
How to handle the certificate renewal right

Open namelesstwice opened this issue 2 months ago • 3 comments

Hi all, I'm wondering what the right way of handling the fleet telemetry domain certificate renewal is.

If I get it right, we need to pass both the intermediate and root CAs as the ca param when creating a telemetry config. I played around with the check_server_cert.sh script, and it seems like the cert check won't pass if I provide only the root CA.

From what I understand, there's no way of "pinning" the intermediate CA when using Let's Encrypt and similar tools, and even the root CA can only be set as "preferred", with no guarantee it will be used.

This drives me to the conclusion that I need to handle certificate renewals - basically reconfigure all the connected vehicles to have the right CAs. Is that the way it is supposed to work? Are there any other options that I'm missing?

namelesstwice, Oct 16 '25 14:10

There was no reason to use public certificates for this, so in my case I just used a self-signed certificate with a 10 year expiry. When I do need to roll that certificate, I fully expect I'll need to read and then push the config on every single vehicle to change the root certificates.

Bre77, Oct 16 '25 20:10

Thanks for sharing! Did it work well for you? For whatever reason, I thought Tesla cars only support publicly trusted CAs.

namelesstwice, Oct 17 '25 09:10

No, public CAs are a web browser thing.

That's why you specify the CA cert in your config: it only trusts what you tell it to trust, and so Teslemetry has been using a completely private CA for all Fleet Telemetry for 18 months. My server certs are only valid for 1 year, but I use Ansible to reissue them every so often. You can take a look at that here: https://www.sslshopper.com/ssl-checker.html#hostname=https://ft.teslemetry.com:8443

Bre77, Oct 17 '25 10:10
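As an added example (not code from the fleet-telemetry project or from either poster), the following shell script uses openssl to build the kind of private CA Bre77 describes (a long-lived root, an intermediate, a one-year server cert) and then shows what namelesstwice observed: a full-chain check of the leaf only passes when the CA bundle carries the intermediate as well as the root. All CA names, hostnames and paths are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example, not part of fleet-telemetry. Builds a throwaway private PKI
# with openssl and checks the leaf against two candidate "ca" bundles.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root CA: self-signed, long-lived (10 years), like Bre77's setup.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
  -subj "/CN=Example Fleet Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA signed by the root (constructed name).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=Example Fleet Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) cert signed by the intermediate, valid one year; the hostname is made up.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=ft.example.invalid" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ft.example.invalid\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null

# The bundle a telemetry config would carry as "ca": intermediate plus root.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"

# verify_leaf BUNDLE: prints "ok" if the bundle alone accounts for every
# issuer above the leaf, "fail" otherwise (no server-supplied intermediate).
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

ROOT_ONLY_RESULT="$(verify_leaf "$WORK/root.pem")"        # fail: issuer of the leaf is missing
FULL_BUNDLE_RESULT="$(verify_leaf "$WORK/ca-bundle.pem")" # ok: chain closes at the root
echo "root only: $ROOT_ONLY_RESULT / intermediate+root: $FULL_BUNDLE_RESULT"
```

Rolling the one-year server cert means re-signing a new CSR with the same intermediate, so the bundle pushed to vehicles stays unchanged; only a new root or intermediate forces a config update on every vehicle.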