ge0rg / aprsdroid

APRSdroid - Geo-Location for Radio Amateurs
https://aprsdroid.org/
GNU General Public License v2.0

Certificate error #116

Closed mkrotzer closed 8 years ago

mkrotzer commented 8 years ago

What did you want to accomplish?

 Connect to ssl.aprs2.net

What were the exact steps you performed?

 https://aprsdroid.org/ssl/

What was the expected outcome?

 Authentication

What happened instead?

 # Client certificate not accepted: self signed certificate in certificate chain
 I do not see this: logresp DO1GL-10 verified, server T2FINLAND
 #aprsc 2.0.14 ....
 Loaded Key: ....KE8BUN (looks how it should)

What APRSdroid configuration were you using (SmartBeaconing/Periodic/..., TCP/Bluetooth/AFSK/...)?

TCP

I followed the LOTW process on debian linux.

gnuself commented 8 years ago

I also ran into this same issue. I cannot authenticate using the LOTW certificate that I loaded. I'm using Arch Linux.

bwarden commented 8 years ago

I ran into this issue upon installing a new certificate for a new callsign. I suspect that the certificate is actually rejected by the APRS-IS server, so this probably isn't an issue with aprsdroid itself, but something with how the certificates are produced by LOTW.

Upon further investigation, it looks like ARRL updated their CA certificate. The old one was signed with an insecure algorithm (possibly SHA-1, but I didn't dig deep), so they probably decided it was necessary to update it. Since it doesn't trace back to a known root CA, it won't be automatically recognized by the APRS-IS servers. Until they add ARRL's new CA certificate to their trusted CA databases, they'll continue to reject callsign certificates signed since the change.

caseydiers commented 8 years ago

Same issue here:

Connection lost. Reconnecting in 30 seconds. Client certificate not accepted: self signed certificate in certificate chain. aprsc 2.0.20-g6a459af

ge0rg commented 8 years ago

Yes, @bwarden provided the correct analysis. Currently, the SSL servers are provided with the trusted certificate bundle manually, and the whole feature is considered beta. Unfortunately, it looks like we need to convince the server operators to do some more work on this before it can be used again. There is also no way to remove a certificate from aprsdroid; you need to remove the app and reinstall, and this will kill all your settings, including the pass code.

ge0rg commented 8 years ago

Okay, I pinged the aprs2-ops some weeks ago and they have installed the current ARRL Root on at least two of the ssl servers.
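
The failure and the fix discussed in this thread, reproduced offline with the `openssl` CLI as an added example (not part of the thread, APRSdroid or aprsc): a client certificate issued under a reissued root fails against a bundle that holds only the old root, and verifies once the new root is added. Every certificate and name is constructed, and `openssl verify` stands in for the server-side chain check as an assumption.

```shell
#!/usr/bin/env bash
# Added example. Every key, certificate and name here is constructed.
set -eu

# Create two self-signed roots and a callsign certificate issued by the new
# one, in a scratch directory. Prints the directory path.
setup_pki() {
  d=$(mktemp -d)
  (
    cd "$d"
    for ca in old new; do
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example $ca root" -keyout "$ca.key" -out "$ca-root.pem"
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=N0CALL" \
      -keyout client.key -out client.csr
    openssl x509 -req -in client.csr -CA new-root.pem -CAkey new.key \
      -CAcreateserial -sha256 -days 30 -out client.pem
  ) >/dev/null 2>&1
  echo "$d"
}

# Verify the client certificate against a trusted bundle ($2). The new root
# is passed only as untrusted chain material, as if sent by the client.
# Prints "ok" or the verification error.
verify_with_bundle() {  # $1 = PKI directory, $2 = trusted CA bundle
  out=$(openssl verify -CAfile "$2" -untrusted "$1/new-root.pem" \
        "$1/client.pem" 2>&1) || true
  case "$out" in
    # OpenSSL 3.x spells it "self-signed"; normalise to the wording in the log.
    *"signed certificate in certificate chain"*)
      echo "self signed certificate in certificate chain" ;;
    *": OK"*) echo "ok" ;;
    *) echo "other: $out" ;;
  esac
}

PKI=$(setup_pki)
cp "$PKI/old-root.pem" "$PKI/bundle-before.pem"
cat "$PKI/old-root.pem" "$PKI/new-root.pem" > "$PKI/bundle-after.pem"
echo "old bundle: $(verify_with_bundle "$PKI" "$PKI/bundle-before.pem")"
echo "new bundle: $(verify_with_bundle "$PKI" "$PKI/bundle-after.pem")"
```

The client certificate is identical in both runs; only the verifier's trusted bundle changes.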