SSL errors occurred: The certificate has expired

[ghost]

VERSION / OS / ENVIRONMENT

• release/0.1 AppImage: https://download.librepcb.org/nightly_builds/release_0_1/librepcb-nightly-linux-x86_64.AppImage

LibrePCB Version: 0.1.6-rc1
Git Revision:     32a1097
Build Date:       2021-09-30T11:36:43
Qt Version:       5.14.2 (built against 5.14.2)
CPU Architecture: x86_64
Operating System: Debian GNU/Linux 10 (buster)
Platform Plugin:  xcb

• master AppImage: https://download.librepcb.org/nightly_builds/master/librepcb-nightly-linux-x86_64.AppImage

LibrePCB Version: 0.2.0-unstable
Git Revision:     6c6ba1f
Build Date:       2021-09-25T09:43:02
Qt Version:       5.14.2 (built against 5.14.2)
CPU Architecture: x86_64
Operating System: Debian GNU/Linux 10 (buster)
Platform Plugin:  xcb

SUMMARY

LibrePCB can't load libraries via "Library Manager"

STEPS TO REPRODUCE

1. Launch LibrePCB;
2. Open "Library Manager"
3. See error message.

EXPECTED RESULTS

"Library Manger" should work without issues.

ACTUAL RESULTS

"Library Manager" does not work due to next issue:

SSL errors occurred:

The certificate has expired

ADDITIONAL INFORMATION

[ubruhin]

That's very bad 😭 But I don't understand yet why this happens, actually the certificate of api.librepcb.org looks valid. Maybe it's somehow related to the OpenSSL library bundled within the AppImage 🤔 At least I can't reproduce this problem when building LibrePCB from sources.

[ghost]

Maybe it's somehow related to the OpenSSL library bundled within the AppImage

Take a look on next issues:

• Libreoffice Appimage SSL certificate expired antoniofaccioli/libreoffice-appimage#15
• AppImage SSL errors on load keepassxreboot/keepassxc#4219
• Detect when included into AppImage; root CA and engines path openssl/openssl#7481

As side note, does OpenSSL really needed to be included in AppImage? Why just not left its outside and lets LibrePCB-*.AppImage would use installed openssl package on each distro instead?

[ghost]

At least I can't reproduce this problem when building LibrePCB from sources.

What Linux distro you use? I use Debian, and there are some default path may be differ from Ubuntu or other dstros.

[ubruhin]

I think I have found the reason for this problem. Older OpenSSL library versions do no longer work with recent Let's Encrypt certificates: https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816

There seem to be a server-side workaround available, but I do not understand yet how to implement this workaround exactly. I'm working on it... In the worst case (if the workaround doesn't work) I think we have to create a new LibrePCB release.

As side note, does OpenSSL really needed to be included in AppImage? Why just not left its outside and lets LibrePCB-*.AppImage would use installed openssl package on each distro instead?

That's a good question. Of course this avoids the dependency to OpenSSL, but as we see now, bundling also leads to problems 🙈

Btw, our Windows builds are still working so probably only our Linux binaries (and maybe macOS?) are affected by this issue.

[ghost]

Btw, our Windows builds are still working so probably only our Linux binaries

Does Windows builds also include same OpenSSL version as it bundled into AppImage?

Also, take a look here — Windows may be affected too:

• https://stackoverflow.com/questions/69387175/git-for-windows-ssl-certificate-problem-certificate-has-expired

[ubruhin]

I think I could fix it server side! 🚀 @Symbian9 can you confirm it is working on your setup as well?

However, it's just a temporary workaround. Now we should think about how to avoid such issues in the future.

[ghost]

can you confirm it is working on your setup as well?

Confirmed!

[ghost]

Now we should think about how to avoid such issues in the future.

For any AppImage specific help:

• https://github.com/AppImage/AppImageKit/wiki#-where-do-i-get-support
• irc://irc.libera.chat:6697#AppImage

[dbrgn]

I think I could fix it server side!

What did you change?

[ubruhin]

What did you change?

I switched to the alternate certificate chain as explained in https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816.

[ubruhin]

So after thinking a bit about this, I propose to do the following:

• Update CI environment to bundle a much more recent OpenSSL version with our binary releases, and try to keep it up to date in future.
• Show the OpenSSL library version in the "About LibrePCB" dialog (tab "Details") to make it much easier to verify if the version is sufficient and bundling worked properly (it's known only at runtime, we can't assert for the OpenSSL library at compile time).
• Keep the alternate certificate chain for api.librepcb.org for quite some more time to avoid breaking LibrePCB <= 0.1.5 again.

So far I do not have any better idea. Unbundling OpenSSL is not really an option since then we couldn't ensure that the used OpenSSL version is compatible with the Qt version. So I think we really have to bundle it.

I also thought about using HTTP+signatures instead of HTTPS (like APT does), but I think this would be overkill and not worth the effort...

I'll close this issue since the current problem is fixed for now, and I'll open PRs to apply the suggested changes. Feel free to reopen if one does not agree.

[dbrgn]

Unbundling OpenSSL is not really an option since then we couldn't ensure that the used OpenSSL version is compatible with the Qt version.

This is only for our AppImage binary releases, right?

Keep in mind: This means we should probably publish new builds if there are any critical OpenSSL vulnerabilities being published (affecting the version we are bundling).

[ubruhin]

This is only for our AppImage binary releases, right?

No, it's for all binaries. Windows, Linux, macOS; Installers, archives and AppImages.

Keep in mind: This means we should probably publish new builds if there are any critical OpenSSL vulnerabilities being published (affecting the version we are bundling).

That's what I meant with "[...] and try to keep it up to date in future.". However, I don't think we have to create new LibrePCB releases each time a new vulnerability is known since LibrePCB is not a security critical application like a web browser. The API is accessed only rarely and supports only a very limited set of features. Also the downloaded libraries are not confidential at all (thus I thought about even using HTTP instead of HTTPS). So IMHO it would be totally fine to just update OpenSSL when we create a new release anyway. Yes, this opinion might be different to yours 😉

[dbrgn]

Sure, with "critical" I mean "critical with regards to LibrePCB". That's probably a small subset of vulnerabilities. And yes, libraries are most probably not critical at all, but projects (being sent to the ordering API) might be. (Although people with sensitive projects will probably not upload them to some ordering API, so this is not very realistic 😉)