How to update ca-certificates/OpenSSL?

Hello there!

We are currently on BSP Version 2.8.6. As we have ties to the legacy update tool and wifi issues with the 2.8.7, we are currently not able to upgrade to a new BSP version.

We currently have issues accessing one of your services from our device, as our server is using a Let’s Encrypt certificate, and the old Let’s Encrypt CA expired just at the end of last week. Now the certificate validation fails, because the current BSP doesn’t have the new Let’s Encrypt root CA.

My guess would be that an update to the ca-certificates package (and maybe OpenSSL) would fix that.

Any suggestions on how to update just those two packages?

Environment:
Colibri iMX6 Solo 256MB V1.1A
Viola Carrier Board V1.2B PLUS
Linux BSP 2.8.6

Any package version can be built; update ca-certificates*.bb. Try it! Dependencies can be a problem.

You can also try copying the files from the new version to /etc/ssl/cert.

The thing is, I would like to check in the changes in the repo of our layer. So I guess creating a new ca-certificates_%.bbappend file in our layer and copying the changes from ca-certificates_20190110.bb\ca-certificates\recipes-support\meta - openembedded-core - OpenEmbedded Core layer or maybe even OpenEmbedded Layer Index - ca-certificates could work?

Yeah, I also thought about manually adding the new root CA, although that’s something I would like to avoid.
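
Before and after rebuilding ca-certificates, it helps to confirm what the image's trust store actually contains. The following is an added example, not part of the thread or of the BSP: it uses the `openssl` CLI to list expired (or soon-to-expire) CAs in a PEM bundle and to check whether a given root, for instance Let's Encrypt's "ISRG Root X1", is present. The function names and the default bundle path are assumptions.

```shell
#!/bin/sh
# Added example: audit a PEM CA bundle with the openssl CLI.
# Assumed default location of the bundle; adjust for your image.
BUNDLE_DEFAULT=/etc/ssl/certs/ca-certificates.crt

# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/N.pem
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# expiring_cas [BUNDLE] [SECONDS]: print subject and notAfter of every CA that
# is expired or expires within SECONDS (default 0 = already expired).
# Returns 1 if at least one such CA was found, 0 otherwise.
expiring_cas() {
    bundle=${1:-$BUNDLE_DEFAULT}; window=${2:-0}
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    found=0
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' '; echo
            found=1
        fi
    done
    rm -rf "$tmp"
    return "$found"
}

# has_ca NAME [BUNDLE]: succeed if some certificate subject contains NAME
# (plain substring match, so pass the full common name).
has_ca() {
    bundle=${2:-$BUNDLE_DEFAULT}
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    rc=1
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        if openssl x509 -in "$pem" -noout -subject 2>/dev/null | grep -qF "$1"; then
            rc=0; break
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}
```

After sourcing the file on the device, `has_ca "ISRG Root X1"` answers whether the root is in the bundle, and `expiring_cas` with no arguments lists roots that have already expired.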