mikakoivisto / controlmyspa-ha-mqtt

GNU General Public License v3.0
13 stars 5 forks

NOTICE: Certificate verification failing with new certificate #4

Closed JSkier21 closed 2 years ago

JSkier21 commented 2 years ago

I noticed that the certificate was updated over at controlmyspa.com (they updated the Android app a few days after it broke that with the new certificate). The new cert looks okay, but I didn't dive too deep into the chain. For some reason, the app is failing to verify, probably on a root CA that wasn't available when nodejs was compiled. I believe this issue is with the upstream JS app, controlmyspajs; issue put in here: https://gitlab.com/VVlasy/controlmyspajs/-/issues/4.

There are a couple of ways to fix this I believe, either turn off verification (not ideal), or code in the root CA as trusted over at controlmyspajs. I am also rebuilding nodejs and will see if that works. Otherwise, will try to find time to code in the root CAs as trusted over at controlmyspajs.

dlysnes commented 2 years ago

Actually they messed up by leaving out the CA (full chain) when updating the cert (https://www.sslshopper.com/ssl-checker.html#hostname=https://iot.controlmyspa.com). I sent them an email asking them to fix it, however it probably won't happen soon. Messing around in the Dockerfile now to import the CA when spinning it up, but no success yet. Here's the CA: https://www.tbs-certificates.co.uk/FAQ/en/RapidSSLTLSDVRSAMixedSHA2562020CA-1.html

JSkier21 commented 2 years ago

EDIT: Added full chain (public certs).

Heh, yup, definitely didn't dive into the cert that far, thanks 😆 I wonder what they did to get the Android app working; I probably don't want to know. iOS just worked, most likely it just downloaded the CA (that's why browsers still work to iot.controlmyspa.com).

I also sent them a message, but I've never gotten action or responses back from their support either.

I don't think including the root CA would do anything without calling out the CA in JS. Likewise, I'll see if I can roll out a full cert chain for JS and get that app working again.


Full chain: controlmyspa-com-chain.pem.zip

dlysnes commented 2 years ago

It's a typical error when adding certs. I guess they added the CA to the app itself (or dropped the cert check). I imported the CA into the root certs, and after that curl works fine with no errors. Adding it to the Dockerfile is a bit messy though, especially in 16:alpine it seems. Apk installed all requirements, but running update-ca-certificates always fails.
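The failure discussed in this thread (the server sends only its leaf certificate, so a client that trusts the root still cannot build a path to it) and the two fixes mentioned (the server sending the full chain, or the client importing the missing CA into its trust store) can be reproduced offline with throwaway test certificates. The script below is an added example, not code from the controlmyspa-ha-mqtt or controlmyspajs projects; the host name iot.example.test and all keys and certificates are constructed on the fly, and it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the controlmyspa-ha-mqtt project): build a tiny test PKI
# (root -> intermediate -> leaf), then show why a server that omits its intermediate
# fails verification and how each of the two fixes from the thread resolves it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate an EC key and a CSR for the given name. $1 = file basename, $2 = CN (constructed).
gen_key_and_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Build the constructed PKI: self-signed root, intermediate signed by root,
# leaf for iot.example.test signed by the intermediate.
build_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:iot.example.test\n' > "$WORK/leaf.ext"
  gen_key_and_csr root "Test Root CA"
  gen_key_and_csr int  "Test Intermediate CA"
  gen_key_and_csr leaf "iot.example.test"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Run openssl verify with an explicit trust file (and no system CA directory, so the
# result depends only on what we pass in) and report OK or FAIL instead of exiting.
check() {
  if openssl verify -no-CApath "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The broken deployment: the client trusts the root, but the server only sends the
# leaf, so nothing links the leaf to the root ("unable to get local issuer certificate").
verify_without_intermediate() {
  check -CAfile "$WORK/root.pem"
}

# Fix 1 (server side, what the vendor eventually did): the server sends leaf plus
# intermediate. The -untrusted file models the extra certificate sent in the handshake.
verify_with_served_intermediate() {
  check -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem"
}

# Fix 2 (client-side workaround from the thread): import the missing intermediate into
# the client's trust store alongside the root. For a Node process, pointing
# NODE_EXTRA_CA_CERTS at such a chain file has the same effect without touching the
# system store.
verify_with_imported_intermediate() {
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  check -CAfile "$WORK/chain.pem"
}

build_test_pki
echo "leaf only, root trusted:          $(verify_without_intermediate)"       # FAIL
echo "leaf + served intermediate:       $(verify_with_served_intermediate)"   # OK
echo "leaf, intermediate imported:      $(verify_with_imported_intermediate)" # OK
```

The first check is what the Node client in this thread hit: curl and browsers often hide the problem because they cache or fetch intermediates, whereas Node only uses what the server sends plus its own trust store. The second check is the correct fix and the only one the vendor can make; the third is the workaround being attempted in the Dockerfile, and the same chain file is what NODE_EXTRA_CA_CERTS would be pointed at.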

dlysnes commented 2 years ago

Well, I got some reply from them, and now it seems like they have fixed the certificate :) Working here at least

JSkier21 commented 2 years ago

> Well, I got some reply from them, and now it seems like they have fixed the certificate :) Working here at least

Also got a reply from them, which was surprising. Glad they updated the chain properly.