Disroot email not working on Android apps

I have been using Disroot email with both K9 and Delta Chat on my Android 6.0.1 device for over a year with no problems. Sometime in the last week or two, both apps have stopped receiving new messages from the Disroot mailserver. I can still send email from K9 (not DC) and the web browser on the device can reach mail.riseup.net, so it doesn’t appear to be a DNS problem. Maybe a problem with the connection settings for IMAP?

Any suggestions (other than get a newer Android :wink: ?

Hey @strypey long time dont read. How are ya.
What Android version you are using. Perhaps the issue is with the change of letsencrypt root cert that changed last week?

Android version is 6.0.1

Perhaps the issue is with the change of letsencrypt root cert that changed last week?

The timing is about right. Is there any way we can test that?

@muppeth FYI Today I couldn’t get webmail to connect on one of my laptops either. It’s running Trisquel 8 (based off Ubuntu 16.04) and running an apt update spewed a bunch of ssl-related error messages. I’m wondering if this could all be connected?

Could very much be the fallout of the recent change at letsencrypt DST Root CA X3 Expiration (September 2021) - Let's Encrypt

OK @muppeth Is there anything I can do to get Delta Chat working with Disroot mail again? It’s become an important day-to-day communication channel for me.

I will be working on this starting from evening (CET) try to stil provide comatibility with older devices (had some non-disroot related priority work this week which is very bad timing), but in most cases, it’s the distros that should updated their root cert packages. I will dig around, read about this because this change in letsencrypt root cert has caused major issues all over the internet and try to make everyne happy. I will work on it as prio, and will keep you posted about it either here or will make seperate git issue to track the progress.

1 Like


Just a tip:

You can use BuyPass instead of LE - Free TLS-certificates that you can get over ACME with certbot and valid for 180 days. I think that Android down to 2.8 supports it too.

@muppeth could the Buypass certificates suggested by @selea be the solution to this problem?

I have to check but i dont want to move away from letsencrypt. Afaik you could install the new root cert from letsencrypt?


On Saturday, 23 October 2021, strypey via Disroot - Forum wrote:

@muppeth could the Buypass certificates suggested by @selea be the solution to this problem?

Visit Topic or reply to this email to respond.

You are receiving this because you enabled mailing list mode.

To unsubscribe from these emails, click here.

On my Android? How would I do that?

Sorry this is taking so long.
Started thread on our issue board:

1 Like

Just brainstorming here, but … what about including the necessary certs in the Disroot app, and somehow getting email apps to get them from there, could that work? Or getting the certs included in the F-Droid client somehow?

Do you have any links to documentation on this that you could post on that issue tracker thread linked by @muppeth ?

Is it necessary to switch all certificates to BuyPass (or other CAs)?


I dont have a old device to test with sadly,
Anyway, you are not able to install other Root-Certificates? I remember that I did it for my self-signed certificates a couple of years back

@selea Do you mean on the server or on my device? If it’s the latter, how do I do that?

Here’s some more details from Let’s Encrypt about how they planned to support Android versions older than 7.1.1. I can’t tell from my limited comprehension of this if it requires server admins to do anything, or users like myself to do anything, or if we’re all just waiting for something to happen at their end.

Update: The Delta Chat team has shipped a new version that includes updated certs, so it’s now working again on the Android 6.x device.

I’m not muppeth, but yes, on your android.

Preparing them in the right format is probably easiest on the PC so that’s what I’ll describe, though it probably is possible on your android as well. You can add just a couple certs if the ones on your device are reasonably up to date, or if they are very old you can clear out the whole lot and replace them with a fresh set.

If you want to replace the whole set, visit https://android.googlesource.com/platform/system/ca-certificates/+/master/files/, look for the link [tgz] near the top of the page, download that. You can use 7-Zip or similar to extract the files.somewhere. This set includes the X1 cert already formatted for you so you won’t have to make that one if you take this option. Depending what is currently on your device, you may also want to go to https://android.googlesource.com/platform/system/ca-certificates/+/master/wfa_certs/files/ and grab that *.tgz as well.

(One annoying detail about the google repository, the “txt” link at the bottom of the page seems like it should download what you see on the screen for an individual cert. But it does not work that way, the bottom link will give you useless gibberish so don’t bother using it. If you want an individual cert apart from the *.tgz bundle, you will need to manually scrape the page display into notepad to get it.)

For either option, visit https://letsencrypt.org/certificates/, scroll to the section Root Certificates. Look at the links for Active, X2, self signed. Download both the .pem and .txt formats. In Notepad or similar, paste first the contents of the .pem file, then below that paste the contents of the txt file. Save the result as filename 8794b4e3.0

If you are doing just the two certs and not the whole lot, also download the Active, X1 self signed, both .pem and .txt file, combine them in Notepad again, and this time save the result as 6187b673.0

Now that your files are prepared, visit https://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets for instructions on how to install these on your android. You can skip over the part about creating the certs since that is already done. (The funny filenames I gave you are the result of the openssl -subject_hash_old function they describe there.) If you are replacing the whole lot it might be a good idea to take a backup copy of your existing set beforehand just in case there are any “extras” that got added that you might need to keep, before you delete everything.

After the files are copied into their final resting place and chmod and/or chown is done, reboot your phone.