03-20-2023, 06:59 AM   #1
stefer
Device: KPW3
Updating ca-certificates

I've been trying to update the ca certificate bundle on my KPW3 without much success. Since it's still running 5.14.2, the certificate bundle is pretty old, and the device can't connect to any web servers that use Let's Encrypt certs anymore.

According to this post, I would need to update /etc/ssl/ca-certificates.crt and /usr/java/lib/security/cacerts, so I downloaded the latest (5.15.1.1) firmware image, extracted the rootfs squashfs image with kindletool, copied the two files from it and replaced the corresponding files on my KPW3 (ca-certificates.crt is a symlink to ca-certificates-prod.crt so I replaced ca-certificates-prod.crt instead).

I'm not quite sure how to test the updated java keystore, but the updated ca-certificates.crt doesn't seem to be working with openssl s_client ootb. The error message I get is "Verify return code: 20 (unable to get local issuer certificate)", and the experimental web browser can't establish a secure connection with anything that uses Let's Encrypt certs either. However, curl or wget seem to be able to pick it up without any issues, and openssl will give me "Verify return code: 0 (ok)" as well if I specify the CA file with -CAfile /etc/ssl/certs/ca-certificates.crt.

So the question is what am I missing here? Since the updated CA certificate bundle seems to work just fine if I explicitly tell openssl to use it, do I have a configuration issue? I've searched on this forum on this topic and wasn't able to find any concrete answers so far.

Note: This is my first post so apologies if there are any formatting issues. It would be great if someone can tell me if there's a way to do inline monospace text too.
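An added diagnostic, not part of the original post: it reports where OpenSSL looks when no -CAfile is given, which is the gap between the failing and the working s_client runs described above. It assumes a stock OpenSSL layout (cert.pem and a hashed certs/ directory under OPENSSLDIR); the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not from the post.

# Pull the directory out of `openssl version -d` output,
# which looks like:  OPENSSLDIR: "/usr/lib/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# What a stock OpenSSL finds with no -CAfile/-CApath under a given OPENSSLDIR.
# Prints: file (cert.pem readable), dir (hashed names in certs/), or none.
default_store_status() {
    dir=$1
    if [ -r "$dir/cert.pem" ]; then
        echo file; return 0
    fi
    # Directory lookup only matches <subject-hash>.<n> names (constructed
    # sample: 1a2b3c4d.0); a bundle in certs/ under another name is never opened.
    for f in "$dir"/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$f" ]; then echo dir; return 0; fi
    done
    echo none; return 1
}

# True when the bundle that verifies with -CAfile is the file the default loads.
bundle_is_default() {
    bundle=$1; dir=$2
    [ -e "$dir/cert.pem" ] &&
        [ "$(readlink -f "$bundle")" = "$(readlink -f "$dir/cert.pem")" ]
}

diagnose() {
    ossldir=$(parse_openssldir "$(openssl version -d)")
    echo "OPENSSLDIR:    $ossldir"
    # Environment overrides consulted for the default file and directory
    echo "SSL_CERT_FILE: ${SSL_CERT_FILE:-<unset>}"
    echo "SSL_CERT_DIR:  ${SSL_CERT_DIR:-<unset>}"
    echo "default store: $(default_store_status "$ossldir")"
    if bundle_is_default "$1" "$ossldir"; then
        echo "$1 is the default CA file"
    else
        echo "$1 is NOT the default CA file"
    fi
}

# Usage: sh check-ca.sh /etc/ssl/certs/ca-certificates.crt
if [ -n "${1:-}" ] && command -v openssl >/dev/null 2>&1; then
    diagnose "$1"
fi
```

A result of "none" together with "NOT the default CA file" means the replaced bundle is valid but sits outside the paths this OpenSSL build searches by default.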