EliasKotlyar / Xiaomi-Dafang-Hacks


matrix notifications not working due to `curl: (60) SSL certificate problem: certificate has expired` #1821

Closed n8henrie closed 2 years ago

n8henrie commented 2 years ago

Description

I'm trying to set up Matrix notifications through the matrix.org server.

When I set -x and remove the --silent flag in /system/sdcard/bin/matrix, I see:

# matrix m 'foo'
+ CURL=/system/sdcard/bin/curl
+ JQ=/system/sdcard/bin/jq
+ what=m
+ '[' m '=' m ]
+ shift
+ sendtext=foo
+ . /system/sdcard/config/matrix.conf
+ host=matrix-client.matrix.org
+ port=443
+ room_id='REDACTED'
+ sender=@REDACTED:matrix.org
+ access_token=REDACTED
+ '[' m '=' f ]
+ '[' m '=' m ]
+ sendMessage
+ echo 'Sending message: foo'
Sending message: foo
+ /system/sdcard/bin/curl -XPOST -d '{"msgtype":"m.notice", "body":"foo"}' 'https://matrix-client.matrix.org:443/_matrix/client/r0/rooms/REDACTED:matrix.org/send/m.room.message?access_token=REDACTED'
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
+ '[' m '=' p ]
+ '[' m '=' v ]
+ '[' -z m ]

What did you do to debug the issue

# cd /system/sdcard/config/ssl/cacert/
# ./update.sh 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Then I added the -k flag to the curl command in ./update.sh and reran -- it seemed to succeed, but afterwards I have all the same issues.

I can add the -k flag to the curl command in the matrix script and the notification then is sent without issue.

n8henrie commented 2 years ago

Of note, I can copy the exact curl command and run it on my Mac with no issues (and a notification is received in Matrix):

$ curl -XPOST -d '{"msgtype":"m.notice", "body":"a fosdf"}' 'https://matrix-client.matrix.org:443/_matrix/client/r0/rooms/!REDACTED:matrix.org/send/m.room.message?access_token=REDACTED'
{"event_id":"REDACTED"}
$ echo $?
0

c--- commented 2 years ago

This is the Let's Encrypt problem. They changed the way certificates are signed and older devices that haven't been updated don't have the new root CA.

Alternatively as a more "proper" method (more secure) you can download the new CA list from https://curl.se/ca/cacert.pem using an updated browser. Then upload that file to the camera in the /system/sdcard/config/ssl/cacert directory. It's doing the same thing but you're not using an "--insecure" acquisition method.

n8henrie commented 2 years ago

Thanks for the quick response!

As noted above, I tried the update.sh with --insecure route; the update appeared to succeed, but the behavior and error message didn't change afterward. ¯\_(ツ)_/¯

c--- commented 2 years ago

Sorry I didn't read your whole original post very well (my mind is occupied with something else). Anyway...

What is: md5sum /system/sdcard/config/ssl/cacert/cacert.pem

I have aa5ac583708ca35225ac2d230f4acb62 (just updated now). I just did this update on a V2 camera that wasn't working and after doing the update it started working.

n8henrie commented 2 years ago

# stat cacert.pem
  File: cacert.pem
  Size: 206919      Blocks: 448        IO Block: 32768  regular file
Device: b301h/45825d    Inode: 123         Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-06-19 09:53:28.000000000 -0600
Modify: 2022-06-19 01:09:28.000000000 -0600
Change: 2022-06-19 01:09:28.890000000 -0600
# md5sum cacert.pem 
16e9fa85cca8b644874e5b0eaa4c270b  cacert.pem

I just ran it again, and I still get 16e9fa85cca8b644874e5b0eaa4c270b.

n8henrie commented 2 years ago

Huh.

# grep 'as of' cacert.pem 
## Certificate data from Mozilla as of: Tue Apr 13 03:12:04 2021 GMT

n8henrie commented 2 years ago

But if I run it from my Macbook, I get the same as you:

$ curl -sk https://curl.se/ca/cacert.pem | md5sum 
aa5ac583708ca35225ac2d230f4acb62  -

I think I figured it out -- I think the --time-cond is showing the new file as being more recent, see my stat command above.

n8henrie commented 2 years ago

Yep, that got it.

tldr for future readers:

  1. cd /system/sdcard/config/ssl/cacert (below commands depend on cacert.pem being in PWD)
  2. vi update.sh
  3. change curl --remote-name --time-cond cacert.pem https://curl.se/ca/cacert.pem to curl --remote-name -k https://curl.se/ca/cacert.pem
  4. run ./update.sh
  5. revert the change from step 3
  6. repeat step 4 and make sure it runs without error

Thanks for the quick responses from @c---!
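The root cause above was that `--time-cond cacert.pem` compared file modification times, so a local bundle with a newer mtime but older contents was never refreshed. The following is an added example (not the repository's update.sh) that decides staleness from the `## Certificate data from Mozilla as of:` header inside the bundle instead; it assumes a POSIX sh with grep, sed and mktemp, and writes two constructed header-only sample files to a temp directory:

```shell
#!/bin/sh
# Added example, not the project's update.sh: compare the "as of" stamp inside
# two cacert.pem files instead of trusting file mtime (the --time-cond pitfall).

bundle_stamp() {
    # Print "YYYY-MM-DD HH:MM:SS" taken from the header line
    # "## Certificate data from Mozilla as of: Tue Apr 13 03:12:04 2021 GMT";
    # return non-zero if the file has no such header.
    line=$(grep '^## Certificate data from Mozilla as of:' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $(printf '%s\n' "$line" | sed 's/.*as of: //')
    # Now $1=weekday $2=month $3=day $4=time $5=year $6=zone
    case $2 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s-%s-%02d %s\n' "$5" "$m" "$3" "$4"
}

bundle_is_stale() {
    # Usage: bundle_is_stale LOCAL CANDIDATE
    # True (exit 0) when CANDIDATE carries a newer stamp than LOCAL, or when
    # LOCAL has no readable stamp at all; false when CANDIDATE is unreadable.
    local_stamp=$(bundle_stamp "$1") || return 0
    new_stamp=$(bundle_stamp "$2") || return 1
    [ "$new_stamp" \> "$local_stamp" ]
}

# Constructed sample bundles (header line only) so the check runs offline.
demo_dir=$(mktemp -d)
OLD_BUNDLE="$demo_dir/cacert-old.pem"
NEW_BUNDLE="$demo_dir/cacert-new.pem"
printf '## Certificate data from Mozilla as of: Tue Apr 13 03:12:04 2021 GMT\n' > "$OLD_BUNDLE"
printf '## Certificate data from Mozilla as of: Mon Jun  6 12:00:00 2022 GMT\n' > "$NEW_BUNDLE"

if bundle_is_stale "$OLD_BUNDLE" "$NEW_BUNDLE"; then
    echo "local bundle is stale: replace it, then re-test curl without -k"
else
    echo "local bundle is current"
fi
```

On the camera the replacement bundle still has to arrive over a path the old bundle can verify (the thread's "download in an updated browser and upload" route), since curl on the device cannot validate curl.se with the missing root.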