Too late: Important! Upgrade to 5.49.16 ASAP for rooted and subscription Toons!

[michel30]

And does no one has a certificate for the Toon one to write over the old one with the new one?

[TheHogNL]

And does no one has a certificate for the Toon one to write over the old one with the new one?

The certificates are personal to the toon. You can't use one certificate multiple times.

But I am working on a script to be able to ask a new toon1 certificate without upgrading to 5.46.19. So hang on just a few days.

[TheRedBull]

And does no one has a certificate for the Toon one to write over the old one with the new one?

The certificates are personal to the toon. You can't use one certificate multiple times.

But I am working on a script to be able to ask a new toon1 certificate without upgrading to 5.46.19. So hang on just a few days.

Also missed the update last week....

Not sure if there is any email listing, or way to be notified about these urgent updates?

Also can't someone with the update not acquire the code that was used by the update to get new certificates? Or is this exactly what you are currently figuring out?

[TheHogNL]

Also can't someone with the update not acquire the code that was used by the update to get new certificates? Or is this exactly what you are currently figuring out?

Exactly

[TheHogNL]

The latest update script (update-rooted.sh v4.7) will now request new VPN certificates if necessary automatically or if you provide the -c option. After that you can update the firmware as usual again.

[FunFair]

The latest update script (update-rooted.sh v4.7) will now request new VPN certificates if necessary automatically or if you provide the -c option. After that you can update the firmware as usual again.

hero!

It requested a new certificate voor my Toon 1 and now the VPN tunnel is working again!

[michel30]

The latest update script (update-rooted.sh v4.7) will now request new VPN certificates if necessary automatically or if you provide the -c option. After that you can update the firmware as usual again.

So for my understanding.

I put the file update-rooted.sh v4.7 on my toon one and run this scrip with the option -c and fingers cross

[Toonz]

or simply update via TSC menu, new script will be automatically downloaded, certificates requested and new firmware installed

[michel30]

@TheHogNL

Thanks for the new script, Toon is upgraded to version 5.49.16

[TheRedBull]

or simply update via TSC menu, new script will be automatically downloaded, certificates requested and new firmware installed

This worked like a charm!

Thanks @Toonz And @TheHogNL

For me this means alot that you were able to fix this mayor issue for my older device.

Also that you were able to fix something that Toon (Eneco) was not able to do for all of us (so far).

[hvxl]

Being the cautious type and not really wanting to upgrade the firmware at this moment (Toon restarts frequently enough as it is), I just tried to get new certicates using update-rooted.sh -c. That didn't go very successfully:

Code: Select all

toon:~# ./update-rooted.sh -c

	:

Requesting new VPN certificates
Error opening Certificate /etc/openvpn/vpn/toon.crt
1074390752:error:02001002:system library:fopen:No such file or directory:bss_file.c:406:fopen('/etc/openvpn/vpn/toon.crt','r')
1074390752:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:408:
unable to load certificate
This toon does not contain old VPN certficates. Not necessary to update VPN certificates.

In /etc/openvpn/vpn I have the following files (serial number obscured):

Code: Select all

toon:~# ls -l /etc/openvpn/vpn/
-rw-------    1 root     root          1379 Apr 17  2012 ca.crt
-rw-r--r--    1 root     root           245 Apr 17  2012 dh1024.pem
-rw-------    1 root     root          4006 Jul 11  2014 eneco-001-######.crt
-rw-------    1 root     root           891 Jul 11  2014 eneco-001-######.key
-rw-------    1 root     root           636 Apr 17  2012 ta.key

The eneco-001 certificate doesn't appear to be a problem for another 2 years:

Code: Select all

toon:~# openssl x509 -in /etc/openvpn/vpn/eneco-001-######.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ##### (0x#####)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, ST=NH, L=Amsterdam, O=Home Automation Europe, OU=Eneco, CN=Home Automation Europe CA/emailAddress=admin@quby.nl
        Validity
            Not Before: Jul 11 13:23:01 2014 GMT
            Not After : Jul  8 13:23:01 2024 GMT
        Subject: C=NL, ST=NH, L=Amsterdam, O=Home Automation Europe, OU=Eneco, CN=eneco-001-######/emailAddress=admin@quby.nl

