Known fatal error – workaround for expired SSL certificate when cloning LwIP library


markgsaunders

We have discovered a problem with the lwip library in ModusToolbox 2.0, 2.1, 2.2 and 2.3. It occurs when creating a new Wi-Fi project or updating the lwip library in an existing project. The problem is reported as a fatal error.

fatal: unable to access 'https://git.savannah.nongnu.org/git/lwip/': SSL certificate problem: certificate has expired

There is a defect in versions of OpenSSL prior to 1.1.0 which, as of September 30, causes web accesses with the Let's Encrypt intermediate certificate (Let's Encrypt R3) to fail. Let's Encrypt R3 contains signatures from two roots: DST Root CA X3 and ISRG Root X1. As explained by Let’s Encrypt (DST Root CA X3 Expiration), the former certificate has expired but the latter remains trusted. The defective versions of OpenSSL require both certificates to be trusted and erroneously deny the access.

OpenSSL 1.1.0 is used by the modus-shell utility on Windows hosts in all versions of ModusToolbox. The soon-to-be released ModusToolbox 2.4 shall include a newer version of OpenSSL to correct the problem.

To safely and reliably access lwip from ModusToolbox 2.3 and earlier, follow these steps to remove the expired certificate.

  1. Open the file ~\ModusToolbox\tools_2.x\modus-shell\etc\pki\ca-trust\extracted\pem\tls-ca-bundle.pem in a text editor
  2. Search for the line beginning with the comment "# DST Root CA X3"
  3. Delete that line and the associated certificate, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
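
The three steps above as a script for a bash prompt such as modus-shell, added here as an example; it is not part of the original post or of ModusToolbox, and the function names and sample bundle are constructed. It assumes each certificate in the bundle is preceded by its "# name" comment line, as the steps describe, and it refuses to write unless exactly one certificate is removed.

```shell
# Added example; function names and the sample bundle are constructed.

# Print bundle $2 without the block that starts at the comment line "# $1"
# and ends at the next END CERTIFICATE line.
strip_ca_block() {
  awk -v label="# $1" '
    index($0, label) == 1 { skip = 1; next }
    skip && /^-----END CERTIFICATE-----/ { skip = 0; next }
    !skip { print }
  ' "$2"
}

# Number of certificates in a bundle (prints 0 when there are none).
count_certs() { grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# Remove the certificate labelled $1 from bundle $2, keeping a .bak copy.
remove_ca() {
  before=$(count_certs "$2")
  tmp=$(mktemp) || return 1
  strip_ca_block "$1" "$2" > "$tmp"
  removed=$((before - $(count_certs "$tmp")))
  # Refuse to touch the bundle unless exactly one certificate went away
  # (label missing, duplicated, or its END line missing).
  if [ "$removed" -ne 1 ]; then
    rm -f "$tmp"
    echo "bundle left unchanged: would remove $removed certificates" >&2
    return 1
  fi
  # cat > keeps the original file's permissions; cp -p keeps the backup's.
  cp -p "$2" "$2.bak" && cat "$tmp" > "$2" && rm -f "$tmp"
}

# Constructed sample bundle: placeholder bodies, not real certificates.
write_sample_bundle() {
  cat > "$1" <<'EOF'
# ISRG Root X1
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQQ==
-----END CERTIFICATE-----
# DST Root CA X3
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQg==
-----END CERTIFICATE-----
# Example Root (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQw==
-----END CERTIFICATE-----
EOF
}
```

To apply it, call `remove_ca "DST Root CA X3"` with the tls-ca-bundle.pem path from step 1 as the second argument; the untouched original stays beside it with a `.bak` suffix.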
2 Replies
Harris_Chan

Thanks a lot, Mark, your fix worked for me (while creating AnyCloud_MQTT_Client code example project), really wonderful timing on the post indeed for my answering/demoing to DFAEs on this issue 😉

0 Likes