Problems with DigiCert Global Root G2 TLS certificate

2018-07-25

funkyboris

updated 2018-12-11

Hi folks

I am having problems with my digital certificates. On 2018-06-03 my email accounts stopped working. When trying to sync my mail I get asked to check the certificate.

The server in question ( with TLS (port 993), presents a certificate from DigiCert (CN = RapidSSL TLS RSA CA G1) which in turn refers to CN = DigiCert Global Root G2 as the root certificate.

The DigiCert Global Root G2 is among those listed at the Sailfish certificate manager.

When comparing the public signatures of the two, I find for some reason that the one in the Sailfish OS version of the signature has "00:" prefixed to its value, whereas the one in Firefox on my laptop does not. Otherwise, they seem similar.

I installed openssl on my Jolla as suggested in this thread. The one-liner

openssl s_client -showcerts -connect

depth=2 C = US, O = DigiCert Inc, OU =, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU =, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *
verify return:1

This is the same result I get when running the same command on my laptop.

I have also tried to delete the account and re-establish it as suggested in this thread. No dice - still asks me to check certificate.

I don't want to disable certificate validity check. It has worked flawlessly in the past and as far as I can tell, it still should.

EDIT (2018-12-11)

This one is still relevant as of Sailfish 3.0. I have tried to delete the mail account from Jolla (Settings app -> Accounts -> select account -> drop down -> delete account) after which I tried to create it again. It fails with the message that the certificate validation fails, and that I need to allow all untrusted certificates if I want to access that account.

It is still not in my best interest to disable validation of certificates against trusted sources.

Will someone from Sailfish please look into this? I have been unable to access my personal mail account on my Jolla for over 6 months now.

well, your certificate is a * but your mail server is at and therefore cannot be matched with your server FQDN.

Nieldk ( 2018-07-25 18:33:35 +0200 )

@Nieldk iirc there's exceptions for third-level wildcard certs.

tortoisedoc ( 2018-07-25 21:25:52 +0200 )

@Nieldk erhm.. no?

* matches That is the whole point. Besides, Firefox gets the validation right, as does Thunderbird and plain OpenSSL from CLI. Only Sailfish chokes on the certificate.

funkyboris ( 2018-07-26 03:23:14 +0200 )
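A small checker for the two points argued in this thread, whether a wildcard name covers the mail host (RFC 6125 rules) and whether a root key shown with a leading "00:" is the same key as one shown without it, added here as an example; it is not Sailfish, OpenSSL or the poster's code. Names such as example.net are placeholders, since the real hostnames are elided from the post.

```python
import re

# Placeholder names (constructed): the real hostnames are elided from the
# post, so example.net stands in for the hosting provider's domain.
SAN_NAMES = ["*.example.net", "example.net"]
MAIL_HOST = "imap.example.net"

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a server FQDN following RFC 6125 s.6.4.3.
    A wildcard is accepted only as the whole leftmost label and it matches
    exactly one label, so *.example.net covers imap.example.net but neither
    example.net nor a.b.example.net. Comparison is case-insensitive."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject partial wildcards (im*.example.net), wildcards below the leftmost
    # label, and (a policy choice here) *.tld with a single label to the right.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])

def hostname_covered(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName in the leaf certificate matches the host the
    client connected to; a mail client must pass this check in addition to
    chaining the certificate to a trusted root."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)

def _hexbytes(dump: str) -> str:
    """Collapse the hex-digit part of an OpenSSL 'ab:cd:..' dump to plain hex."""
    return re.sub(r"[^0-9a-f]", "", dump.lower())

def same_modulus(dump_a: str, dump_b: str) -> bool:
    """Compare two RSA modulus dumps, ignoring a leading 00 byte. OpenSSL prints
    that byte when the first real byte has its top bit set, because DER encodes
    INTEGER as signed and needs the extra byte to keep the value positive; it is
    not part of the key, so dumps differing only in that prefix are the same key."""
    def strip_sign_byte(h: str) -> str:
        if h.startswith("00") and len(h) >= 4 and int(h[2:4], 16) >= 0x80:
            return h[2:]
        return h
    return strip_sign_byte(_hexbytes(dump_a)) == strip_sign_byte(_hexbytes(dump_b))

if __name__ == "__main__":
    print(MAIL_HOST, "covered:", hostname_covered(SAN_NAMES, MAIL_HOST))
    print("same key:", same_modulus("00:c4:1a:ff", "c4:1a:ff"))
```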

Try: (remember to tick: Do not show the results on the boards)

Is it a cert you have bought from DigiCert?

emva ( 2018-07-26 15:17:58 +0200 )

@emva: is not "my server". It is a managed server hosted by - a professional hosting provider. I did not have anything to do with its setup, and it hosts hundreds if not thousands of other clients. If there was a problem with their TLS setup, I would not be the only one affected. Again, you are missing the point: Everyone is satisfied with the certificate, except Sailfish OS and even this has not always been the case. It stopped working a couple of weeks ago.

funkyboris ( 2018-07-26 15:23:47 +0200 )