Daily certificate updates
For about a week now, my Toon tells me every day: "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub". Checking /etc/ssl/certs/ca-certificates.crt, I see that the file gets a new timestamp every day, but the contents stay exactly the same (md5sum d13ca17805cee62ca0a5c6ceab1679e7).
The message seems to be triggered by the changed timestamp, but changing it back doesn't make the message disappear. I haven't found a way to get rid of the message, other than restarting the GUI. But the next day it pops up again. Having to restart the Toon every day gets a bit annoying.
So my question is: Why do I get a fresh copy of the same ca-certificates.crt file every day? Was something changed on the server that may prevent the update process from determining that no update is necessary?
Schelte
Re: Daily certificate updates
Last week we needed to add an intermediate certificate for NLAlert app to keep working. See the modifications here: https://github.com/ToonSoftwareCollecti ... master/tsc
I'll check if there is something wrong with the logic which checks if an update is needed. You are the first one noticing this though.
And could you check /var/log/tsc ?
Member of the Toon Software Collective
Re: Daily certificate updates
Nothing wrong with the download routine. I did add some sanity checks if download was ok and openssl conversion went ok in a tsc script version just released.
However something is not working at your toon. Please share the /var/log/tsc file
Member of the Toon Software Collective
Re: Daily certificate updates
I didn't get a new ca-certificates.crt file yesterday.
This is /var/log/tsc (dated Oct 7 19:26 UTC, exactly the time of day I used to get a new ca-certificates.crt file):
Code:
Starting TSC support script (version 2.16)
Running 5.0.4 on a qb2
Allowing SSH in firewall rules INPUT table
Checking for updates
Running 5.0.4 on a qb2
Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Download failed. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
tar: can't open 'mobile.tar.gz': No such file or directory
There is no Staat der Nederlanden Domein Server CA 2020 certificate in ca-certificates.crt.
Schelte
Re: Daily certificate updates
Could you try:
Code:
/usr/bin/curl -Nks https://cert.pkioverheid.nl/DomeinServerCA2020.cer -o /tmp/DomeinServerCA2020.cer
I guess something is wrong with your /tmp directory as the mobile.tar.gz which also gets downloaded to tmp first isn't working also.
Member of the Toon Software Collective
Re: Daily certificate updates
Sometimes the symlink of /tmp is broken. Have seen that before on a few occasions. It should refer to the /var/volatile/tmp folder.
member of the Toon Software Collective
Re: Daily certificate updates
@hvxl can you confirm broken symlink on /tmp ?
Member of the Toon Software Collective
Re: Daily certificate updates
Sorry for the slow response. For some reason I'm not being notified of updates in this topic, even though I subscribed.
Code:
toon:~# ls -l /tmp
lrwxrwxrwx 1 root root 8 Mar 2 2016 /tmp -> /var/tmp
toon:~# ls -l /var/tmp
lrwxrwxrwx 1 root root 12 Mar 2 2016 /var/tmp -> volatile/tmp
toon:~# /usr/bin/curl -Nks https://cert.pkioverheid.nl/DomeinServerCA2020.cer -o /tmp/DomeinServerCA2020.cer
toon:~# echo $?
35
Schelte
Re: Daily certificate updates
O, hang on. My toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?
Schelte
Re: Daily certificate updates
https://api.github.com/.....
member of the Toon Software Collective
Re: Daily certificate updates
I have allowed that too. Now wait and see what it does today at 21:26.
Schelte
Re: Daily certificate updates
hvxl wrote: O, hang on. My toon is not allowed to connect to any random web site. I have now allowed cert.pkioverheid.nl. Where does it need to get mobile.tar.gz from?
Member of the Toon Software Collective
Re: Daily certificate updates
Well, that still didn't work. Turns out that api.github.com redirects to codeload.github.com, which was still blocked. So I just allowed all of github.com.
But waiting a day for each try makes progress very slow. So I investigated a bit and found that all of this is done by the /usr/bin/tsc script (not a big surprise in hindsight). That script gets started from inittab with the "respawn" action. That means I can just kill the running instance and it will automatically restart.
After a `killall tsc`, /var/log/tsc showed:
Code:
Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
/usr/local/share/ca-certificates/DomeinServerCA2020.crt: No such file or directory
Openssl DER to PEM failed for intermediate certificate. Trying next time.
Could not find mandatory Toon Mobile Web app, installing...
Installed toon mobile web app...
That's one step closer. But there's still a problem with the certificate. That one was easily found. No directory /usr/local existed, let alone /usr/local/share/ca-certificates. After creating that (mkdir -p /usr/local/share/ca-certificates) and another `killall tsc`, /var/log/tsc said:
Code:
Adding intermediate Staat der Nederlanden Domein Server CA 2020 - for NLalert API
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Of course, toon once again displayed the "De vertrouwde webserver certificaten zijn voor u bijgewerkt. Restart GUI aub" banner. But now the certificates were actually updated.
Schelte
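The failures traced in this thread (a blocked download, a missing /usr/local/share/ca-certificates directory, and an "updated" banner for a file whose contents never changed) can each be caught by checking every stage and reporting a change only when the bytes differ. The sketch below is an added example, not the TSC script's own code: the function names and return codes are assumptions, and it assumes curl, openssl and update-ca-certificates are present on the device.

```shell
#!/bin/sh
# Added example, not the TSC script. URL and directory come from the thread;
# function names and return codes are assumptions of this sketch.
CERT_URL="https://cert.pkioverheid.nl/DomeinServerCA2020.cer"
CERT_DIR="/usr/local/share/ca-certificates"

# install_if_changed NEW DEST
# 0 = DEST replaced, 1 = content identical (DEST and its mtime untouched),
# 2 = error (empty input, directory or copy failure).
install_if_changed() {
    new=$1
    dest=$2
    [ -s "$new" ] || return 2                  # reject a missing or empty file
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        return 1                               # same bytes: nothing to announce
    fi
    mkdir -p "$(dirname "$dest")" || return 2  # target directory may not exist
    cp "$new" "$dest.tmp.$$" || return 2
    mv "$dest.tmp.$$" "$dest" || return 2      # rename so readers never see a partial file
    return 0
}

# Download, convert DER to PEM, install; rebuild the bundle only on change.
refresh_intermediate() {
    work=$(mktemp -d) || return 2
    # No -k: the result is added to the trust store, so TLS verification stays on.
    rc=0
    curl --fail --silent --show-error --max-time 30 -o "$work/ca.der" "$CERT_URL" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "Download failed (curl exit $rc). Trying next time." >&2
        rm -rf "$work"
        return 2
    fi
    if ! openssl x509 -inform DER -in "$work/ca.der" -outform PEM -out "$work/ca.pem"; then
        echo "DER to PEM conversion failed. Trying next time." >&2
        rm -rf "$work"
        return 2
    fi
    rc=0
    install_if_changed "$work/ca.pem" "$CERT_DIR/DomeinServerCA2020.crt" || rc=$?
    rm -rf "$work"
    if [ "$rc" -eq 0 ]; then
        update-ca-certificates || return 2     # only now is a GUI restart worth asking for
    fi
    return "$rc"
}
```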
Re: Daily certificate updates
Surprised to see that directory didn't exist on your toon. The directory is part of the qt-gui package in recent firmwares. I'll check if version 5.0.4 didn't include that yet and did certificates another way.
Member of the Toon Software Collective
Re: Daily certificate updates
So yes, 5.0.4 only has this /usr/share/ca-certificates/DigiCert_GlobalRoot_CA-11-2031-Buienradar-qt-gui.crt installed and in a different directory.
Wondering... should I care... or just believe that people will update their Toons
Member of the Toon Software Collective