Storeman and side loading problems (also: Root CA X3 certificate expiration)

I have an old Jolla 1, running 3.4.0.24. It’s my main phone, and I am still happy with it, though my usage is pretty basic.

Recently (not sure from when) Storeman stopped working - I get a ‘network error’ message when it starts up, when I try to run a search in it, etc. I can use it to list my installed applications or any purely local functions that do not need network access.

Since I have no networking problems in any other apps I am aware of (the Jolla Store works fine), I decided to try replacing Storeman using the new Storeman installer. To do this I need to sideload, so need to set ‘allow untrusted software’. When I try to set this, I go into a loop: click on ‘allow untrusted software’, give code in ‘confirm with security code’, click on ‘accept’ in ‘untrusted software terms’ - and then it throws me back to the start, with ‘allow untrusted software’ still greyed out.

So now I have two problems…

Any suggestions to fix either?

Thanks
Graham

I’ve just seen the Jolla 1 is unsupported now. I was vaguely aware this was going to happen, but assumed it would just be lack of new security fixes rather than retrospective breakage (in fact I’m pretty sure I used Storeman since 3.4, so this may even be unrelated).

Has anyone ever managed to install any other OS on a Jolla 1?

Storeman changed repos to support multiple releases and archs. Search for storeman-installer

ps: I got a used xa2 after my j1 died last year and am super happy

Good to know, although it feels a shame to dump my jolla1 when it has no physical problems at all.

About ‘allow untrusted software’ - any reason it might not be working for me apart from being a jolla1?

Graham

Hi,

It’s a strange behaviour especially if you didn’t update Storeman. As I know there were no changes in OpenRepos API so Storeman should just keep working. I suppose you have some OS related errors.

I wasn’t going to mention it, but yesterday, I took my old Jolla1 out with me, everything working okay, but storeman wouldn’t start correctly, I get the same ‘network error’ message as mentioned above. At the same time, I checked other apps were working, I could access and use Jolla Store, my email would send & receive.

I removed it, used the latest storeman installer which went without a hitch, but as stated above, I get the error message that there is no network when indeed there is network access.

My Jolla1 is on the lastest/last OS release and all apps that require internet access are working/functioning correctly.

What about?

SSL certificate problem: certificate has expired

The Let’sEncrypt thing?

I have this now on a SFOS3.2.1 device (starting in Oct)

Could it be this? I have noticed I’m getting a lot of ‘accept certificate for this web site?’ messages when browsing sites using letsencrypt which I don’t see on other devices. Could this be because of an older version of openssl? Or an outdated certificate store?

Just try this:

openssl s_client -connect sailfish.openrepos.net:443

No such command (either as nemo or root). No openssl in /usr/bin either.
I can’t connect to Jolla Store either now - just spins. Connection to web sites, mp3 streaming, etc are still ok.

devel-su pkcon install openssl

???
Works here.
Something with your account, maybe remove account, readd (at least reenter password) and reboot?

Thank you for your patience!

Yes, I’m getting the old Digital Signal Trust certificate - first line of the response is verifyerror: certificate has expired.

Tried the same thing on my laptop, I get the ISG certificate and everything is fine.

I think I’m getting too nervous … the Jolla Store is fine, must just have been a network glitch

Okay, got if “fixed”.
Removed the full section about "Digital Signature Trust’ Root CA X3 cert from file

vi /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

and ran

update-ca-trust

manually.
Then (and only then) the available ISRG Root X1 takes over.

– with openssl you may force this with -trusted_first but not with Storeman :wink:

Section starts with
[p11-kit-object-v1]
label: "DST Root CA X3"
and ends with the next empty line (after a lot of #-commented lines and before the next p11-kit-object-v1).

–edit
Please be aware that every file in that directory is read, so move any backup file one level higher (or elsewhere).

4 Likes

What is the version of the ca-certificates package on J1/3.4?

While updating openssl is non-trivial, making a current ca-certificates package should be relativaly easy.

In fact I have made one:

https://build.sailfishos.org/package/show/home:nephros:j1/ca-certificates

Just compiled from sailfishos git, completely untested, but may help.

EDIT: Just tested with this build of ca-certificates-2020.2.41-1.4.1, that doesn’t solve the problem - even though that is the version used in SFOS4.2.

1 Like

That worked! Thank you very much.

For anyone else with the same problem: don’t do what I did and leave a backup copy of the original ca-bundle.trust.p11-kit file in the ca-trust-source directory; any file in this directory seems to be read by update-ca-trust. Copy it somewhere else!

Ah yes, could have mentioned it :wink:

On 3.2.1 the version of ca-certificates is
2018.2.26-1.3.1

@navtis, could you check for 3.4 with

pkcon search ca-cert

3.4 has the same package.