Storeman and side loading problems (also: Root CA X3 certificate expiration)

General
#1

I have an old Jolla 1, running 3.4.0.24. It’s my main phone, and I am still happy with it, though my usage is pretty basic.

Recently (not sure from when) Storeman stopped working - I get a ‘network error’ message when it starts up, when I try to run a search in it, etc. I can use it to list my installed applications or any purely local functions that do not need network access.

Since I have no networking problems in any other apps I am aware of (the Jolla Store works fine), I decided to try replacing Storeman using the new Storeman installer. To do this I need to sideload, so need to set ‘allow untrusted software’. When I try to set this, I go into a loop: click on ‘allow untrusted software’, give code in ‘confirm with security code’, click on ‘accept’ in ‘untrusted software terms’ - and then it throws me back to the start, with ‘allow untrusted software’ still greyed out.

So now I have two problems…

Any suggestions to fix either?

Thanks
Graham

#2

I’ve just seen the Jolla 1 is unsupported now. I was vaguely aware this was going to happen, but assumed it would just be lack of new security fixes rather than retrospective breakage (in fact I’m pretty sure I used Storeman since 3.4, so this may even be unrelated).

Has anyone ever managed to install any other OS on a Jolla 1?

#3

Storeman changed repos to support multiple releases and archs. Search for storeman-installer

ps: I got a used xa2 after my j1 died last year and am super happy

#4

Good to know, although it feels a shame to dump my jolla1 when it has no physical problems at all.

About ‘allow untrusted software’ - any reason it might not be working for me apart from being a jolla1?

Graham

#5

Hi,

It’s a strange behaviour especially if you didn’t update Storeman. As I know there were no changes in OpenRepos API so Storeman should just keep working. I suppose you have some OS related errors.

#6

I wasn’t going to mention it, but yesterday, I took my old Jolla1 out with me, everything working okay, but storeman wouldn’t start correctly, I get the same ‘network error’ message as mentioned above. At the same time, I checked other apps were working, I could access and use Jolla Store, my email would send & receive.

I removed it, used the latest storeman installer which went without a hitch, but as stated above, I get the error message that there is no network when indeed there is network access.

My Jolla1 is on the lastest/last OS release and all apps that require internet access are working/functioning correctly.

#7

What about?

SSL certificate problem: certificate has expired

The Let’sEncrypt thing?

I have this now on a SFOS3.2.1 device (starting in Oct)

#8

Could it be this? I have noticed I’m getting a lot of ‘accept certificate for this web site?’ messages when browsing sites using letsencrypt which I don’t see on other devices. Could this be because of an older version of openssl? Or an outdated certificate store?

#9

Just try this:

openssl s_client -connect sailfish.openrepos.net:443
#10

No such command (either as nemo or root). No openssl in /usr/bin either.
I can’t connect to Jolla Store either now - just spins. Connection to web sites, mp3 streaming, etc are still ok.

Email Update Error: Check Certificate
#11 
devel-su pkcon install openssl
#12

???
Works here.
Something with your account, maybe remove account, readd (at least reenter password) and reboot?

#13

Thank you for your patience!

Yes, I’m getting the old Digital Signal Trust certificate - first line of the response is verifyerror: certificate has expired.

Tried the same thing on my laptop, I get the ISG certificate and everything is fine.

#14

I think I’m getting too nervous … the Jolla Store is fine, must just have been a network glitch

#15

Okay, got if “fixed”.
Removed the full section about "Digital Signature Trust’ Root CA X3 cert from file

vi /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

and ran

update-ca-trust

manually.
Then (and only then) the available ISRG Root X1 takes over.

– with openssl you may force this with -trusted_first but not with Storeman :wink:

Section starts with
[p11-kit-object-v1]
label: "DST Root CA X3"
and ends with the next empty line (after a lot of #-commented lines and before the next p11-kit-object-v1).

–edit
Please be aware that every file in that directory is read, so move any backup file one level higher (or elsewhere).

4 Likes
[Guide] Fix certificate issues on SailfishOS
#16

What is the version of the ca-certificates package on J1/3.4?

While updating openssl is non-trivial, making a current ca-certificates package should be relativaly easy.

In fact I have made one:

https://build.sailfishos.org/package/show/home:nephros:j1/ca-certificates

Just compiled from sailfishos git, completely untested, but may help.

EDIT: Just tested with this build of ca-certificates-2020.2.41-1.4.1, that doesn’t solve the problem - even though that is the version used in SFOS4.2.

1 Like
#17

That worked! Thank you very much.

For anyone else with the same problem: don’t do what I did and leave a backup copy of the original ca-bundle.trust.p11-kit file in the ca-trust-source directory; any file in this directory seems to be read by update-ca-trust. Copy it somewhere else!

#18

Ah yes, could have mentioned it :wink:

#19

On 3.2.1 the version of ca-certificates is
2018.2.26-1.3.1

@navtis, could you check for 3.4 with

pkcon search ca-cert
#20

3.4 has the same package.