AnyCloud SDK

markgsaunders
Employee

We have discovered a problem with the lwip library in ModusToolbox 2.0, 2.1, 2.2 and 2.3. It occurs when creating a new Wi-Fi project or updating the lwip library in an existing project. The problem is reported as a fatal error.

fatal: unable to access 'https://git.savannah.nongnu.org/git/lwip/': SSL certificate problem: certificate has expired

There is a defect in versions of OpenSSL prior to 1.1.0 which, as of September 30, causes web accesses with the Let's Encrypt intermediate certificate (Let's Encrypt R3) to fail. Let's Encrypt R3 contains signatures from two roots: DST Root CA X3 and ISRG Root X1. As explained by Let’s Encrypt (DST Root CA X3 Expiration), the former certificate has expired but the latter remains trusted. The defective versions of OpenSSL require both certificates to be trusted and erroneously deny the access.

OpenSSL 1.1.0 is used by the modus-shell utility on Windows hosts in all versions of ModusToolbox. The soon-to-be released ModusToolbox 2.4 shall include a newer version of OpenSSL to correct the problem.

To safely and reliably access lwip from ModusToolbox 2.3 and earlier, follow these steps to remove the expired certificate.

  1. Open the file ~\ModusToolbox\tools_2.x\modus-shell\etc\pki\ca-trust\extracted\pem\tls-ca-bundle.pem in a text editor
  2. Search for the line beginning with the comment "# DST Root CA X3"
  3. Delete that line and the associated certificate, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
2 Replies
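Steps 1-3 of the post above in script form, added here as an example; it is not part of the original post or of ModusToolbox. The function names and the sample bundle are made up for illustration, and the script assumes a POSIX shell with awk and grep.

```shell
#!/bin/sh
# Added example, not ModusToolbox code. Scripted form of steps 1-3.
# Usage: sh remove_ca.sh <path to the tls-ca-bundle.pem named in step 1>

count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# remove_ca_block BUNDLE LABEL
# Deletes the "# LABEL" comment line and the certificate after it, through
# its END CERTIFICATE line. Saves BUNDLE.bak; edits nothing if a check fails.
remove_ca_block() {
    bundle=$1; want="# $2"; tmp="$bundle.tmp.$$"
    [ -f "$bundle" ] || { echo "no such file: $bundle" >&2; return 2; }
    # Assumption: the comment line holds only the label (trailing CR tolerated).
    hits=$(awk -v want="$want" '{ sub(/\r$/, "") } $0 == want { n++ }
                                END { print n + 0 }' "$bundle")
    [ "$hits" -eq 1 ] || { echo "expected one '$want' line, found $hits" >&2; return 1; }
    before=$(count_certs "$bundle")
    awk -v want="$want" '
        { line = $0; sub(/\r$/, "", line) }
        !skip && line == want { skip = 1; next }   # step 2: the comment line
        skip { if (line == "-----END CERTIFICATE-----") skip = 0; next }  # step 3
        { print }
    ' "$bundle" > "$tmp"
    # Exactly one certificate must be gone; anything else means a malformed block.
    if [ "$(count_certs "$tmp")" -ne $((before - 1)) ]; then
        rm -f "$tmp"; echo "certificate count mismatch; bundle unchanged" >&2; return 1
    fi
    cp -p "$bundle" "$bundle.bak" && cat "$tmp" > "$bundle" && rm -f "$tmp"
}

# Constructed sample bundle: two labels from the post plus one made-up label,
# with placeholder bodies (not real certificates).
make_sample_bundle() {
    for name in "Example Root A" "DST Root CA X3" "ISRG Root X1"; do
        printf '# %s\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n\n' "$name"
    done > "$1"
}

# Touch a real bundle only when a path is given on the command line.
[ $# -eq 0 ] || remove_ca_block "$1" "DST Root CA X3"
```

The script refuses to edit when the label is missing or appears more than once, so running it a second time leaves the bundle as it is.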
ShunC_96
Employee

Thanks a lot, Mark, your fix worked for me (while creating AnyCloud_MQTT_Client code example project), really wonderful timing on the post indeed for my answering/demoing to DFAEs on this issue 😉

0 Likes