Daily certificate updates

Forum about the Toon firmware, and its extensions

Moderators: marcelr, TheHogNL, Toonz

hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Daily certificate updates

Post by hvxl »

For about a week now, my Toon tells me every day: "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub". Checking /etc/ssl/certs/ca-certificates.crt, I see that the file gets a new timestamp every day, but the contents stay exactly the same (md5sum d13ca17805cee62ca0a5c6ceab1679e7).

The message seems to be triggered by the changed timestamp, but changing it back doesn't make the message disappear. I haven't found a way to get rid of the message, other than restarting the GUI. But the next day it pops up again. Having to restart the Toon every day gets a bit annoying.

So my question is: Why do I get a fresh copy of the same ca-certificates.crt file every day? Was something changed on the server that may prevent the update process from determining that no update is necessary?
Schelte
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Daily certificate updates

Post by TheHogNL »

hvxl wrote: For about a week now, my Toon tells me every day: "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub". Checking /etc/ssl/certs/ca-certificates.crt, I see that the file gets a new timestamp every day, but the contents stay exactly the same (md5sum d13ca17805cee62ca0a5c6ceab1679e7).

The message seems to be triggered by the changed timestamp, but changing it back doesn't make the message disappear. I haven't found a way to get rid of the message, other than restarting the GUI. But the next day it pops up again. Having to restart the Toon every day gets a bit annoying.

So my question is: Why do I get a fresh copy of the same ca-certificates.crt file every day? Was something changed on the server that may prevent the update process from determining that no update is necessary?
Last week we needed to add an intermediate certificate for the NLAlert app to keep working. See the modifications here: https://github.com/ToonSoftwareCollecti ... master/tsc
I'll check if there is something wrong with the logic which checks if an update is needed. You are the first one noticing this though.

And could you check /var/log/tsc ?
Member of the Toon Software Collective
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Daily certificate updates

Post by TheHogNL »

Nothing wrong with the download routine. I did add some sanity checks on whether the download was OK and the openssl conversion went OK, in a tsc script version just released.

However, something is not working on your Toon. Please share the /var/log/tsc file.
Member of the Toon Software Collective
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Daily certificate updates

Post by hvxl »

I didn't get a new ca-certificates.crt file yesterday.

This is /var/log/tsc (dated Oct 7 19:26 UTC, exactly the time of day I used to get a new ca-certificates.crt file):

Code:

Starting TSC support script (version 2.16)
Running 5.0.4 on a qb2
Allowing SSH in firewall rules INPUT table
Checking for updates
Running 5.0.4 on a qb2
Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Download failed. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
tar: can't open 'mobile.tar.gz': No such file or directory
There is no Staat der Nederlanden Domein Server CA 2020 certificate in ca-certificates.crt.
Schelte
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Daily certificate updates

Post by TheHogNL »

hvxl wrote: I didn't get a new ca-certificates.crt file yesterday.

This is /var/log/tsc (dated Oct 7 19:26 UTC, exactly the time of day I used to get a new ca-certificates.crt file):

Code:

Starting TSC support script (version 2.16)
Running 5.0.4 on a qb2
Allowing SSH in firewall rules INPUT table
Checking for updates
Running 5.0.4 on a qb2
Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Download failed. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
tar: can't open 'mobile.tar.gz': No such file or directory
There is no Staat der Nederlanden Domein Server CA 2020 certificate in ca-certificates.crt.
Could you try:

Code:

/usr/bin/curl -Nks https://cert.pkioverheid.nl/DomeinServerCA2020.cer -o /tmp/DomeinServerCA2020.cer
This seems to fail for some reason.

I guess something is wrong with your /tmp directory, as the mobile.tar.gz, which also gets downloaded to tmp first, isn't working either.
Member of the Toon Software Collective
Toonz
Forum Moderator
Posts: 1873
Joined: Mon Dec 19, 2016 1:58 pm

Re: Daily certificate updates

Post by Toonz »

Sometimes the symlink of /tmp is broken. I have seen that before on a few occasions. It should refer to the /var/volatile/tmp folder.
member of the Toon Software Collective
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Daily certificate updates

Post by TheHogNL »

@hvxl can you confirm broken symlink on /tmp ?
Member of the Toon Software Collective
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Daily certificate updates

Post by hvxl »

Sorry for the slow response. For some reason I'm not being notified of updates in this topic, even though I subscribed.

Code:

toon:~# ls -l /tmp
lrwxrwxrwx    1 root     root             8 Mar  2  2016 /tmp -> /var/tmp
toon:~# ls -l /var/tmp
lrwxrwxrwx    1 root     root            12 Mar  2  2016 /var/tmp -> volatile/tmp
toon:~# /usr/bin/curl -Nks https://cert.pkioverheid.nl/DomeinServerCA2020.cer -o  /tmp/DomeinServerCA2020.cer
toon:~# echo $?
35
Schelte
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Daily certificate updates

Post by hvxl »

O, hang on. My toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?
Schelte
Toonz
Forum Moderator
Posts: 1873
Joined: Mon Dec 19, 2016 1:58 pm

Re: Daily certificate updates

Post by Toonz »

hvxl wrote: O, hang on. My toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?
https://api.github.com/.....
member of the Toon Software Collective
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Daily certificate updates

Post by hvxl »

I have allowed that too. Now wait and see what it does today at 21:26.
Schelte
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Daily certificate updates

Post by TheHogNL »

hvxl wrote: O, hang on. My toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?
:D
Member of the Toon Software Collective
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: Daily certificate updates

Post by hvxl »

Well, that still didn't work. Turns out that api.github.com redirects to codeload.github.com, which was still blocked. So I just allowed all of github.com.

But waiting a day for each try makes progress very slow. So I investigated a bit and found that all of this is done by the /usr/bin/tsc script (not a big surprise in hindsight). That script gets started from inittab with the "respawn" action. That means I can just kill the running instance and it will automatically restart.

After a `killall tsc`, /var/log/tsc showed:

Code:

Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
/usr/local/share/ca-certificates/DomeinServerCA2020.crt: No such file or directory
Openssl DER to PEM failed for intermediate certificate. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
Installed toon mobile web app...
That's one step closer. But there's still a problem with the certificate. That one was easily found. No directory /usr/local existed, let alone /usr/local/share/ca-certificates. After creating that (mkdir -p /usr/local/share/ca-certificates) and another `killall tsc`, /var/log/tsc said:

Code:

Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Of course, toon once again displayed the "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub" banner. But now the certificates were actually updated.
Schelte
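The thread ends up touching four separate failure points: a /tmp symlink that may not resolve (Toonz's post), a curl that exits with status 35 behind an egress firewall (hvxl's terminal output), a missing /usr/local/share/ca-certificates directory, and a bundle that gets rewritten (new timestamp, "Restart GUI" banner) even when nothing changed, which was hvxl's original question. The script below is an added example written for this thread, not the TSC project's /usr/bin/tsc. It runs entirely in a scratch directory on constructed PEM data (base64 of plain text, not real certificates); the directory layout under the scratch dir, the function names and the file names are hypothetical stand-ins for the Toon's real paths. On a real system the bundle is rebuilt by update-ca-certificates, as the log above shows; here that step is simulated by appending to the constructed bundle. Curl exit status 35 is its "SSL connect error" code.

```shell
#!/bin/sh
# Added example for this thread, not the TSC project's script.
# Paths, names and certificate data below are constructed/hypothetical.

# Return 0 if $1 resolves (through any symlink chain, e.g. /tmp -> /var/tmp ->
# volatile/tmp on the Toon) to a writable directory.
check_tmp() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ -n "$target" ] && [ -d "$target" ] && [ -w "$target" ]
}

# Translate the curl exit codes most likely behind "Download failed".
explain_curl_status() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "could not resolve host" ;;
        7)  echo "failed to connect (blocked or unreachable)" ;;
        28) echo "timeout" ;;
        35) echo "SSL connect error" ;;
        60) echo "peer certificate could not be authenticated" ;;
        *)  echo "curl exit status $1" ;;
    esac
}

# Download a DER certificate and convert it to PEM with openssl, reporting why
# curl failed instead of a bare "Download failed". Not run in the demo below
# (needs network and openssl). Flags copied from the thread's curl command.
fetch_der_as_pem() {   # $1 = URL, $2 = output PEM (.crt), $3 = scratch dir
    der="$3/$(basename "$2" .crt).cer"
    /usr/bin/curl -Nks "$1" -o "$der"; rc=$?
    if [ "$rc" -ne 0 ] || [ ! -s "$der" ]; then
        echo "Download failed: $(explain_curl_status "$rc")" >&2; return 1
    fi
    openssl x509 -inform DER -in "$der" -out "$2" ||
        { echo "Openssl DER to PEM failed" >&2; return 1; }
}

# Print one line per certificate in a PEM file: its base64 body, newlines removed.
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /^-----END CERTIFICATE-----/   { print body; inside = 0; next }
         inside { body = body $0 }' "$1"
}

# 0 = every certificate in $1 is already in bundle $2, 1 = at least one is not,
# 2 = $1 holds no certificate at all.
cert_in_bundle() {
    wanted=$(pem_bodies "$1")
    [ -n "$wanted" ] || return 2
    [ -r "$2" ] || return 1
    have=$(pem_bodies "$2")
    for body in $wanted; do   # unquoted on purpose: one body per word
        printf '%s\n' "$have" | grep -qxF "$body" || return 1
    done
    return 0
}

# Install a PEM certificate only when its content is not already in the bundle,
# so the bundle's timestamp is untouched on a no-op run.
# Returns 0 = installed, 3 = already present, 1 = error.
install_intermediate() {   # $1 = PEM file, $2 = local CA dir, $3 = bundle
    name=$(basename "$1")
    cert_in_bundle "$1" "$3"; rc=$?
    case "$rc" in
        0) echo "$name already in bundle, nothing to do"; return 3 ;;
        2) echo "$name: no certificate found" >&2; return 1 ;;
    esac
    [ -d "$2" ] || mkdir -p "$2" || return 1   # missing on 5.0.4 in the thread
    cp "$1" "$2/$name" || return 1
    cat "$1" >> "$3" || return 1               # stand-in for update-ca-certificates
    echo "$name installed; bundle rewritten"
}

# --- constructed sample data (not real certificates) -------------------------
WORK=$(mktemp -d)
LOCAL_CA_DIR="$WORK/usr/local/share/ca-certificates"   # hypothetical stand-in
BUNDLE="$WORK/etc/ssl/certs/ca-certificates.crt"        # hypothetical stand-in
mkdir -p "$(dirname "$BUNDLE")"

make_fake_pem() {   # $1 = output file, $2 = text used as the fake base64 body
    { echo "-----BEGIN CERTIFICATE-----"; printf '%s' "$2" | base64
      echo "-----END CERTIFICATE-----"; } > "$1"
}
make_fake_pem "$WORK/Existing.crt"     "constructed root already in the bundle"
make_fake_pem "$WORK/Intermediate.crt" "constructed intermediate, not a real cert"
make_fake_pem "$WORK/Other.crt"        "constructed cert that is never installed"
cat "$WORK/Existing.crt" > "$BUNDLE"   # seed the bundle with one certificate

check_tmp "$WORK" && echo "scratch dir usable: $(readlink -f "$WORK")"
install_intermediate "$WORK/Intermediate.crt" "$LOCAL_CA_DIR" "$BUNDLE" || echo "status $?"
install_intermediate "$WORK/Intermediate.crt" "$LOCAL_CA_DIR" "$BUNDLE" || echo "status $?"
```

The second install call returns 3 and leaves the bundle alone, which is the behaviour that would have avoided the daily banner. The comparison is on the certificate body rather than the file timestamp or a whole-file checksum, so it still works when the bundle is regenerated from many sources.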
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Daily certificate updates

Post by TheHogNL »

Surprised to see that directory didn't exist on your Toon. The directory is part of the qt-gui package in recent firmwares. I'll check if version 5.0.4 didn't include that yet and did certificates another way.
Member of the Toon Software Collective
TheHogNL
Forum Moderator
Posts: 2125
Joined: Sun Aug 20, 2017 8:53 pm

Re: Daily certificate updates

Post by TheHogNL »

So yes, 5.0.4 only has this /usr/share/ca-certificates/DigiCert_GlobalRoot_CA-11-2031-Buienradar-qt-gui.crt installed and in a different directory.

Wondering... should I care... or just believe that people will update their Toons :)
Member of the Toon Software Collective