SSL errors occurred: The certificate has expired #919
Comments
That's very bad 😭 But I don't understand yet why this happens, actually the certificate of api.librepcb.org looks valid. Maybe it's somehow related to the OpenSSL library bundled within the AppImage 🤔 At least I can't reproduce this problem when building LibrePCB from sources.
Take a look at the following issues:
As a side note, does OpenSSL really need to be included in the AppImage? Why not just leave it outside and let
What Linux distro do you use? I use Debian, and some default paths may differ from Ubuntu or other distros.
I think I have found the reason for this problem. Older OpenSSL library versions no longer work with recent Let's Encrypt certificates: https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816 There seems to be a server-side workaround available, but I do not understand yet how to implement this workaround exactly. I'm working on it... In the worst case (if the workaround doesn't work) I think we have to create a new LibrePCB release.
That's a good question. Of course this avoids the dependency on OpenSSL, but as we see now, bundling also leads to problems 🙈 Btw, our Windows builds are still working so probably only our Linux binaries (and maybe macOS?) are affected by this issue.
Do the Windows builds also include the same OpenSSL version as is bundled into the AppImage? Also, take a look here — Windows may be affected too:
I think I could fix it server side! 🚀 @Symbian9 can you confirm it is working on your setup as well? However, it's just a temporary workaround. Now we should think about how to avoid such issues in the future.
For any AppImage-specific help:
What did you change?
I switched to the alternate certificate chain as explained in https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816.
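An added example, not part of the thread or of LibrePCB's code: a shell check that tells the two Let's Encrypt chains apart from saved `openssl s_client` output, so that a server-side switch like the one described above can be confirmed. It assumes the expired root is DST Root CA X3, as named in the linked Let's Encrypt post; the function names and the sample output (host `api.example.org`) are constructed for illustration.

```shell
# Added example (not LibrePCB code): classify the chain a server presents,
# from saved output of `openssl s_client -connect HOST:443 -showcerts`.
OLD_ROOT='DST Root CA X3'   # expired cross-signing root (assumption, see lead-in)

# Print the issuer (i:) of every certificate in the "Certificate chain" section.
chain_issuers() {
    awk '/^Certificate chain/ { in_chain = 1; next }
         /^---$/              { in_chain = 0 }
         in_chain && /^ +i:/  { sub(/^ +i:/, ""); print }'
}

# Read s_client output on stdin and print a verdict.
# Exit status: 0 = alternate chain, 1 = default chain, 2 = no chain found.
classify_chain() {
    issuers=$(chain_issuers)
    [ -n "$issuers" ] || { echo "no-chain-found"; return 2; }
    # Matches both "CN = DST..." (OpenSSL 1.1+) and "/CN=DST..." (1.0.x) styles.
    if printf '%s\n' "$issuers" | grep -q "CN *= *$OLD_ROOT"; then
        echo "default-chain"; return 1
    fi
    echo "alternate-chain"
}

# Constructed sample: default chain, ending in the cross-signed ISRG Root X1.
sample_default() { cat <<'EOF'
Certificate chain
 0 s:CN = api.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: alternate chain, printed in the older OpenSSL 1.0.x style.
sample_alternate() { cat <<'EOF'
Certificate chain
 0 s:/CN=api.example.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
EOF
}

sample_default   | classify_chain || true
sample_alternate | classify_chain
```

A "default-chain" verdict means clients that bundle an old OpenSSL are being handed the chain that ends in the expired root, which is the condition the server-side change removes.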
So after thinking a bit about this, I propose to do the following:
So far I do not have any better idea. Unbundling OpenSSL is not really an option since then we couldn't ensure that the used OpenSSL version is compatible with the Qt version. So I think we really have to bundle it. I also thought about using HTTP+signatures instead of HTTPS (like APT does), but I think this would be overkill and not worth the effort... I'll close this issue since the current problem is fixed for now, and I'll open PRs to apply the suggested changes. Feel free to reopen if one does not agree.
This is only for our AppImage binary releases, right? Keep in mind: This means we should probably publish new builds if there are any critical OpenSSL vulnerabilities being published (affecting the version we are bundling).
No, it's for all binaries. Windows, Linux, macOS; Installers, archives and AppImages.
That's what I meant with "[...] and try to keep it up to date in future.". However, I don't think we have to create new LibrePCB releases each time a new vulnerability is known since LibrePCB is not a security critical application like a web browser. The API is accessed only rarely and supports only a very limited set of features. Also the downloaded libraries are not confidential at all (thus I thought about even using HTTP instead of HTTPS). So IMHO it would be totally fine to just update OpenSSL when we create a new release anyway. Yes, this opinion might be different to yours 😉
Sure, with "critical" I mean "critical with regards to LibrePCB". That's probably a small subset of vulnerabilities. And yes, libraries are most probably not critical at all, but projects (being sent to the ordering API) might be. (Although people with sensitive projects will probably not upload them to some ordering API, so this is not very realistic 😉)
VERSION / OS / ENVIRONMENT
release/0.1
AppImage: https://download.librepcb.org/nightly_builds/release_0_1/librepcb-nightly-linux-x86_64.AppImage
master
AppImage: https://download.librepcb.org/nightly_builds/master/librepcb-nightly-linux-x86_64.AppImage
SUMMARY
LibrePCB can't load libraries via "Library Manager"
STEPS TO REPRODUCE
EXPECTED RESULTS
"Library Manager" should work without issues.
ACTUAL RESULTS
"Library Manager" does not work due to the following issue:
ADDITIONAL INFORMATION