[Mostly Fixed] Laser Cutter

Due to some unfortunate circumstances - that we dropped the ball on - combined with some long overdue maintenance, the laser cutter is currently out of order.

Details:
Due to the retirement of a particular Let’s Encrypt certificate, the laser pi is currently not able to communicate to the membership software to verify users.

Unfortunately, all the software on the pi is also horribly out of date, and while @lukecyca and I tried a whole bunch of things, we weren’t able to get a work-around in place.

More unfortunate is that it takes a while to get the software compiled and installed on a replacement.

We’ll keep you posted.

Perhaps you and @lukecyca have already exhausted these avenues or your energy to work around this, but I’ve also been dealing with the expiration of this root certificate today, so have amassed some knowledge about what happened, why, and how to work around it.

The first problem is that the old ‘trusted root’ certificate that signed LE’s CA expired, and the new ‘trusted root’ isn’t contained in the trust store of many older software builds. This is relatively simple to fix, just install it manually. On Debian/Ubuntu-ish distros, this should involve acquiring the certificate (from here), placing it in /usr/local/share/ca-certificates (the filename must end in .crt) and running sudo update-ca-certificates.

The bigger / harder problem is that the recommended certificate chain that LE issues includes a hack to support older Android releases that OpenSSL prior to 1.1.0 (as found in e.g. Ubuntu 16.04) will fail to validate. Worse, I think it means that it’s impossible to make this certificate validate at all, even if installing all of its CAs manually. The solution here involves reconfiguring the ACME client on the server (e.g. certbot) to request the shortened chain that is compatible with older OpenSSL (sacrificing support for older Android). I think that VHS maintains this server itself, so this should be feasible. To do this, select the chain with CN “ISRG Root X1”, adding --preferred-chain "ISRG Root X1" to the certbot command should do it.

4 Likes
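The two fixes described in the post above, sketched as client-side shell helpers. This is an added example, not code from the thread or from the laser pi: the function names `older_than_110`, `stage_root_cert` and `triage` are hypothetical, and the version lines are constructed samples.

```shell
#!/bin/sh
# Added example: client-side helpers for the two problems described above.

# Classify an `openssl version` line: exit 0 if older than 1.1.0 (cannot
# validate the default chain, per the post), 1 if 1.1.0 or newer, 2 if the
# line is not an OpenSSL version (e.g. LibreSSL numbers releases differently).
older_than_110() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major.$minor" in
        .*|*.|*[!0-9.]*) return 2 ;;
    esac
    [ "$major" -lt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -lt 1 ] && return 0
    return 1
}

# Copy a PEM certificate into the local CA directory under a name ending in
# .crt (update-ca-certificates skips other extensions) and print the new path.
# The second argument overrides the directory so this can be tried unprivileged.
stage_root_cert() {
    src=$1
    dir=${2:-/usr/local/share/ca-certificates}
    grep -q -e '-----BEGIN CERTIFICATE-----' "$src" || return 1
    name=$(basename "$src")
    dest="$dir/${name%.*}.crt"
    cp -- "$src" "$dest" && printf '%s\n' "$dest"
}

# Say which fix from the post applies to a client with this version line.
triage() {
    rc=0
    older_than_110 "$1" || rc=$?
    case $rc in
        0) echo "short-chain" ;;   # server: certbot --preferred-chain "ISRG Root X1"
        1) echo "install-root" ;;  # client: stage_root_cert, then update-ca-certificates
        *) echo "unknown" ;;
    esac
}

# Constructed sample version lines, not captured from the laser pi.
for line in "OpenSSL 1.0.1t  3 May 2016" "OpenSSL 1.1.1k  25 Mar 2021"; do
    printf '%s -> %s\n' "$line" "$(triage "$line")"
done
```

After `stage_root_cert` has copied the root into the real directory, `sudo update-ca-certificates` still has to be run for the trust store to pick it up.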

Yeah, it’s OpenSSL 1.0.1, which is exactly the issue you’re describing

In the meantime, if this is going to be a multi-day/week thing, is there a hardware hack that we can implement as a workaround? Like a physical combi lock on a switch kind of thing, similar to what we do with the door code, or the woodshop tools?

Multiple avenues are currently being explored. I hope to have an update later this evening.

Worst case scenario, that could be a thing. But administration would be challenging to say the least.

3 Likes

Big thanks to @noirsette for reviving and reinstalling the laser-pi!

I’m currently reinstalling all the software. (Which will take a while)

3 Likes

Well… that went faster than expected. The laser cutter should now be available again.

Can the next person confirm this with me?

3 Likes

I just tried it now.

:x: Github:

  1. Click Github button.
  2. Github asks for my credentials, so I provide them.
  3. Get error on the laser.vanhack.ca page:
    failed to fetch user profile

:white_check_mark: Google:
It works (laser is on now). Note that I only recently linked my Google account to my membership on 28 Sept.

:x: Slack:

  1. Click Slack button.
  2. I get error
    Unable to verify your account. Check that your account is linked
    Well, my account is not linked, in fact, so when I try to do that
  3. Try to link Slack. Go to Nomos > User Profile > Click Slack button where it says “Link new Account”.
  4. Click “Allow” when it displays “VHS Membership Management is requesting permission to access the VHS Slack workspace”
  5. Error:
     vanhack.slack.com is currently unable to handle this request.
     HTTP ERROR 500
    
1 Like

I’m gonna try to update the GitHub OAuth functionality.

Upgrading everything on my test pi left the entire thing inoperable, so selective upgrading will be next up.

The rest of the laser cutter has been tested and is good to go.

So only Slack and Google authentication will work right now.

2 Likes

Thanks for working on yet another infrastructure thang. Let us know where the cider/tip jar is.

1 Like
