ago.

Status: Feedback
Priority: High
Assignee:
Category: -
Target version: -
Start date: 10/12/2021
Due date:
% Done: 70%
Spec Reference:

Description

Since the Let's Encrypt Root CA expiry fiasco a sysmobts is unable to use https, not least to access the sysmocom repos.

This script will disable the X3 cert and add the new LE root.

#!/bin/bash

# already migrated: the new root is listed in the config, nothing to do
grep isrgrootx1.pem /etc/ca-certificates.conf && exit

# fetch ISRG Root X1; certificate checking is off because the device cannot
# validate any Let's Encrypt chain until this root has been installed
wget -q --no-check-certificate https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/share/ca-certificates/isrgrootx1.pem
# list the new root, then mark the expired DST Root CA X3 as untrusted (leading '!')
sed -i '/^mozilla\/AffirmTrust_Commercial.crt/i isrgrootx1.pem' /etc/ca-certificates.conf
sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf
# rebuild the /etc/ssl/certs symlinks and bundle from the updated list
update-ca-certificates

Maybe we can also somehow update the yocto/poky opkg package "ca-certificates"?

Attachment: sysmocom-nitb-image-sysmobts-v2-20211014074622.rootfs.ubi (36.4 MB) - test build image with ca-certificates package 20210119 - laforge, 10/14/2021 08:10 AM

History

#1 Updated by laforge 14 days ago

  • Status changed from New to In Progress
  • Assignee changed from sysmocom to laforge
  • % Done changed from 0 to 20

tried to resolve it for 201705-nightly in:

commit 8d3ccdf0eb5c555684287f4fb51bba51dc2ed4f3
Author: Harald Welte <laforge@osmocom.org>
Date:   Tue Oct 12 21:13:03 2021 +0200

    ca-certificates: Migrate from DST_X3 to ISRG_X1

    Closes: OS#5259

https://git.sysmocom.de/sysmo-bts/meta-sysmocom-bsp/commit/8d3ccdf0eb5c555684287f4fb51bba51dc2ed4f3

let's see if that works and then introduce the change to 201705 next.

#2 Updated by laforge 13 days ago

It seems like adding the new cert to a package is insufficient, we also need to remove
the expired one from the ca-certificates package.

I'm currently doing a local build of OE with a new ca-certificates package from 2021, hoping
this will fix it.

#3 Updated by laforge 13 days ago

please test the attached image if it resolves the problem. thanks!

#4 Updated by keith 7 days ago

Unfortunately on booting the test image we still get:

root@sysmobts-v2:/etc# opkg update
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/all/Packages.gz.
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/armv5te/Packages.gz.
Downloading https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/sysmobts_v2/Packages.gz.
Collected errors:
 * opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/all/Packages.gz, wget returned 5.
 * opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/armv5te/Packages.gz, wget returned 5.
 * opkg_download_backend: Failed to download https://autoupdate:***@feeds.sysmocom.de/generic/sysmobts/201705/ipk/sysmobts_v2/Packages.gz, wget returned 5.

root@sysmobts-v2:/etc# wget -O - https://autoupdate:***@feeds.sysmocom.de/
--2021-10-19 19:58:03--  https://autoupdate:*password*@feeds.sysmocom.de/
Resolving feeds.sysmocom.de... 136.243.0.173, 2a01:4f8:211:1a1e::2
Connecting to feeds.sysmocom.de|136.243.0.173|:443... connected.
ERROR: The certificate of 'feeds.sysmocom.de' is not trusted.
ERROR: The certificate of 'feeds.sysmocom.de' has expired.

root@sysmobts-v2:/etc# date
Tue Oct 19 19:58:08 UTC 2021

root@sysmobts-v2:/etc# grep X3 ca-certificates.conf
mozilla/DST_Root_CA_X3.crt

root@sysmobts-v2:/etc# sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && update-ca-certificates -f
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
openssl:Error: 'rehash' is an invalid command. [Hmm. Another issue?  ..openssl help output removed...]

0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

root@sysmobts-v2:/etc# wget -O - https://autoupdate:***@feeds.sysmocom.de/
--2021-10-19 20:00:38--  https://autoupdate:*password*@feeds.sysmocom.de/
Resolving feeds.sysmocom.de... 136.243.0.173, 2a01:4f8:211:1a1e::2
Connecting to feeds.sysmocom.de|136.243.0.173|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 219 [text/html]
Saving to: 'STDOUT'
[...]
2021-10-19 20:00:40 (8.87 MB/s) - written to stdout [219/219]
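
The same ca-certificates.conf edit that the description's script and comment #4 perform, written as an added example (not the ticket's script and not sysmocom code) so that it can be run repeatedly without duplicating or double-marking entries, and so the trust state of each entry can be checked before update-ca-certificates is run. It assumes the Debian-style file format where a leading "!" marks an entry untrusted, and works on a constructed copy of the file rather than /etc/ca-certificates.conf.

```shell
# Added example, not the ticket's script: idempotent migration of a
# Debian-style ca-certificates.conf from DST Root CA X3 to ISRG Root X1.
# Every function takes the config path as $1, so the constructed sample
# at the bottom can be used offline instead of /etc/ca-certificates.conf.

# Rewrite CONF in place via a temp file (portable across sed versions).
_sed_inplace() {            # _sed_inplace CONF SED-EXPRESSION
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# trust_state CONF NAME -> prints active, disabled or absent
trust_state() {
    if grep -qxF "$2" "$1"; then echo active
    elif grep -qxF "!$2" "$1"; then echo disabled
    else echo absent; fi
}

# disable_cert CONF NAME -> prefix the entry with '!' (untrusted);
# no-op if it is already disabled or absent
disable_cert() {
    [ "$(trust_state "$1" "$2")" = active ] || return 0
    _sed_inplace "$1" "\\#^$2\$#s/^/!/"
}

# enable_cert CONF NAME -> re-enable a '!' entry or append a new one;
# never creates a duplicate line
enable_cert() {
    case "$(trust_state "$1" "$2")" in
        active)   return 0 ;;
        disabled) _sed_inplace "$1" "\\#^!$2\$#s/^!//" ;;
        absent)   printf '%s\n' "$2" >> "$1" ;;
    esac
}

# The migration the ticket performs, safe to run repeatedly.
migrate_le_root() {         # migrate_le_root CONF
    disable_cert "$1" "mozilla/DST_Root_CA_X3.crt"
    enable_cert  "$1" "isrgrootx1.pem"
}

# Constructed sample resembling the affected device's config file.
make_sample_conf() {        # make_sample_conf CONF
    cat > "$1" <<'EOF'
# Lines starting with # are comments; a leading ! marks a cert untrusted.
mozilla/AffirmTrust_Commercial.crt
mozilla/DST_Root_CA_X3.crt
mozilla/GlobalSign_Root_CA.crt
EOF
}
```

On a real device, run migrate_le_root against /etc/ca-certificates.conf and then update-ca-certificates, exactly as in the ticket; the example itself does not download the new root, which still has to be placed under /usr/share/ca-certificates/.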
