x509: certificate has expired or is not yet valid

This is Samsung Galaxy S5 LTE-A running Samsung Android 6.0.1. The OS is old and there are no more updates to it. I’ve tried to update certificates in the Android settings, but there is no difference.

If there are no proper certificates available for the abandoned OS, is there anything that the user can do to solve this problem, or is this something that we’ve simply got to live with?

Ref: https://forum.syncthing.net/t/how-do-i-kick-it-to-retry-the-relays-connection/17444.

A custom ROM is IMHO your best bet.

e.g https://lineageos.org/

Syncthing servers use Let’s Encrypt certificates. Those use only one root certificate (their own) since 30.10. which is only available in Android 7.1 and up.

Thank you for all the replies.

Unfortunately, all AOSP-based custom ROMs available for the specific device (lentislte) have a buggy kernel, which causes random reboots and also has a lot of issues with mobile network connectivity.

This may be a newbie question, but is there any way to force-install such a certificate manually, e.g. using the command line? The device is rooted.

I remember there was a cert folder only accessible via root and copying+chmod’ing the cer files to it worked for me back those times. (used it to install a proxy https cert)

Quick research turned up Android : add cert to system store · GitHub

Thanks for the link!

I use a password to unlock the device anyway, so I’ve tried to add the Let’s Encrypt certificate to the personal store first, using just the GUI method. I’ve followed the steps from https://stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser.

However, even after installing the certificate, there is no difference regarding Syncthing. Is the ISRG Root X1 certificate the right one, or does Syncthing need something else? If that’s the case, does anyone know which specific certificates are required by Syncthing?


I’ve just realised that the same problem is happening on yet another device. This one runs Android 7.1 (also by Samsung). In contrary to the first one, the other device is located in a different location, so direct connection is impossible. As the expired certificate prevents any relay connections, the device has been unable to connect at all (as QUIC isn’t working either for some reason, even though it is “listening”).

Does this mean that the expired certificate has rendered Syncthing on these older Android devices basically useless? :sweat:

I have fixed the problem. The thing is that the certificate has to be installed in the system storage, as otherwise Syncthing seems to completely ignore it. Of course, in order to do so, you need to have root access, so if your Android device isn’t rooted, you’re probably out of luck (unless you’ve got a custom recovery with /system access).

The detailed steps are as follows.

  1. Download https://letsencrypt.org/certs/isrgrootx1.pem.txt.

  2. Run openssl x509 -inform PEM -subject_hash -in isrgrootx1.pem.txt (in Windows, you can use openssl.exe from MSYS2).

  3. Look for the subject of the certificate in the command output. It was 4042bcee in my case.

  4. Rename the file from isrgrootx1.pem.txt to 4042bcee.0.

  5. Copy the file to the Android device, e.g. with adb push 4042bcee.0 /sdcard/.

  6. Open the shell, e.g. with adb shell (or you can use a terminal emulator on the device itself).

  7. Switch to root, mount the /system partition as writeable, copy the certificate to the system storage, fix the permissions, then remount the partition as read-only.

    mount -o rw,remount /system
    cp /sdcard/4042bcee.0 /system/etc/security/cacerts/
    chmod 0644 /system/etc/security/cacerts/4042bcee.0
    mount -o ro,remount /system
  8. Restart Syncthing, which should now be able to connect to relays.

The instructions are based on the @Catfriend1’s link and also on a few other sources I’ve managed to find in the Internet. I’ve tested them with success on the two devices mentioned in this thread.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.