Catfriend1 / syncthing-android

Syncthing-Fork - A Syncthing Wrapper for Android.
Mozilla Public License 2.0

Not working on Android 6 - ISRG SSL Certs missing #1131

Open srett opened 2 months ago

srett commented 2 months ago

Description of the issue

Installed Syncthing-Fork from GPlay (v1.27.9.0) on an old Xiaomi Phone with Android 6. The app starts up just fine, but fails to launch the native app.

Reproduction Steps

Install the app.

Version Information

Device platform info

[ro.product.board]: []
[ro.product.brand]: [Xiaomi]
[ro.product.cpu.abi]: [arm64-v8a]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [arm64-v8a]
[ro.product.cuptsm]: [XIAOMI|ESE|02|01]
[ro.product.device]: [nikel]
[ro.product.first_api_level]: [23]
[ro.product.locale]: [en-GB]
[ro.product.locale.language]: [de]
[ro.product.locale.region]: [DE]
[ro.product.manufacturer]: [Xiaomi]
[ro.product.mod_device]: [nikel_global]
[ro.product.model]: [Redmi Note 4X]
[ro.product.name]: [nikel]

Android Log

$ cat /sdcard/Android/data/com.github.catfriend1.syncthingandroid/files/syncthing.log.tmp                                                           
[DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[DZDUN] INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority
[DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[DZDUN] INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority
[DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
[DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
[DZDUN] INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority

Similar story with logcat:

$ adb logcat v | grep --line-buffered Syncthing
09-07 21:11:35.637  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:36.638  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:37.640  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:38.643  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:39.529  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
09-07 21:11:39.644  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:39.802  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
09-07 21:11:39.821  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority
09-07 21:11:39.824  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
09-07 21:11:39.896  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
09-07 21:11:39.906  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) starting
09-07 21:11:39.926  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority
09-07 21:11:39.994  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: Relay listener (dynamic+https://relays.syncthing.net/endpoint) shutting down
09-07 21:11:39.995  4924  5213 I SyncthingNativeCode: [DZDUN] INFO: listenerSupervisor@dynamic+https://relays.syncthing.net/endpoint: service dynamic+https://relays.syncthing.net/endpoint failed: Get "https://relays.syncthing.net/endpoint": tls: failed to verify certificate: x509: certificate signed by unknown authority
09-07 21:11:40.646  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:41.648  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:42.650  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:43.650  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:44.651  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left
09-07 21:11:45.653  4924  4924 W SyncthingService: Deferring shutdown until State.STARTING was left

My guess now is that Syncthing shuts down when it can't connect to the relay service, but it's odd there is no further log output indicating that it will shut down, making me doubt that theory. But in any case, I guessed the problem regarding the relay setup is that Android 6 doesn't have the recent ISRG root certificates; I added the two root certificates manually in the Android settings, but the error didn't change. I've no clue which certificate store the native Go application within the Android wrapper would be using anyways...

srett commented 2 months ago

Using the browser on the device and navigating to http://127.0.0.1:8384 shows Syncthing is running just fine. I managed to log in, add devices and get it to sync files. Just the wrapper app kept claiming Syncthing would not be running or is still starting up. So Syncthing would indeed run just fine if the relay pool is not reachable.

Still not convinced this has anything to do with the problem, I copied the two root certificates to /sdcard/certs and then added SSL_CERT_DIR=/sdcard/certs to the environment via the Debug menu, as this tells Go about additional locations for trusted certificates. Lo and behold, now the GUI works perfectly fine. Just as to why, I don't really understand.

Just in case this isn't a problem specific to this device, or Xiaomi's fork, and given that it didn't start working for completely unrelated reasons, I suggest that in case you want to actually support devices with Android <= 7, the Syncthing-Android (probably even upstream) app should just ship the two ISRG certs (X1 X2) and pass them via the environment if running on affected devices. But I'd be happy if someone could confirm this issue first.
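
An added example, not part of the issue thread or of Syncthing's code, illustrating the behaviour reported above: a Go verifier returns `x509: certificate signed by unknown authority` until the issuing root is present in the directory its trust anchors are loaded from. The certificates, the `example.test` names and the `poolFromDir` helper are constructed for this illustration; `poolFromDir` is a simplified stand-in for the directory scan that `SSL_CERT_DIR` points Go at.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// tmpl builds a constructed (test-only) certificate template valid for two hours.
func tmpl(cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
}
// poolFromDir trusts every *.pem certificate in dir (assumed stand-in for an SSL_CERT_DIR scan).
func poolFromDir(dir string) *x509.CertPool {
	pool := x509.NewCertPool()
	files, _ := filepath.Glob(filepath.Join(dir, "*.pem"))
	for _, f := range files {
		data, _ := os.ReadFile(f)
		pool.AppendCertsFromPEM(data)
	}
	return pool
}
// demo verifies a constructed leaf before and after its root is dropped into the cert directory.
func demo() (before, after error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootT, leafT := tmpl("root.example.test", true), tmpl("relays.example.test", false)
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootT, rootT, rootPub, rootKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, rootT, leafPub, rootKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	dir, _ := os.MkdirTemp("", "certs")
	defer os.RemoveAll(dir)
	_, before = leaf.Verify(x509.VerifyOptions{Roots: poolFromDir(dir)})
	os.WriteFile(filepath.Join(dir, "root.pem"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER}), 0o644)
	_, after = leaf.Verify(x509.VerifyOptions{Roots: poolFromDir(dir)})
	return before, after
}
func main() { fmt.Println(demo()) }
```

The first value printed is the same error string as in the relay log lines above; the second is `<nil>` once the root file exists in the directory.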