Error message while updating the fdroid repository

The update of the fdroid repository fails with the error you can see on the screenshot.

Thanks for your help :slight_smile:

1 Like

Strange. Looks like a server side problem.
To be sure, could you try going to app info and clearing cache and try again? That may help.

Can you manually get version 1.8 (if not already)? https://f-droid.org/repo/org.fdroid.fdroid_1008050.apk

What Android version is this?

If before version 5.1 maybe this issue is at fault: Comodo Knowledge Base ?

1 Like

The cache clearing doesn’t change anything. I have also reinstalled the f-droid app (in version 1.8) and the issue is still here.
I’m on android 5.0.2. I know it’s an old version, but it’s still working so I don’t want to throw it away…

1 Like

5.0.2

Read the link @Altons

@hans see the link, older systems will fail, eg. CentOS6:

> openssl s_client -connect f-droid.org:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=f-droid.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Can something be done (regen certs or smth)? Else minSDK was just bumped to 22 lol @Bubu

1 Like

I’ve read the link, but to be honest, I don’t know what to do with it. Should I download new certificates?

1 Like

Same issue and toast message popped up for me today also. CM12 (Android 5.1) on an old Samsung Galaxy Light.
I have other setups with older Androids (KK, LP, MM) so I seriously hope this is a fixable situation with the certs.
I’ll test them tonight and see what happens.

Someone also opened an issue on GitLab about this.

1 Like

It might be a server side issue on the f-droid repository, because the Guardian Project Official Release is still working fine.

1 Like

Tracking this here: f-droid.org: expired root certificate (#174) · Issues · F-Droid / admin · GitLab

2 Likes

The error message displayed when I try to update the fdroid repository changed to this :

I hope this might help you debugging… Should I post this kind of stuff in the gitlab issue or here?

1 Like

That’s an intermediate cert that expired as planned. Problem is that some sites still ship it as part of their “certificate chain”. Would they not do that, the OS would try finding its own (alternative) chain and succeed.

I had the same issue here on my Linux machine for one site, lasting 2 or 3 days. It was solved OS-side when the ca-certs package was updated. I’ve checked the update, and indeed it “black-listed” that expired cert from AddTrust, forcing openSSL to use a different chain.

TL;DR: I don’t know how the certificates are updated on Android; the most likely variant is OTA updates for the OS. So devices no longer receiving updates are, well, unlucky. So the best way might be contact the site admins so they update the certificate chain they ship.

Ugh, say again: is that our repo? Strange, I didn’t experience that issue here with our repo. Can someone check what certificate chain we ship, and fix it if needed? Or has that already been done? Or did the very same ca-cert update on our servers fix that along the line?

Update: Looks like Ciaran did exactly that and removed the intermediate from our chain (or at least will do it shortly).

2 Likes

Same situation here, with an old lollipop 5.0 phone.
I just installed the latest fdroid via apk, but it still fails the ssl handshake.
Other sites are ‘broken’ for me as well with chrome browser or anything that uses system webview.
Firefox works instead.
I don’t know much about the theory, but from what i read, fdroid servers could use a workaround, but if i understood well, the issue depends on a bug on gnutls (due to an expired root certificare an the inability to use another one, or whatever…)

What concerns me is that i can’t update this (rooted) device for a number of reasons, so i ask you if is there a way for me to fix the issue locally ?

Thanks,

1 Like

Firefox uses its own certificate store and probably already had the AddTrust certificate disabled. As for Webview: Good pointer. You could try adding the Bromite repo and install their Webview, which is more up-to-date and might have fixed the issue. This would at least solve it for all apps using Webview – no idea if this affects the F-Droid client, though.

1 Like

I think things have been fixed. On my CM12 today, refreshing the repo worked and app updates are now displayed.

Regarding Bromite Webview, on that device it was already installed, updatable (Bromite repo was good), and updated during the issue. So I don’t think it affected the F-Droid client.
I also recommend that webview. Installed on all of my ROMs (save for OEM stocks and of course KitKat). Constantly updated.

2 Likes

It worked for me, but sometimes I still get an error :“Error getting F-Droid index file → SSL handshake timed out”

1 Like

The issue is finally solved ! Thanks a lot :clap:

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.