03-20-2023, 06:59 AM   #1
stefer
Updating ca-certificates

I've been trying to update the ca certificate bundle on my KPW3 without much success. Since it's still running 5.14.2, the certificate bundle is pretty old, and the device can't connect to any web servers that use Let's Encrypt certs anymore.

According to this post, I would need to update /etc/ssl/ca-certificates.crt and /usr/java/lib/security/cacerts, so I downloaded the latest (5.15.1.1) firmware image, extracted the rootfs squashfs image with kindletool, copied the two files from it and replaced the corresponding files on my KPW3 (ca-certificates.crt is a symlink to ca-certificates-prod.crt so I replaced ca-certificates-prod.crt instead).

I'm not quite sure how to test the updated java keystore, but the updated ca-certificates.crt doesn't seem to be working with openssl s_client ootb. The error message I get is "Verify return code: 20 (unable to get local issuer certificate)", and the experimental web browser can't establish a secure connection with anything that uses Let's Encrypt certs either. However, curl or wget seem to be able to pick it up without any issues, and openssl will give me "Verify return code: 0 (ok)" as well if I specify the CA file with -CAfile /etc/ssl/certs/ca-certificates.crt.

So the question is what am I missing here? Since the updated CA certificate bundle seems to work just fine if I explicitly tell openssl to use it, do I have a configuration issue? I've searched on this forum on this topic and wasn't able to find any concrete answers so far.

Note: This is my first post so apologies if there are any formatting issues. It would be great if someone can tell me if there's a way to do inline monospace text too.
03-20-2023, 07:08 AM   #2
Kusuri
I don't know if this is the case on Kindles, but some browsers have their own certificate storage. So even if you update the operating system certs, it can't use those and has its own storage for certs. Could it be that the Kindle's browser maybe has such a storage? Especially since you mentioned that curl and wget work?
03-20-2023, 07:16 AM   #3
stefer
Yeah that could certainly be a possibility, but I'm struggling to find another cert store in the rootfs, so I'm hoping someone might have an idea on where the browser is reading the cert storage from.
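
Added example, not part of the thread or of any poster's reply: a shell check for one possible cause of the symptom in post #1, where the bundle verifies with -CAfile but not by default. OpenSSL's default trust lookup uses cert.pem and the hashed certs/ directory under its compiled-in OPENSSLDIR (unless SSL_CERT_FILE or SSL_CERT_DIR override them); the function name and result strings are made up here, and whether the Kindle's openssl build relies on these defaults is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: check_default_store OPENSSLDIR BUNDLE
# Prints one of:
#   cafile-match   OPENSSLDIR/cert.pem exists and has the same content as BUNDLE
#   cafile-differs OPENSSLDIR/cert.pem exists but is not the updated BUNDLE
#   capath-only    no cert.pem, but certs/ holds hash-named entries
#   none           neither default location is usable
check_default_store() {
    ssldir=$1
    bundle=$2
    cafile="$ssldir/cert.pem"   # default CAfile location
    capath="$ssldir/certs"      # default CApath (hashed directory)

    if [ -e "$cafile" ]; then
        # cmp follows symlinks, so a link to the bundle counts as a match.
        if cmp -s "$cafile" "$bundle"; then
            echo cafile-match
        else
            echo cafile-differs
        fi
        return 0
    fi

    # A CApath lookup only finds files named <8 hex digits>.<n>;
    # a plain ca-certificates.crt sitting in certs/ is never consulted.
    for f in "$capath"/*; do
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                [ -e "$f" ] && { echo capath-only; return 0; } ;;
        esac
    done
    echo none
    return 0
}

# Run against the local OpenSSL build when one is installed.
if command -v openssl >/dev/null 2>&1; then
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    echo "OPENSSLDIR=$dir -> $(check_default_store "$dir" /etc/ssl/certs/ca-certificates.crt)"
fi
```

A result of `none` or `cafile-differs` would be consistent with openssl failing by default while curl and wget, which carry their own configured bundle path, succeed.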
All times are GMT -4.