Let's Encrypt certificate chain compatibility
From SpinetiX Support Wiki
This article is related to Security.
Issue
Let’s Encrypt's legacy root certificate, DST Root CA X3, expired on September 30, 2021. Although Let’s Encrypt transitioned in May 2021 to its new root certificate, ISRG Root X1, the mechanism chosen to keep the transition compatible with old Android devices (serving a default chain in which ISRG Root X1 is itself cross-signed by the expiring DST Root CA X3) is incompatible with other software and broke SSL/TLS secured communications starting September 30, 2021. Among the affected software are OpenSSL versions 1.0.2 and earlier, which do not build an alternative path to a locally trusted ISRG Root X1 once the last certificate in the served chain has expired. This OpenSSL version is used in some players' firmware/DSOS versions; in this case, any SSL/TLS connection to a server using Let’s Encrypt certificates fails with an unexpected “certificate has expired” error.
Impact on SpinetiX products
SpinetiX ARYA services
The players' connections to ARYA cloud and/or SpinetiX hosted data feeds (such as weather and financial data) are not affected by the above issue, as these servers are not using Let’s Encrypt certificates to host the services.
SpinetiX Cockpit services
Not Affected | |
---|---|
Affected | |
SpinetiX Cockpit services were affected between September 30th and October 4th — as a consequence, the HMP350, HMP300, and DiVA players running firmware 4.6.x and earlier, as well as legacy players (all firmware versions), appeared to be offline in Cockpit and could not connect to third-party data providers (i.e., Cockpit channels). This was solved by switching the Cockpit backend servers to another certificate provider (GoDaddy), which became effective October 4 and which is compatible with all SpinetiX players, back to the HMP100.
Some legacy configurations may still use the main site (https://cockpit.spinetix.com) for player communications, and these were also affected even after the switch of certificates on October 4th. This was solved on October 6th, 2021, by switching the certificates on the main Cockpit site as well.
Third-party services
Data feeds and CMS
Not Affected | |
---|---|
Affected | |
Fixed Release Availability | Upgrade to firmware 4.7.1 or later. |
The HMP350, HMP300, and DiVA players running firmware 4.6.x and earlier, as well as legacy players (all firmware versions), lost access to third-party data feeds (like RSS feeds) hosted on servers using Let’s Encrypt certificates. Similarly, the communication with third-party CMS is affected if the CMS uses Let’s Encrypt certificates for its RPC Concentrator. The solution is to update the player firmware to 4.7.1 or later.
The workarounds for players that cannot be updated, like legacy players, are the following:
- Use the Let’s Encrypt alternate certificate chain, although this is often not an available option on website hosting services.
- Switch the affected web servers to another certificate provider (e.g., GoDaddy).
- Change the web page to use http instead of https.
Display of web pages
Not Affected | HMP400, HMP400W, and third-party players running DSOS |
---|---|
Affected | HMP350 and HMP300 players |
Fixed Release Availability | Upgrade to firmware 4.7.2 or later. |
Web pages hosted on servers using Let's Encrypt certificates are no longer displayed on HMP350 and HMP300 players (all current firmware versions). A fix is included in the firmware 4.7.2.
Workarounds until the affected players can be updated to firmware 4.7.2:
- Use the Let’s Encrypt alternate certificate chain, although this is often not an available option on website hosting services.
- Switch the affected web servers to another certificate provider (e.g., GoDaddy).
- Change the web page to use http instead of https.
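To tell whether a data-feed or web server will trip the affected players (the workaround lists under "Data feeds and CMS" and "Display of web pages" both hinge on which chain the server sends), the chain summary printed by `openssl s_client -showcerts` is enough: the default chain ends in an ISRG Root X1 certificate whose issuer is DST Root CA X3, while the alternate chain stops at a certificate issued directly by ISRG Root X1. The script below is an added example, not part of the SpinetiX wiki or of any SpinetiX tool; it assumes a POSIX shell with `sed` and `grep`, and the sample outputs embedded in it are constructed to mirror the two Let’s Encrypt chains (the host name `www.example.test` is a placeholder).

```shell
#!/bin/sh
# Classify a server's certificate chain from the "Certificate chain" summary
# that `openssl s_client -showcerts` prints. Reads the s_client output on stdin.
#   long-chain       : an issuer is DST Root CA X3 (the Android-compatibility
#                      cross-sign); OpenSSL <= 1.0.2 clients reject this
#                      chain as expired after 2021-09-30.
#   short-chain      : Let's Encrypt alternate chain, ends at ISRG Root X1
#                      without the DST cross-sign; works on legacy players.
#   not-letsencrypt  : neither root name appears (e.g. a GoDaddy chain).
classify_chain() {
    # Keep only the chain block, then the "i:" (issuer) lines. Both the
    # old "i:/O=..." and the new "i:O = ..." OpenSSL formats are matched,
    # because only the CA name substring is tested.
    issuers=$(sed -n '/^Certificate chain/,/^---/p' | grep -E '^ *i:' || true)
    if printf '%s\n' "$issuers" | grep -q 'DST Root CA X3'; then
        echo long-chain
    elif printf '%s\n' "$issuers" | grep -q 'ISRG Root X1'; then
        echo short-chain
    else
        echo not-letsencrypt
    fi
}

# Live use (not run here): pipe a real handshake summary into the classifier.
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null | classify_chain

# Constructed sample: the default Let's Encrypt chain (leaf <- R3 <- ISRG Root X1
# cross-signed by DST Root CA X3). Host name is a placeholder.
long_chain_sample() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
EOF
}

# Constructed sample: the alternate (short) chain, R3 issued by the
# self-signed ISRG Root X1, which the server does not send.
short_chain_sample() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
EOF
}

# Constructed sample: a chain from a different provider (placeholder names).
other_chain_sample() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example CA Inc., CN = Example Secure Server CA
 1 s:C = US, O = Example CA Inc., CN = Example Secure Server CA
   i:C = US, O = Example CA Inc., CN = Example Root CA
---
Server certificate
EOF
}

# Stand-alone demo over the constructed samples.
for s in long_chain_sample short_chain_sample other_chain_sample; do
    printf '%s: %s\n' "$s" "$($s | classify_chain)"
done
```

A result of `long-chain` means players on OpenSSL 1.0.2 or earlier (HMP350/HMP300/DiVA on firmware 4.6.x and earlier, and all legacy players) will fail against that server until it is switched to the alternate chain or another provider; on servers where certificates are issued with certbot, the alternate chain can be requested with its `--preferred-chain "ISRG Root X1"` option, which is a certbot feature rather than something shown on this page.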