How do we handle certificate changes on bintray.com? #7
This seems like a chicken-and-egg problem: after Bintray changes the certificate on their servers, nodes which hold the previous certificate in flash memory are no longer able to download binaries from bintray.com. Therefore it will not be possible to update certificates on nodes by pushing a new firmware to them incorporating the new Bintray certificate.
Ah... you are right. I already reported this issue to Bintray. Let's see, maybe they will improve something.
@ivankravets - Has there been any progress on this?
Sorry, no updates :(
This would seem to make Bintray an unusable method for OTA updates of large numbers of edge IoT devices. Are there any solutions out there that work with the Arduino framework?
If you plan to use this for production, it's better to use your own endpoint with free https://letsencrypt.org/. There are a lot of cheap VPS for a few dollars per month. So, you can create your own JSON manifest and DL endpoint. Bintray is mostly oriented toward powerful clients.
Thanks for the suggestion, @ivankravets. Unfortunately, it looks like letsencrypt.org requires that certificates be changed every 90 days. That is worse than Bintray. :(
@ivankravets - I didn't pick up on your VPS suggestion when I first read your comment. That's a great idea which I will definitely explore. Thanks!!
Did not get it yet, can you explain the concept a little further? What is VPS?
VPS for $5/mo
Instead of a VPS, you can use AWS or another computing service which will charge you per resource usage. You can tune the publish process here https://github.com/platformio/bintray-secure-ota/blob/master/publish_firmware.py#L31 So, you will still be able to deploy firmware to your VPS backend where IoT devices will check for updates.
VPS = Virtual Private Server (see https://en.wikipedia.org/wiki/Virtual_private_server). It is a virtual machine running on a cloud device which acts as a server. This allows the user to have superuser authority on the virtual server. As I understand it from reading the linked article, this should allow one to control their own security certificates and when they are updated. It's an elegant solution, but may require more expertise than I currently have. Still learning, though.
@ivankravets and I cross-posted.
OK, you're talking about your own servers, now I got it. Of course I have a "VPS" (at Scaleway, as low as $2.99/mth max). But doesn't it mean I must install a complete Bintray JFrog instance on my VPS?
Just install
@ivankravets I'm not sure I got it - that means not using JFrog Bintray and the Bintray class in code any more, but setting up my own update server and code for downloading?
I'm not a security expert. Can we keep only the root certificate on a target device?
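The chicken-and-egg problem above and the root-certificate question are really the same point: a device that pins the server's leaf certificate is cut off the moment the server renews it, while a device that pins the issuing root keeps working as long as new leaves chain to that root. The following is an added example, not code from this thread or from the bintray-secure-ota project; it assumes only the openssl CLI, and the CA and host names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): pinning the root CA survives a server
# leaf-certificate rotation, pinning the leaf fingerprint does not.
# Assumes the openssl CLI is installed; all names below are constructed.
set -eu

# make_ca DIR: self-signed root CA, i.e. the certificate a device would keep in flash
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ota-root" \
    -keyout "$1/root.key" -out "$1/root.pem" >/dev/null 2>&1
}

# issue_leaf DIR NAME: short-lived server certificate signed by that root
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ota.example.test" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -out "$1/$2.pem" >/dev/null 2>&1
}

# leaf_fingerprint FILE: the value a device pinning the leaf would have to store
leaf_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# chains_to_root ROOT LEAF: succeeds only if LEAF was signed by ROOT (root-pinned check)
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# rotation_demo: issue two leaves from one root and compare both pinning strategies.
# Returns 0 when the root pin still accepts the renewed leaf.
rotation_demo() {
  dir=$(mktemp -d)
  make_ca "$dir"
  issue_leaf "$dir" leaf1          # certificate present when the firmware was built
  issue_leaf "$dir" leaf2          # server renews: new key, same CA
  fp1=$(leaf_fingerprint "$dir/leaf1.pem")
  fp2=$(leaf_fingerprint "$dir/leaf2.pem")
  if [ "$fp1" = "$fp2" ]; then echo "leaf pin: still valid"; else echo "leaf pin: BROKEN"; fi
  if chains_to_root "$dir/root.pem" "$dir/leaf2.pem"; then
    echo "root pin: still valid"; rc=0
  else
    echo "root pin: BROKEN"; rc=1
  fi
  rm -rf "$dir"
  return $rc
}

rotation_demo
```

The root also expires eventually, so a root pin only lengthens the window; the firmware's trust store still needs a refresh plan before that date.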
How can we change a certificate on a node after Bintray has changed their server-side certificates?
How do we handle certificate renewals?