Conversation

@PH89

@PH89 PH89 commented Dec 14, 2025

This replaces the CA certificate in favor of repairing the OTA update feature.

@eku
Contributor

eku commented Dec 15, 2025

Is it permissible to ask what the problem was and where the certificates came from?

@PH89
Author

PH89 commented Dec 15, 2025

Sure thing. GitHub was changing to a new CA, so the previous CA certificate that was used caused a validation error. The certificate is the current CA chain of github.com.

@eku
Contributor

eku commented Dec 15, 2025

> Sure thing. GitHub was changing to a new CA, so the previous CA certificate that was used caused a validation error. The certificate is the current CA chain of github.com.

Thanks. Any reason to include two certs?
BTW plain HTTP would also work.

@PH89
Author

PH89 commented Dec 15, 2025

The other certificate is the so-called intermediate CA certificate.
A chain of trust in SSL normally works using a CA chain. In the case of github.com it's:

USERTrust RSA Certification Authority [CA]
| signs
Sectigo RSA Domain Validation Secure Server CA [Intermediate CA]
| signs
*.github.io [Endpoint Certificate]

We need the CA and Sub-CA (intermediate) to perform a full validation of the endpoint certificate (*.github.io).

Unencrypted (plain) HTTP is not working anymore.
That's why @Blueforcer was already implementing the OTA update feature over HTTPS.
Even if it were possible with plain HTTP, it would be a security issue.
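The root/intermediate/endpoint relationship described in the comment above, as an added example that is not part of this PR or of the awtrix code base: a throwaway three-level chain is built in memory with Go's standard library, and the endpoint is then verified with the root alone, with the root plus the intermediate presented during the handshake, and with both certificates bundled as trust anchors (the situation the PR's two embedded certs create). All names, serials and the `ota.example` hostname are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn with a throwaway P-256 key; parent == nil means self-signed (a root CA).
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if !isCA {
		tmpl.DNSNames = []string{cn} // the endpoint certificate names its host in a SAN
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// NewChain builds root CA -> intermediate CA -> endpoint, mirroring USERTrust -> Sectigo -> *.github.io (constructed names).
func NewChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := mkCert("Example Root CA", true, 1, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", true, 2, root, rootKey)
	leaf, _ := mkCert("ota.example", false, 3, inter, interKey)
	return root, inter, leaf
}
// VerifyLeaf validates leaf against the trusted set; sendInter also offers the intermediate as untrusted input, as a TLS server does in the handshake.
func VerifyLeaf(leaf, inter *x509.Certificate, trusted []*x509.Certificate, sendInter bool) error {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), DNSName: "ota.example"}
	if sendInter {
		opts.Intermediates.AddCert(inter)
	}
	_, err := leaf.Verify(opts)
	return err
}
```

With only the root trusted and no intermediate available, verification fails with an "unknown authority" error; supplying the intermediate either in the handshake or in the trusted bundle lets the chain close.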

@eku
Contributor

eku commented Dec 15, 2025

I have already suggested this elsewhere. Instead of embedding the certificate in the source code and building a new version every time it expires or is changed, it could be stored in the flash file system and read from there.

Now would be a good time to make the change.

@PH89
Author

PH89 commented Dec 15, 2025

Implementation detail, I would say. Of course it has advantages if it's read from the FS, but maintainers need to update it as a working default anyway. Not everyone using awtrix is a developer or knows how to fetch and replace a certificate in the FS. It just needs to work :)

BTW: the sub-CA expires on 01.01.2031, so I guess we still have time.
