Due to some unfortunate circumstances - that we dropped the ball on - combined with some long overdue maintenance, the laser cutter is currently out of order.
Details:
Due to the retirement of a particular Let’s Encrypt certificate, the laser pi is currently not able to communicate to the membership software to verify users.
Unfortunately, all the software on the pi is also horribly out of date, and while @lukecyca and I tried a whole bunch of things, we weren’t able to get a work-around in place.
More unfortunate is that it takes a while to get the software compiled and installed on a replacement.
Perhaps you and @lukecyca have already exhausted these avenues or your energy to work around this, but I’ve also been dealing with the expiration of this root certificate today, so have amassed some knowledge about what happened, why, and how to work around it.
The first problem is that the old ‘trusted root’ certificate that signed LE’s CA expired, and the new ‘trusted root’ isn’t contained in the trust store of many older software builds. This is relatively simple to fix, just install it manually. On Debian/Ubuntu-ish distros, this should involve acquiring the certificate (from here), placing it in /usr/local/share/ca-certificates (the filename must end in .crt) and running sudo update-ca-certificates.
The bigger / harder problem is that the recommended certificate chain that LE issues includes a hack to support older Android releases that OpenSSL prior to 1.1.0 (as found in e.g. Ubuntu 16.04) will fail to validate. Worse, I think it means that it’s impossible to make this certificate validate at all, even if installing all of its CAs manually. The solution here involves reconfiguring the ACME client on the server (e.g. certbot) to request the shortened chain that is compatible with older OpenSSL (sacrificing support for older Android). I think that VHS maintains this server itself, so this should be feasible. To do this, select the chain with CN “ISRG Root X1”; adding --preferred-chain "ISRG Root X1" to the certbot command should do it.
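A quick way to tell which of the two chains a server is currently sending is to parse the “Certificate chain” summary that openssl s_client -showcerts prints. The script below is an added example (not from this thread or from VHS): it assumes that summary format, uses constructed sample output rather than a capture from the VHS server, and supplies the name of the expired root (DST Root CA X3, which cross-signed ISRG Root X1) that the post above only refers to as the old ‘trusted root’.

```python
import re
from typing import List, Tuple

# Constructed sample of the chain summary from `openssl s_client -showcerts`
# (assumed 1.1.1-style "s:/i:" lines, not output captured from a real host).
# Cert 2 is ISRG Root X1 cross-signed by the expired DST Root CA X3: this is
# the default "long" chain kept for old Android, which OpenSSL < 1.1.0 rejects
# because it follows the chain up to the expired root instead of stopping at
# the ISRG Root X1 already in the trust store.
LONG_CHAIN = """\
Certificate chain
 0 s:CN = example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# The "short" chain that certbot --preferred-chain "ISRG Root X1" produces.
SHORT_CHAIN = "\n".join(LONG_CHAIN.splitlines()[:5]) + "\n---\n"

EXPIRED_ROOT = "DST Root CA X3"   # expired 2021-09-30, signed the cross-sign
MODERN_ROOT = "ISRG Root X1"      # the root older trust stores must carry


def cn_of(dn: str) -> str:
    """Extract the CN from either 'CN = X' or legacy '/CN=X' DN syntax."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return (subject CN, issuer CN) pairs in the order the server sent them."""
    pairs, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+\s+s:(.*)$", line)
        if s:
            subject = cn_of(s.group(1))
            continue
        i = re.match(r"\s*i:(.*)$", line)
        if i and subject is not None:
            pairs.append((subject, cn_of(i.group(1))))
            subject = None
    return pairs


def classify_chain(text: str) -> str:
    """'long' = cross-signed via the expired root; 'short' = ends at ISRG Root X1."""
    issuers = [issuer for _, issuer in parse_chain(text)]
    if not issuers:
        return "empty"
    if EXPIRED_ROOT in issuers:
        return "long"
    return "short" if issuers[-1] == MODERN_ROOT else "unknown"
```

On a live system, feed it the output of echo | openssl s_client -connect host:443 -showcerts; a result of "long" on a server that must serve OpenSSL 1.0.x clients is the case the --preferred-chain change above fixes.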
In the meantime, if this is going to be a multi-day/week thing, is there a hardware hack that we can implement as a workaround? Like a physical combi lock on a switch kind of thing, similar to what we do with the door code, or the woodshop tools?