DST root cerficate expired, effects syncs.

[jtagcat]

syncs: failed, reason: certificate has expired, where the sync server is accessible to the user via other means.

This is very likely due to the DST root cert expiring

Related: laurent22/joplin#3348

It effectively breaks sync.

[GabrielMPhi]

I have the same problem just this morning.

[Derkades]

Same issue using the appimage instead of flatpak. It works fine on android.
(I didn't know there was a flatpak package until I found this issue, I'll definitely move over!)

[jtagcat]

Appimage is upstream, I haven't tested the upstream package yet.

[jtagcat]

Paging @laurent22 @catsout (mobilize for everything is broken spam)

[jtagcat]

Temporary (bad) workaround: Settings → Sync → Ignore TLS failures

[laurent22]

Is there something that needs to be changed in the app?

[PetrVladimirov]

Same problem is here. Joplin client on Linux (Fedora 33, direct install) doesn't want to sync via valid certificate (Let's Encrypt), Android client syncs.

Checked the certificate itself - URL opens fine via Firefox (without any warnings)
Checked the Nextcloud address via https://whatsmychaincert.com service - it says chain is valid.

[PetrVladimirov]

Is there something that needs to be changed in the app?

From https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/:
What should you do? For most people, nothing at all! We’ve set up our certificate issuance so your web site will do the right thing in most cases, favoring broad compatibility. If you provide an API or have to support IoT devices, you’ll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.

Not sure though whether it should be done in Joplin app or in the package it uses... If the latter, I suppose an issue should be raised to the upstream maintainer.

[chuglo]

Same exact issue here. Running Joplin v2.4.9 on Windows 10 client. Let's Encrypt cert. I can confirm the cert IS valid.

[laurent22]

To fix your server you can follow these steps: electron/electron#31212 (comment)

Hopefully a fix for the desktop app will also be available at some point.

[AUSBird]

Can't ignore TLS failures when using S3
Maybe this should be an option

[laurent22]

Yes, and I'd accept a PR for it.

[AUSBird]

Unless someone beats me to it, I will give it a crack after work :)

[Felecarpp]

I have the same issue on Ubuntu 20.04.2 LTS, Joplin 2.4.9, Nextcloud/Let's Encrypt account
I get "reason: certificate has expired" after synthing and I can temporaly fix it with "Ignoring TLS cert errors" also.

[Derkades]

It's fixed (in upstream)! https://github.com/laurent22/joplin/releases/tag/v2.5.1