Let's Encrypt root certificate on SailfishOS 4.x

simosagi · 30 September 2021 07:31

Today I was not able to connect from my XA2 with SFOS 4.1 to my TT-RSS server, which uses a Let’s Encrypt SSL certificate.

Checking with my workstation browser all looked ok, so as I remember that this week the old root cert was expiring today (see DST Root CA X3 Expiration (September 2021) - Let's Encrypt ) I added the new ‘ISRG Root X1’ root cert, by copying it to /etc/pki/ca-trust/source and running update-ca-trust. And the issue got solved.

I assume that SailfishOS (at least 4.1, I haven’t updated yet to 4.2) has only ‘DST Root CA X3’ ?

If somebody confirms I can open a proper bug report for the sailors.

sigurg · 30 September 2021 09:56

Works for me without issues on 4.2 as well as 4.1.
You may want to check your server’s certificate chain…

poetaster · 30 September 2021 10:25

I can connect from 4.1 to letsencrypt supplied sites (netzpolitik.org, for instance). I think it’s not the client side certs.

olf · 4 November 2021 21:35

The ca-certificates RPM version 2020.2.41-1 (which is deployed by SailfishOS 4.1.0, 4.2.0 and 4.3.0) definitely contains the ISRG Root X1 certificate, see ca-certificates/ca-certificates.changes at master · sailfishos/ca-certificates · GitHub
Even older versions of the ca-certificates RPM have deployed it for many years.

Thus adding it a second time is not the crucial point.
But by putting it into the /etc/pki hierarchy, you changed its priority, for details see centos update-ca-trust man page on unix.com
This might hint the real cause for your issues and some analysis may guide you to a comprehensible solution.

For additional information and details WRT this topic, see