Daily certificate updates

Posted: Tue Oct 06, 2020 10:27 pm
by hvxl
For about a week now, my Toon has told me every day: "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub" ("The trusted web server certificates have been updated for you. Please restart the GUI"). Checking /etc/ssl/certs/ca-certificates.crt, I see that the file gets a new timestamp every day, but the contents stay exactly the same (md5sum d13ca17805cee62ca0a5c6ceab1679e7).

The message seems to be triggered by the changed timestamp, but changing it back doesn't make the message disappear. I haven't found a way to get rid of the message, other than restarting the GUI. But the next day it pops up again. Having to restart the Toon every day gets a bit annoying.

So my question is: Why do I get a fresh copy of the same ca-certificates.crt file every day? Was something changed on the server that may prevent the update process from determining that no update is necessary?

Re: Daily certificate updates

Posted: Wed Oct 07, 2020 10:58 am
by TheHogNL
hvxl wrote: For about a week now, my Toon has told me every day: "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub" ("The trusted web server certificates have been updated for you. Please restart the GUI"). Checking /etc/ssl/certs/ca-certificates.crt, I see that the file gets a new timestamp every day, but the contents stay exactly the same (md5sum d13ca17805cee62ca0a5c6ceab1679e7).

The message seems to be triggered by the changed timestamp, but changing it back doesn't make the message disappear. I haven't found a way to get rid of the message, other than restarting the GUI. But the next day it pops up again. Having to restart the Toon every day gets a bit annoying.

So my question is: Why do I get a fresh copy of the same ca-certificates.crt file every day? Was something changed on the server that may prevent the update process from determining that no update is necessary?
Last week we needed to add an intermediate certificate for the NLAlert app to keep working. See the modifications here: https://github.com/ToonSoftwareCollecti ... master/tsc
I'll check if there is something wrong with the logic which checks if an update is needed. You are the first one noticing this though.

And could you check /var/log/tsc ?

Re: Daily certificate updates

Posted: Wed Oct 07, 2020 11:26 am
by TheHogNL
Nothing wrong with the download routine. I did add some sanity checks on whether the download was OK and the openssl conversion went OK, in a tsc script version just released.

However, something is not working on your Toon. Please share the /var/log/tsc file.

Re: Daily certificate updates

Posted: Thu Oct 08, 2020 1:41 pm
by hvxl
I didn't get a new ca-certificates.crt file yesterday.

This is /var/log/tsc (dated Oct 7 19:26 UTC, exactly the time of day I used to get a new ca-certificates.crt file):

Starting TSC support script (version 2.16)
Running 5.0.4 on a qb2
Allowing SSH in firewall rules INPUT table
Checking for updates
Running 5.0.4 on a qb2
Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Download failed. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
tar: can't open 'mobile.tar.gz': No such file or directory
There is no Staat der Nederlanden Domein Server CA 2020 certificate in ca-certificates.crt.

Re: Daily certificate updates

Posted: Thu Oct 08, 2020 6:57 pm
by TheHogNL
hvxl wrote: I didn't get a new ca-certificates.crt file yesterday.

This is /var/log/tsc (dated Oct 7 19:26 UTC, exactly the time of day I used to get a new ca-certificates.crt file):

Starting TSC support script (version 2.16)
Running 5.0.4 on a qb2
Allowing SSH in firewall rules INPUT table
Checking for updates
Running 5.0.4 on a qb2
Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Download failed. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
tar: can't open 'mobile.tar.gz': No such file or directory
There is no Staat der Nederlanden Domein Server CA 2020 certificate in ca-certificates.crt.

Could you try:

/usr/bin/curl -Nks https://cert.pkioverheid.nl/DomeinServerCA2020.cer -o /tmp/DomeinServerCA2020.cer

This seems to fail for some reason.

I guess something is wrong with your /tmp directory, as the mobile.tar.gz, which also gets downloaded to tmp first, isn't working either.

Re: Daily certificate updates

Posted: Thu Oct 08, 2020 9:31 pm
by Toonz
Sometimes the symlink of /tmp is broken. I have seen that before on a few occasions. It should refer to the /var/volatile/tmp folder.

Re: Daily certificate updates

Posted: Thu Oct 08, 2020 10:43 pm
by TheHogNL
@hvxl can you confirm a broken symlink on /tmp?

Re: Daily certificate updates

Posted: Fri Oct 09, 2020 12:54 am
by hvxl
Sorry for the slow response. For some reason I'm not being notified of updates in this topic, even though I subscribed.

toon:~# ls -l /tmp
lrwxrwxrwx    1 root     root             8 Mar  2  2016 /tmp -> /var/tmp
toon:~# ls -l /var/tmp
lrwxrwxrwx    1 root     root            12 Mar  2  2016 /var/tmp -> volatile/tmp
toon:~# /usr/bin/curl -Nks https://cert.pkioverheid.nl/DomeinServerCA2020.cer -o  /tmp/DomeinServerCA2020.cer
toon:~# echo $?
35

Re: Daily certificate updates

Posted: Fri Oct 09, 2020 1:00 am
by hvxl
Oh, hang on. My Toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?

Re: Daily certificate updates

Posted: Fri Oct 09, 2020 10:02 am
by Toonz
hvxl wrote: Oh, hang on. My Toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?
https://api.github.com/.....

Re: Daily certificate updates

Posted: Fri Oct 09, 2020 11:02 am
by hvxl
I have allowed that too. Now wait and see what it does today at 21:26.

Re: Daily certificate updates

Posted: Fri Oct 09, 2020 4:50 pm
by TheHogNL
hvxl wrote: Oh, hang on. My Toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?
:D

Re: Daily certificate updates

Posted: Fri Oct 09, 2020 10:55 pm
by hvxl
Well, that still didn't work. Turns out that api.github.com redirects to codeload.github.com, which was still blocked. So I just allowed all of github.com.

But waiting a day for each try makes progress very slow. So I investigated a bit and found that all of this is done by the /usr/bin/tsc script (not a big surprise in hindsight). That script gets started from inittab with the "respawn" action. That means I can just kill the running instance and it will automatically restart.

After a `killall tsc`, /var/log/tsc showed:

Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
/usr/local/share/ca-certificates/DomeinServerCA2020.crt: No such file or directory
Openssl DER to PEM failed for intermediate certificate. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
Installed toon mobile web app...

That's one step closer. But there's still a problem with the certificate. That one was easily found. No directory /usr/local existed, let alone /usr/local/share/ca-certificates. After creating that (mkdir -p /usr/local/share/ca-certificates) and another `killall tsc`, /var/log/tsc said:

Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Of course, Toon once again displayed the "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub" banner. But now the certificates were actually updated.
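Putting the steps from this thread together (fetch the DER file from cert.pkioverheid.nl, convert it with openssl, place it under /usr/local/share/ca-certificates, run update-ca-certificates), the script below is an added example of how those steps can be done with the checks the log lines in this thread show were missing: a download failure is reported with its curl exit code (35 is curl's "SSL connect error", which is what an egress filter produces), the file is checked to be a DER certificate before conversion, the target directory is created if absent, and the installed copy is only rewritten when its content actually changes, so update-ca-certificates and the "restart GUI" banner do not fire on days when nothing changed. This is not the tsc script; the function names, the --max-time value, the optional EXPECTED_SHA256 pin and the "write only when changed" behaviour are assumptions of this example, not things the thread says tsc does. One caveat it makes explicit: the command quoted above uses curl -k, which disables TLS verification while fetching a trust anchor; the example drops -k and offers an out-of-band fingerprint pin instead.

```shell
#!/bin/sh
# Added example, not the tsc script. Assumed tools (all seen or implied in
# the thread): sh, curl, openssl, cmp, update-ca-certificates.
# Function names, --max-time and EXPECTED_SHA256 are assumptions here.

CERT_URL="https://cert.pkioverheid.nl/DomeinServerCA2020.cer"   # from the thread
CERT_NAME="DomeinServerCA2020"
LOCAL_CA_DIR="/usr/local/share/ca-certificates"                # from the thread
TMP_DIR="${TMPDIR:-/tmp}"
# Optional pin: SHA-256 fingerprint of the expected certificate, obtained out
# of band. Empty means "do not pin" (assumption; tsc has no such check).
EXPECTED_SHA256=""

log() { printf '%s\n' "$*"; }

# Download $1 to $2 without -k, so the TLS connection is verified against the
# roots already on the device. -f turns HTTP errors (captive portal, 404) into
# a failure instead of saving an error page as the "certificate".
fetch() {
    rc=0
    curl -fsS --max-time 30 -o "$2" "$1" || rc=$?
    if [ "$rc" -eq 0 ]; then return 0; fi
    if [ "$rc" -eq 35 ]; then
        log "Download of $1 failed: TLS connect error (curl 35); check egress filtering"
    else
        log "Download of $1 failed: curl exit $rc"
    fi
    return "$rc"
}

# Refuse anything that does not parse as a DER-encoded X.509 certificate.
is_der_cert() {
    openssl x509 -inform DER -noout -in "$1" >/dev/null 2>&1
}

# Compare the SHA-256 fingerprint of DER file $1 with EXPECTED_SHA256.
# A pin is what makes dropping -k safe: the file is accepted by content.
fingerprint_ok() {
    if [ -z "$EXPECTED_SHA256" ]; then return 0; fi
    fp=$(openssl x509 -inform DER -noout -fingerprint -sha256 -in "$1" \
         | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F')
    [ "$fp" = "$(printf '%s' "$EXPECTED_SHA256" | tr 'a-f' 'A-F')" ]
}

# Copy $1 to $2 only when the content differs. Returns 0 if written, 1 if the
# installed copy was already identical, so the caller can skip
# update-ca-certificates (and the "restart GUI" banner) on unchanged days.
install_if_changed() {
    src=$1; dst=$2
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    mkdir -p "$(dirname "$dst")"    # absent on firmware 5.0.4, per the thread
    cp "$src" "$dst"
    return 0
}

add_intermediate() {
    der="$TMP_DIR/$CERT_NAME.cer"
    pem="$TMP_DIR/$CERT_NAME.crt"
    fetch "$CERT_URL" "$der" || return 1
    if ! is_der_cert "$der"; then
        log "$der is not a DER certificate; not installing"; return 1
    fi
    if ! fingerprint_ok "$der"; then
        log "$der does not match EXPECTED_SHA256; not installing"; return 1
    fi
    openssl x509 -inform DER -in "$der" -out "$pem" || return 1
    if install_if_changed "$pem" "$LOCAL_CA_DIR/$CERT_NAME.crt"; then
        update-ca-certificates && log "Installed $CERT_NAME; restart the GUI once"
    else
        log "$CERT_NAME already installed and unchanged; nothing to do"
    fi
}

# Only touch the system when invoked explicitly:  sh add_intermediate.sh run
if [ "${1:-}" = "run" ]; then
    add_intermediate
fi
```

Because the script exits non-zero at the first failed step and leaves the existing bundle alone, a daily run that cannot reach cert.pkioverheid.nl (as on a Toon behind an egress filter) logs the curl error and does nothing else, and a run where the certificate is already in place returns without invoking update-ca-certificates.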

Re: Daily certificate updates

Posted: Sat Oct 10, 2020 10:33 am
by TheHogNL
Surprised to see that directory didn't exist on your Toon. The directory is part of the qt-gui package in recent firmwares. I'll check if version 5.0.4 didn't include that yet and did certificates another way.

Re: Daily certificate updates

Posted: Sat Oct 10, 2020 10:38 am
by TheHogNL
So yes, 5.0.4 only has this /usr/share/ca-certificates/DigiCert_GlobalRoot_CA-11-2031-Buienradar-qt-gui.crt installed, and in a different directory.

Wondering... should I care, or just believe that people will update their Toons? :)