Version 1.27.6. Problems with tls-certificates?

Hello.

After updating to version 1.27.6 the application hangs at the loading stage. There are lines in the logs:

I/SyncthingNativeCode(14606): [O4DOE] INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority
I/SyncthingNativeCode(14606): [O4DOE] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
I/SyncthingNativeCode(14606): [O4DOE] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down

I tried to reinstall the application, and install previous versions from GitHub and F-Droid, but they hang at the key generation stage.

The certificate error is normal for Android 7 and older (see https://forum.syncthing.net/t/x509-certificate-has-expired-or-is-not-yet-valid/17617). However, it should still not prevent the app from running. I think you may need to either post a full log or look for other errors, as these seem to only be about the relay listener shutting down, not Syncthing itself.

Thank you for your answer. You are right: it is an old device with Android 6, and it seems that the problem is not the certificates. After I reinstalled different versions several times, once, version 1.27.6 started successfully. The re-added folders were successfully rescanned and synchronized. But after that, everything repeats: startup gets stuck on the “Syncthing is taking very long to load” message in the interface and “Syncthing is starting” in notifications. After some time, already-added folders start synchronizing. In the log, there is nothing except repeated messages about certificates and starting / shutting down the relay listener.

The SSL/TLS certificate for https://relays.syncthing.net/ is issued by Let’s Encrypt. Android 6 was released in 2015, which is shortly after Let’s Encrypt started issuing certificates in November 2014.

At the time, for compatibility reasons, Let’s Encrypt partnered with another more established certificate authority to have Let’s Encrypt’s root certificate cross-signed.

Over time, once Let’s Encrypt’s root certificate was bundled in all of the major web browsers, operating systems, phones, tablets, TVs and so on, Let’s Encrypt slowly phased out its older cross-signed root certificates. That’s where the "failed to verify certificate: x509: certificate signed by unknown authority" error you’ve been seeing comes into the picture.

One workaround is to try manually installing Let’s Encrypt’s current root certificate: https://letsencrypt.org/certificates/

(The import option is under Android’s security settings unless the manufacturer has disabled it for some reason. Search for “credentials” and/or “encryption”.)

Although Let’s Encrypt’s root certificate is valid, you’ll still get a security warning during the import because the certificate isn’t part of Android’s official “root certificate store” – aka. a collection of official certificates for known certificate authorities shipped with an operating system. On Android, its root certificate store is only updated whenever Android is upgraded.

(Starting with Android 14, root certificates are updated via Google Play and not only during OS upgrades.)

Before installing Let’s Encrypt’s root certificate, try temporarily turning off relaying to see if it’s the reason for the symptoms.

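An added example, not part of the posts above and not Syncthing's own code: the same Go `crypto/x509` check that produces the logged error, run against a trust store that lacks the issuing root and then against one that includes it. All certificate names and keys are constructed throwaway values, and the function names are assumptions made for this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a throwaway certificate signed by parent (self-signed if parent is nil).
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, kerr := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: ku,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key
	}
	der, cerr := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, perr := x509.ParseCertificate(der)
	if kerr != nil || cerr != nil || perr != nil {
		panic(fmt.Sprint(kerr, cerr, perr))
	}
	return cert, key
}

// VerifyWith validates leaf against a trust store that holds only the given roots.
func VerifyWith(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// Demo returns the result for an old store (legacy root only) and an updated one.
func Demo() (oldStore, updatedStore error) {
	newRoot, newKey := issue("Constructed New Root", x509.KeyUsageCertSign, nil, nil)
	legacy, _ := issue("Constructed Legacy Root", x509.KeyUsageCertSign, nil, nil)
	leaf, _ := issue("relay.example.test", x509.KeyUsageDigitalSignature, newRoot, newKey)
	return VerifyWith(leaf, legacy), VerifyWith(leaf, legacy, newRoot)
}

func main() {
	fmt.Println(Demo()) // old-store error first, then the updated-store result
}
```

The server certificate is identical in both calls; only the contents of the client's trust store change the outcome.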