Let's Encrypt certificate chain compatibility

From SpinetiX Support Wiki

Jump to: navigation, search

This article is related to Security.

Issue

Let’s Encrypt historical root certificate, DST Root CA X3, expired on September 30, 2021. Although Let’s Encrypt transitioned in May 2021 to their new root certificate, ISRG Root X1, the mechanism to ensure that the transition remains compatible with old Android devices resulted in an incompatibility with other software that broke SSL/TLS secured communications starting September 30, 2021. Among the affected software are OpenSSL versions 1.0.2 and earlier, which is used in some players' firmware/DSOS versions — in this case, any SSL/TLS connection to a server using Let’s Encrypt certificates would fail with an unexpected “certificate has expired” error.

Impact on SpinetiX products

SpinetiX ARYA services

Status: Not affected

The players' connections to ARYA cloud and/or SpinetiX hosted data feeds (such as weather and financial data) are not affected by the above issue, as these servers are not using Let’s Encrypt certificates to host the services.

SpinetiX Cockpit services

Status: Solved
Update: October 6th, 2021
Not Affected
Affected

SpinetiX Cockpit services were affected between September 30th and October 4th — as a consequence, the HMP350, HMP300, and DiVA players running firmware 4.6.x and earlier, as well as legacy players (all firmware versions), appeared to be offline in Cockpit and could not connect to third-party data providers (i.e., Cockpit channels). This was solved by switching the Cockpit backend servers to another certificate provider (GoDaddy), which became effective October 4 and which is compatible with all SpinetiX players, back to the HMP100.

Some legacy configurations may still use the main site (https://cockpit.spinetix.com) for player communications, and these were also affected even after the switch of certificates on October 4th. This was solved on October 6th, 2021, by switching the certificates on the main Cockpit site as well.

Third-party services

Data feeds and CMS

Status: Solved
Update: October 6th, 2021
Not Affected
Affected
Fixed Release Availability Upgrade to firmware 4.7.1 or later.

The HMP350, HMP300, and DiVA players running firmware 4.6.x and earlier, as well as legacy players (all firmware versions), lost access to third-party data feeds (like RSS feeds) hosted on servers using Let’s Encrypt certificates. Similarly, the communication with third-party CMS is affected if the CMS uses Let’s Encrypt certificates for its RPC Concentrator. The solution is to update the player firmware to 4.7.1 or later.

The workarounds for players that cannot be updated, like legacy players, are the following:

  • Use the Let’s Encrypt alternate certificate chain, although this is often not an available option on website hosting services.
  • Switch the affected web servers to another certificate provider (e.g., GoDaddy).
  • Change the web page to use http instead of https.

Display of web pages

Status: Unsolved
Update: October 6th, 2021
Not Affected HMP400, HMP400W, and third-party players running DSOS
Affected HMP350 and HMP300 players
Fixed Release Availability Upgrade to firmware 4.7.2 or later.

Web pages hosted on servers using Let's Encrypt certificates are no longer displayed on HMP350 and HMP300 players (all current firmware versions). A fix will be included in the firmware 4.7.2, which will be released in the coming days.

Workarounds until the affected players can be updated to firmware 4.7.2:

  • Use the Let’s Encrypt alternate certificate chain, although this is often not an available option on website hosting services.
  • Switch the affected web servers to another certificate provider (e.g., GoDaddy).
  • Change the web page to use http instead of https.
Note Note:
DiVA and legacy players are out of scope since they cannot display web pages.

References

This page was last modified on 6 October 2021, at 15:39.