Storeman and side loading problems (also: Root CA X3 certificate expiration)

No such command (either as nemo or root). No openssl in /usr/bin either.
I can’t connect to Jolla Store either now - just spins. Connection to web sites, mp3 streaming, etc are still ok.

devel-su pkcon install openssl

???
Works here.
Something with your account, maybe remove account, readd (at least reenter password) and reboot?

Thank you for your patience!

Yes, I’m getting the old Digital Signal Trust certificate - first line of the response is verifyerror: certificate has expired.

Tried the same thing on my laptop, I get the ISG certificate and everything is fine.

I think I’m getting too nervous … the Jolla Store is fine, must just have been a network glitch

Okay, got if “fixed”.
Removed the full section about "Digital Signature Trust’ Root CA X3 cert from file

vi /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

and ran

update-ca-trust

manually.
Then (and only then) the available ISRG Root X1 takes over.

– with openssl you may force this with -trusted_first but not with Storeman :wink:

Section starts with
[p11-kit-object-v1]
label: "DST Root CA X3"
and ends with the next empty line (after a lot of #-commented lines and before the next p11-kit-object-v1).

–edit
Please be aware that every file in that directory is read, so move any backup file one level higher (or elsewhere).

5 Likes

What is the version of the ca-certificates package on J1/3.4?

While updating openssl is non-trivial, making a current ca-certificates package should be relativaly easy.

In fact I have made one:

https://build.sailfishos.org/package/show/home:nephros:j1/ca-certificates

Just compiled from sailfishos git, completely untested, but may help.

EDIT: Just tested with this build of ca-certificates-2020.2.41-1.4.1, that doesn’t solve the problem - even though that is the version used in SFOS4.2.

1 Like

That worked! Thank you very much.

For anyone else with the same problem: don’t do what I did and leave a backup copy of the original ca-bundle.trust.p11-kit file in the ca-trust-source directory; any file in this directory seems to be read by update-ca-trust. Copy it somewhere else!

Ah yes, could have mentioned it :wink:

On 3.2.1 the version of ca-certificates is
2018.2.26-1.3.1

@navtis, could you check for 3.4 with

pkcon search ca-cert

3.4 has the same package.

And I think I remember to have read something like this that it might only be updated/solved soon ™ with 4.3 …

But for our J1s we need updated ca-certificates as well and I would like to see @Jolla to support their baby at least with up-to-date certificates. No more no less.

Or we go by hand manipulation or offer this by ourselves on openrepos?

Support from Jolla is unlikely not going to happen.

Community-built packages should be no problem though, over openrepos, chum, OBS or another way.

@nephros why you expect support from Jolla for Jolla phone. They finished supporting this phone after 7 years. Which is a lot in mobile world.

Oh, it was me! :smiley:
And not ‘expecting’ them to do so (absolutely I do not expect them).
Just requesting to at least support such fundamental security critical update. Which should not be that much of work/overhead to push a newer ca-certificate package on the J1 3.4 repo, or?

Do you remember the PR1.3.1 update?

3 Likes
pkcon search ca-cert

ca-certificates-2018.2.26-1.4.1.jolla.noarch (installed) The Mozilla CA root certificate bundle

Actually I guess a proper community port/release fot the J1 would be the best solution.

But who will step up? :smiley:

1 Like

Thank you @peterleinchen for the correct basic assessment and almost the right implementation (you patch the source bundle, not the target one).
After some more research I created a more generic guide how to handle this properly:

1 Like

Wow, thank you!

Another really well-written, detailed and knowledged guide by @olf.

I am not that deep into that cert stuff, normally do not need it and always forced to dig into it when something happens.
So I did not dare to look for the cert to put it into the blacklist (as it was not in pem format in the bundle).

One noob question I do have: why is my approach only almost? :wink:
I used the source bundle and ran update-ca-trust.
What is “wrong” with that?

See Fix certificate issues on SailfishOS - #3 by olf