vhs / vhs-door-nfc

Space access using NFC + PIN code
Apache License 2.0

membership.vanhack.ca has changing certificates #1

Closed TyIsI closed 5 years ago

TyIsI commented 5 years ago

membership.vanhack.ca uses Let's Encrypt for HTTPS certificates, which change every 3 months.

This puts a limit on hardcoded certificates in the code.

lukecyca commented 5 years ago

This is fairly easily overcome by pinning the "Let’s Encrypt Authority X1" intermediate cert instead of a leaf cert. The leaf cert changes regularly, but will always be signed by this intermediate key which is likely to stay stable for a long time.

In this thread they discuss whether this intermediate cert will be stable forever. It sounds like LE is not guaranteeing that, but indicates it should be stable for a long time.

In the unlikely event it changes, we'd have to reflash our embedded device. Not a catastrophe.
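
An added example, not part of this thread or the project's firmware: a bash script that builds a throwaway certificate chain with the openssl CLI and shows that a pinned intermediate keeps accepting a renewed leaf, while a pinned leaf does not. The CN `membership.example`, all file names and the helper functions are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example. All keys and certs are throwaway, constructed locally; the
# CN "membership.example" and every file name are placeholders.
set -eu

# Build root -> intermediate -> leaf1, leaf2 (a "renewal" with a new key),
# plus "other": a self-signed cert for the same name from outside the chain.
make_pki() {
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  for n in 1 2; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=membership.example" \
      -keyout "$d/leaf$n.key" -out "$d/leaf$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf$n.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -CAcreateserial -days 30 -out "$d/leaf$n.pem" 2>/dev/null
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=membership.example" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Intermediate pin: the only trust anchor is the intermediate ($1).
# -partial_chain lets a non-self-signed cert terminate the chain.
intermediate_pin_accepts() {
  openssl verify -no-CApath -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Leaf pin: the presented cert ($2) must be identical to the pinned one ($1).
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
leaf_pin_accepts() { [ "$(fp "$1")" = "$(fp "$2")" ]; }

d=$(mktemp -d)
make_pki "$d"
for c in leaf1 leaf2 other; do
  intermediate_pin_accepts "$d/int.pem" "$d/$c.pem" && r=accept || r=reject
  echo "pin=intermediate presented=$c -> $r"
done
leaf_pin_accepts "$d/leaf1.pem" "$d/leaf2.pem" && r=accept || r=reject
echo "pin=leaf1 presented=leaf2 -> $r"
```

The `other` case shows that the intermediate pin still rejects a certificate for the same name that the pinned intermediate did not sign.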

richard-sim commented 5 years ago

I think we’re already good - we use the exact same cert for isvhsopen.com and Nomos, even though they were extracted separately (and the code treats them separately just in case)

On Fri, Feb 1, 2019 at 3:26 PM Luke Cyca notifications@github.com wrote:

This is fairly easily overcome by pinning the "Let’s Encrypt Authority X1" intermediate cert instead of a leaf cert. The leaf cert changes regularly, but will always be signed by this intermediate key which is likely to stay stable for a long time.

In this thread https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625 they discuss whether this intermediate cert will be stable forever. It sounds like LE is not guaranteeing that, but indicates it should be stable for a long time.

In the unlikely event it changes, we'd have to reflash our embedded device. Not a catastrophe.

richard-sim commented 5 years ago

Take a look at this file that has both the command and full cert chain to see what we’re using. LMK if you think something still needs to change.

https://github.com/vhs/vhs-door-nfc/blob/master/software/esp32-firmware/src/nomos_cert.h

lukecyca commented 5 years ago

Looks like you are embedding "Let's Encrypt Authority X3" which is totally reasonable.

LE has already retired their X1 and X2 intermediates, so it's possible they'll retire this one eventually too. In that case we'd just have to reflash this one embedded device. Not the end of the world.

Nice work on this firmware, BTW!

richard-sim commented 5 years ago

Thanks! 👍

Closing this issue as it looks like it's a non-issue, at least for now. :)