The ca certificate seems to be the one that expired last friday:

Code: Select all

toon:~# openssl x509 -in /etc/openvpn/vpn/ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            da:d1:03:6b:af:24:ab:59
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, ST=NH, L=Amsterdam, O=Home Automation Europe, OU=Eneco, CN=Home Automation Europe CA/emailAddress=admin@quby.nl
        Validity
            Not Before: Apr 17 09:48:39 2012 GMT
            Not After : Apr 15 09:48:39 2022 GMT
        Subject: C=NL, ST=NH, L=Amsterdam, O=Home Automation Europe, OU=Eneco, CN=Home Automation Europe CA/emailAddress=admin@quby.nl

Should I simply rename/copy ca.crt to toon.crt and try again? Or is there no escaping a firmware upgrade?

[TheHogNL]

Should I simply rename/copy ca.crt to toon.crt and try again? Or is there no escaping a firmware upgrade?

No. It is the eneco-001.xxx.crt which needs to be replaced. That certificate is signed by a CA which now is invalid/outdated. That is the issue.
However your toon hostname is 'toon' but should be 'eneco-001-xxxx'. The script uses that to find the correct filename.
I'll update the script right now (will be 4.73) to ignore the hostname and just use the filename as found in that directory.

Also ca.crt and ta.key will be replaced.

[hvxl]

Fun, isn't it? Users who mess up your perfectly working script by changing the host name!

Version 4.73 successfully updated the certificates. Thanks a lot!

[TheHogNL]

Fun, isn't it? Users who mess up your perfectly working script by changing the host name!

Version 4.73 successfully updated the certificates. Thanks a lot!

I did prepare for that in the real request for the certirficate but forgot to implement the same routine in the first part where it checks for a old certificate first

the comment line I re-used in the fix

Code: Select all

#get real hostname (don't believe $HOSTNAME is always correct on rooted toons)

[Xavier]

so way to late I saw this topic.
I have 1 toon 1 and 1 toon 2.
Started by trying updating Toon 1 via TSC menu and check for upgrade.
Update is found,
Update started,
Update failed ---> var/log/ tsc.toonupdate.log:

Code: Select all

Now starting the VPN tunnel and waiting for it to be alive and configured...
Could not enable VPN in a normal reasonable time!
DEBUG information:
192.168.0.0/24 dev eth0 scope link  src 192.168.0.80
default via 192.168.0.1 dev eth0  metric 10
# <persistent /etc/hosts content can be added to /etc/hosts.template file>
127.0.0.1               localhost.localdomain           localhost              eneco-001-025058
172.23.112.1         feed.hae.int    feed
END DEBUG information
Quitting the upgrade. It was a nice try tho...

Connected to Toon1 by SSH and tried:

Code: Select all

sh /root/update-rooted.sh -o

===================================================================================================================================================================
Welcome to the rooted Toon upgrade script. This script will try to upgrade your Toon using your original connection with Eneco. It will start the VPN if necessary.
Please be advised that running this script is at your own risk!

Version: 4.73  - TheHogNL - 20-04-2022

===================================================================================================================================================================

Only start VPN and then quit
This toon does not contain old VPN certficates. Not necessary to update VPN certificates.
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Now starting the VPN tunnel and waiting for it to be alive and configured...
Could not enable VPN in a normal reasonable time!
DEBUG information:
192.168.0.0/24 dev eth0 scope link  src 192.168.0.80
default via 192.168.0.1 dev eth0  metric 10
# <persistent /etc/hosts content can be added to /etc/hosts.template file>
127.0.0.1               localhost.localdomain           localhost              eneco-001-025058
172.23.112.1         feed.hae.int    feed
END DEBUG information
Quitting the upgrade. It was a nice try tho...
killall: openvpn: no process killed

So 1 questions:
How can I upgrade to 5.49.16?

I don't dare to try to upgrade my Toon2 at this moment.