arendst / Tasmota

Alternative firmware for ESP8266 and ESP32 based devices with easy configuration using webUI, OTA updates, automation using timers or rules, expandability and entirely local control over MQTT, HTTP, Serial or KNX. Full documentation at
https://tasmota.github.io/docs
GNU General Public License v3.0

Use letsencrypt ISRG_Root_X1 certificate instead of R3 #21352

Closed gladk closed 2 months ago

gladk commented 2 months ago

According to the blog post [1] new intermediate certificates will be deployed on 6th of June, 2024.

[1] https://letsencrypt.org/2024/04/12/changes-to-issuance-chains

Thus the existing R3 will stop working for newly issued certificates. This PR replaces R3 with the ISRG root one, which should work till 2035.

This change adds about 288 bytes to the final build.

s-hadinger commented 2 months ago

Why do we need 5 certificates? This is a big size increase.

gladk commented 2 months ago

r3 can be removed about 6th of September 2024, as all certificates issued by letsencrypt have a max expiration length of 3 months.

According to this picture, only r10 and r11 will be used, but it is not clear whether we really need r>11.

gladk commented 2 months ago

> I wonder if we can use 'ISRG Root X1' instead which is RSA 4096

Good catch. Let me check.

gladk commented 2 months ago

@s-hadinger thank you for the hint! It really works. I am updating the merge request.

s-hadinger commented 2 months ago

Hold on, I had second thoughts and I'm surprised it's working at all since we don't have the full cert chain.

gladk commented 2 months ago

The main problem here is that the devices flashed with R3 will probably stop working soon, because the certificate check will fail.

s-hadinger commented 2 months ago

I understand. My initial thought was to validate against ISRG Root X1, but I had second thoughts and I understand that a server certificate should only contain the signature from the intermediate CA (R3 or R10-R15), but does not contain the entire signature chain up to the root CA.

Did you actually try replacing CA with ISRG Root X1? Does it work?

gladk commented 2 months ago

Yes! I checked with ISRG Root X1 on esp8266 and it works! I even changed one random byte to make a negative test, and it failed to connect to the server. So, it works!

What I did not check is the tasmota32. But I hope it should work. Also, this change gives about +290 bytes in comparison to the initial build.

s-hadinger commented 2 months ago

Awesome, well done. ESP32 uses exactly the same code so I don't expect any difference.
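
The trust-anchor question discussed in this thread, reproduced offline with the `openssl` CLI as an added example (not code from the PR and not the firmware's own validation code). It builds a constructed lab PKI in which "Lab Root", "Lab R3" and "Lab R10" stand in for ISRG Root X1, R3 and a new intermediate; all file and function names are assumptions.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: "Lab Root", "Lab R3" and "Lab R10" are stand-ins made
# for this example, not Let's Encrypt's real certificates.
set -eu

# issue NAME CN EXTFILE [ISSUER]: self-signed when ISSUER is omitted.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" \
      -days 30 -out "$1.pem" 2>/dev/null
  fi
}

# build_lab_pki DIR: root signs r3 and r10; r3 issues old_leaf, r10 new_leaf.
build_lab_pki() {
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    issue root "Lab Root" ca.ext
    issue r3 "Lab R3" ca.ext root
    issue r10 "Lab R10" ca.ext root
    issue old_leaf "old.example.test" leaf.ext r3
    issue new_leaf "new.example.test" leaf.ext r10 )
}

# chain_ok DIR ANCHOR SENT LEAF: ANCHOR is the only trusted certificate (what
# the firmware embeds); SENT is the intermediate the server sends with LEAF.
# -partial_chain lets a non-root anchor such as r3 terminate the chain.
chain_ok() {
  openssl verify -partial_chain -CAfile "$1/$2.pem" \
    -untrusted "$1/$3.pem" "$1/$4.pem" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  build_lab_pki "$dir"
  for c in "r3 r3 old_leaf" "r3 r10 new_leaf" "root r3 old_leaf" "root r10 new_leaf"; do
    set -- $c
    if chain_ok "$dir" "$@"; then verdict=accepted; else verdict=REJECTED; fi
    echo "anchor=$1 sent=$2 leaf=$3 -> $verdict"
  done
}
demo
```

Only the combination of the old intermediate as anchor with a leaf issued by the new intermediate is rejected; with the root as anchor, the intermediate the server sends in the handshake completes the chain in both cases.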