Use letsencrypt ISRG_Root_X1 certificate instead of R3 #21352
Why do we need 5 certificates? This is a big size increase.
r3 can be removed about 6th of September 2024, as all certificates issued by letsencrypt have a max expiration length of 3 months. According to this picture, only r10 and r11 will be used, but it is not clear whether we really need r>11.
Good catch. Let me check.
@s-hadinger thank you for the hint! It really works. I am updating the merge request.
According to the blog post [1] new intermediate certificates will be deployed. Thus the R3 certificate used now will not allow setting up a secure connection. This root certificate is valid till 2035/06
815db46 to 783ecc4
Hold on, I had second thoughts and I'm surprised it's working at all since we don't have the full cert chain.
The main problem here is that the devices flashed with R3 will probably stop working soon, because the certificate check will fail.
I understand. My initial thought was to validate against Did you actually try replacing CA with
Yes! I checked with ISRG Root X1 on esp8266 and it works! I even changed one random byte to make a negative test, and it failed to connect to the server. So, it works! What I did not check is the tasmota32. But I hope it should work. Also, this change gives about +290 bytes in comparison to the initial build.
Awesome, well done. ESP32 uses exactly the same code so I don't expect any difference.
According to the blog post [1] new intermediate certificates will be deployed on 6th of June, 2024.
[1] https://letsencrypt.org/2024/04/12/changes-to-issuance-chains
Thus the existing R3 will stop working for newly issued certificates. This PR replaces R3 with the ISRG root one, which should work till 2035.
This change adds about 288 bytes to the final build.
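The trust-anchor behaviour discussed in this thread, reproduced with the `openssl` CLI as an added example (not code from this PR or from Tasmota). It uses a constructed lab PKI in which `root` stands in for ISRG Root X1 and `r3`/`r10` for the old and new intermediates, and it assumes the server presents its intermediate in the TLS handshake.

```shell
#!/bin/sh
# Constructed lab PKI, not Let's Encrypt's real certificates: "root" stands in for
# ISRG Root X1, "r3" / "r10" for the old and new intermediates (all names made up).

issue() {  # issue <name> <signer|self> <extfile>: key + certificate in the current dir
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=Lab $1" 2>/dev/null || return 1
    if [ "$2" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
            -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
    fi
}

build_lab_pki() {  # build_lab_pki <dir>
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\n' > leaf.ext
      issue root self ca.ext && issue other_root self ca.ext &&
      issue r3 root ca.ext && issue r10 root ca.ext &&
      issue leaf_old r3 leaf.ext && issue leaf_new r10 leaf.ext )
}

pin_accepts() {  # pin_accepts <dir> <pinned CA> <intermediate sent by server> <leaf>
    # The pin is the only trust anchor (-CAfile). The intermediate is -untrusted: the
    # server merely presents it. -partial_chain lets a non-root pin such as r3 anchor.
    ( cd "$1" && openssl verify -partial_chain -CAfile "$2.pem" \
          -untrusted "$3.pem" "$4.pem" >/dev/null 2>&1 )
}

LAB=$(mktemp -d) && build_lab_pki "$LAB" || echo "lab PKI setup failed (is openssl installed?)"
for c in "r3 r3 leaf_old" "r3 r10 leaf_new" "root r3 leaf_old" \
         "root r10 leaf_new" "other_root r10 leaf_new"; do
    set -- $c
    if pin_accepts "$LAB" "$@"; then verdict=accept; else verdict=reject; fi
    echo "pin=$1 server_sends=$2 leaf=$3 -> $verdict"
done
```

Pinning the intermediate rejects the leaf issued by the new intermediate, while pinning the root accepts leaves from both; the unrelated `other_root` pin is the negative control.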