ge0rg / aprsdroid

APRSdroid - Geo-Location for Radio Amateurs
https://aprsdroid.org/
GNU General Public License v2.0

LOTW certificate fails due to "self-signed certificate" #347

Open CraigBos opened 1 year ago

CraigBos commented 1 year ago

Probably LOTW's fault, but whichever thing is checking the certificates is way too anal-retentive about it.

This is a brand new certificate issued today by LOTW. I got it because APRSDroid was rejecting the previous certificate due to an expired certificate somewhere up the chain.

Come on guys. This is too much.

It would make me happy to give you a log file or screenshot, but I see no button for that on this form.

mistermatt2u commented 1 year ago

+1, same thing here. Certificate was just issued today. Looking at the .p12 file in OpenSSL, the '-legacy' switch was required. Looking at the certificate after I finally got it exported, openssl showed this:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 738945 (0xb4681)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = CT, L = Newington, O = American Radio Relay League, OU = Logbook of the World, CN = Logbook of the World Production CA, DC = arrl.org, emailAddress = lotw@arrl.org
```

It appears that maybe 1) the CA certificate is not included (which is expected) and/or 2) that the Issuer (LOTW) is not being recognized as a "not self signed" authority.

I'm guessing that if we included the CA in the PEM, that it might work... But I'm not sure where we can get it.

mistermatt2u commented 1 year ago

I took a bit of a closer look at this. It seems the problem might be that the CA "Logbook of the World Root CA" is signed by itself. So there isn't a recognized CA signing it.

Maybe the best way to resolve this is for LOTW to sign its own CA with a recognized root CA. But I expect that is either cost-prohibitive or just too much work for the gain.

For APRSDroid, maybe a "good enough" compromise would be to recognize the "Logbook of the World Root CA" as a valid CA, for the purposes of accepting our callsign certificates.

```
subject=C = US, ST = CT, L = Newington, O = American Radio Relay League, OU = Logbook of the World, CN = Logbook of the World Root CA, DC = arrl.org, emailAddress = lotw@arrl.org
issuer=C = US, ST = CT, L = Newington, O = American Radio Relay League, OU = Logbook of the World, CN = Logbook of the World Root CA, DC = arrl.org, emailAddress = lotw@arrl.org
```

penguin359 commented 1 year ago

Root CAs in any certificate hierarchy are always self-signed. There's nothing that makes a "real CA" any better than Logbook of the World as the CA. In fact, it wouldn't make much sense since they specialize in validating websites, not some obscure hobbyist service. ARRL is the CA for Logbook of the World.

Certificates for websites and for LoTW both have expiration dates that require regular renewal, but for LoTW, I think the renewal is something like every 7 years, so it shouldn't happen often. If they used an intermediate certificate that expired sooner, that is ARRL's fault, not APRSDroid's.

I did a test import and was able to import my Logbook of the World certificate issued to me a little less than a year ago. What version of the software? How was it installed? Is it from the Google Play Store? What phone is this error happening on? What version of Android?

BTW, you should be able to upload screenshots to this issue by just dragging into the comment box like so:

(screenshot attached: 2023-08-16 01 06 24)
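penguin359's point that a root CA is by definition self-signed can be checked directly. The script below is an added example, not aprsdroid or LoTW code: it builds a throwaway hierarchy with constructed names (a self-signed root, a "production" intermediate, a callsign leaf) using the openssl CLI, bundles key, leaf and intermediate into a .p12 the way an exported callsign certificate is, and shows that OpenSSL's "self-signed certificate in certificate chain" verdict appears only when the root is missing from the trust store, not because anything in the chain is defective.

```shell
# Added example, not aprsdroid project code. Rebuilds a LoTW-style
# hierarchy (self-signed root -> production CA -> callsign cert) with
# constructed names, then shows that OpenSSL's "self-signed certificate
# in certificate chain" verdict only means the root is not *trusted*.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed, as every root is (openssl req -x509 marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout root.key -out root.pem \
  -subj "/CN=Constructed Root CA" 2>/dev/null

# Intermediate "production" CA, signed by the root.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout prod.key -out prod.csr \
  -subj "/CN=Constructed Production CA" 2>/dev/null
openssl x509 -req -in prod.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out prod.pem 2>/dev/null

# End-entity "callsign" certificate, signed by the production CA.
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=N0CALL constructed" 2>/dev/null
openssl x509 -req -in leaf.csr -CA prod.pem -CAkey prod.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Bundle like an exported callsign .p12: key + leaf + intermediate, no root.
openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile prod.pem \
  -passout pass:demo -out callsign.p12

# How many certificates travel inside the .p12? (2: leaf + intermediate)
bundled_cert_count() {
  openssl pkcs12 -in callsign.p12 -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERT'
}

# Verification with the root in the trust store succeeds.
verify_against_root() {
  openssl verify -CAfile root.pem -untrusted prod.pem leaf.pem >/dev/null 2>&1
}

# Same chain, root offered only as "untrusted": OpenSSL reports error 19,
# "self-signed certificate in certificate chain" (1.1 spells it "self signed").
verify_without_trusted_root() {
  openssl verify -untrusted prod.pem -untrusted root.pem leaf.pem 2>&1 || true
}

echo "certs in .p12: $(bundled_cert_count)"
verify_against_root && echo "trusted root: OK"
echo "untrusted root: $(verify_without_trusted_root)"
```

The fix on the verifying side is therefore to treat the LoTW root as a trust anchor (or ship it with the app), not to loosen chain checking.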