Storeman and side loading problems (also: Root CA X3 certificate expiration)

Hi,

It’s a strange behaviour, especially if you didn’t update Storeman. As far as I know there were no changes in the OpenRepos API, so Storeman should just keep working. I suppose you have some OS related errors.

I wasn’t going to mention it, but yesterday, I took my old Jolla1 out with me, everything working okay, but storeman wouldn’t start correctly, I get the same ‘network error’ message as mentioned above. At the same time, I checked other apps were working, I could access and use Jolla Store, my email would send & receive.

I removed it, used the latest storeman installer which went without a hitch, but as stated above, I get the error message that there is no network when indeed there is network access.

My Jolla1 is on the latest/last OS release and all apps that require internet access are working/functioning correctly.

What about?

SSL certificate problem: certificate has expired

The Let’s Encrypt thing?

I have this now on a SFOS3.2.1 device (starting in Oct)

Could it be this? I have noticed I’m getting a lot of ‘accept certificate for this web site?’ messages when browsing sites using letsencrypt which I don’t see on other devices. Could this be because of an older version of openssl? Or an outdated certificate store?

Just try this:

openssl s_client -connect sailfish.openrepos.net:443

No such command (either as nemo or root). No openssl in /usr/bin either.
I can’t connect to Jolla Store either now - just spins. Connection to web sites, mp3 streaming, etc are still ok.

devel-su pkcon install openssl

???
Works here.
Something with your account, maybe remove account, readd (at least reenter password) and reboot?

Thank you for your patience!

Yes, I’m getting the old Digital Signal Trust certificate - first line of the response is verifyerror: certificate has expired.

Tried the same thing on my laptop, I get the ISG certificate and everything is fine.

I think I’m getting too nervous … the Jolla Store is fine, must just have been a network glitch

Okay, got it “fixed”.
Removed the full section about “Digital Signature Trust” Root CA X3 cert from file

vi /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

and ran

update-ca-trust

manually.
Then (and only then) the available ISRG Root X1 takes over.

– with openssl you may force this with -trusted_first but not with Storeman :wink:

Section starts with
[p11-kit-object-v1]
label: "DST Root CA X3"
and ends with the next empty line (after a lot of #-commented lines and before the next p11-kit-object-v1).

–edit
Please be aware that every file in that directory is read, so move any backup file one level higher (or elsewhere).

4 Likes
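Added example, not part of the original posts: a shell helper that produces a filtered copy of the bundle instead of hand-editing it in vi, so the result can be diffed before it replaces the original. The function name `strip_p11kit_label` is hypothetical, and the section layout it assumes is the one described in the post above (header line, then the label line, ending at the next empty line).

```shell
#!/bin/sh
# Added example (not from the thread). Writes a copy of a p11-kit trust bundle
# with every object carrying the given label removed; prints how many were cut.
# Assumed layout, as described in the thread: a section starts at
# "[p11-kit-object-v1]" followed by 'label: "<name>"' and ends at the next
# empty line. strip_p11kit_label is a hypothetical helper name.
strip_p11kit_label() {
    src=$1 label=$2 out=$3
    src_dir=$(cd "$(dirname "$src")" && pwd) || return 2
    out_dir=$(cd "$(dirname "$out")" && pwd) || return 2
    # update-ca-trust reads every file in the source directory, so the
    # filtered copy (like any backup) must live somewhere else.
    if [ "$src_dir" = "$out_dir" ]; then
        echo "refusing to write into $src_dir" >&2
        return 2
    fi
    WANT_LABEL=$label OUT_FILE=$out awk '
        BEGIN {
            want = "label: \"" ENVIRON["WANT_LABEL"] "\""
            out = ENVIRON["OUT_FILE"]
            printf "" > out                 # create/truncate the output
        }
        held != "" {                        # line right after a section header
            if ($0 == want) { skipping = 1; removed++ }
            else { print held > out; print > out }
            held = ""
            next
        }
        skipping { if ($0 == "") skipping = 0; next }   # drop up to the blank line
        $0 == "[p11-kit-object-v1]" { held = $0; next } # decide on the next line
        { print > out }
        END {
            if (held != "") print held > out
            print removed + 0               # count goes to stdout
        }
    ' "$src"
}
```

Call it with the bundle path from the post, the label "DST Root CA X3" and an output path outside ca-trust-source, compare the two files with diff, and only then copy the result over the original and run update-ca-trust.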

What is the version of the ca-certificates package on J1/3.4?

While updating openssl is non-trivial, making a current ca-certificates package should be relatively easy.

In fact I have made one:

https://build.sailfishos.org/package/show/home:nephros:j1/ca-certificates

Just compiled from sailfishos git, completely untested, but may help.

EDIT: Just tested with this build of ca-certificates-2020.2.41-1.4.1, that doesn’t solve the problem - even though that is the version used in SFOS4.2.

1 Like

That worked! Thank you very much.

For anyone else with the same problem: don’t do what I did and leave a backup copy of the original ca-bundle.trust.p11-kit file in the ca-trust-source directory; any file in this directory seems to be read by update-ca-trust. Copy it somewhere else!

Ah yes, could have mentioned it :wink:

On 3.2.1 the version of ca-certificates is
2018.2.26-1.3.1

@navtis, could you check for 3.4 with

pkcon search ca-cert

3.4 has the same package.

And I think I remember to have read something like this that it might only be updated/solved soon ™ with 4.3 …

But for our J1s we need updated ca-certificates as well and I would like to see @Jolla to support their baby at least with up-to-date certificates. No more no less.

Or we go by hand manipulation or offer this by ourselves on openrepos?

Support from Jolla is unlikely not going to happen.

Community-built packages should be no problem though, over openrepos, chum, OBS or another way.

@nephros why do you expect support from Jolla for the Jolla phone? They finished supporting this phone after 7 years, which is a lot in the mobile world.

Oh, it was me! :smiley:
And not ‘expecting’ them to do so (absolutely I do not expect them).
Just requesting to at least support such fundamental security critical update. Which should not be that much of work/overhead to push a newer ca-certificate package on the J1 3.4 repo, or?

Do you remember the PR1.3.1 update?

3 Likes