Fixing: Unacceptable TLS error #2580
Comments
|
hi, i think i've figured this out. this stems from the let's encrypt expiry. if i copy if flathub can update to a non-let's encrypt cert, this will fix things for people using older OSes, etc. |
|
I can reproduce this on older RHEL installation (flatpak-1.0.9-12) and I found a workaround which is installing flathub through gnome-software. |
|
Can you try to figure out which of curl's TLS backends flatpak is using on Ubuntu? As far as I can tell, I think the default is OpenSSL, which is the same we have on Fedora. But there should be no way OpenSSL should be failing with this simple chain unless it is way older than you have in Ubuntu 20.04. Please paste the output of:
Your distro's command-not-found handler should be able to install these tools for you if you are missing them.
Not good. What version of RHEL? |
I mixed this up with #2123. Suffice to say: distro is very relevant. The curl TLS backend used varies by distro and by distro version. RHEL 8 should be openssl. I think RHEL 7 would be... NSS? Or perhaps GnuTLS? I'm really not sure. Would have to check to be certain. |
|
Also check to ensure you have ISRG Root X1 in your trust store. How to do this varies by distro. Using seahorse would be a safe bet that should work everywhere. |
|
Hopefully someone can help me with this. I'm a total newb to linux hopefully someone can explain in super easy terms (this was a Christmas present, so I;m just learning this. back in the mid 90s I thought nothing of using DOS commands to do everything on a computer. then windows went and made everything to easy. So I am not computer illiterate, just have been dumbed-down . I know my chromebook is Lenovo and is using the ARM (my husband has the pixel slate and has helped trying to set up Prusa Slicer) |
|
Blender is not available ARM so it's gonna be pointless. |
so i think there's two audiences interested in this issue ... 1. is people trying to install software, 2. is people publishing software. for 1. i'm like "sure, i don't mind noodling around in my computer, figuring out what this seahorse thing is", etc. for 2. i'm like ... "wait? so exactly what do i communicate to my [often complete novice] users?" the exciting thing about flatpaks is that we can make software available to chromebooks, a whole class of user traditionally cut off from the linux ecosystem. so it would be great if these sorts of issues could generate a more sympathetic response, and perhaps even a solution. it's easy to dismiss novice users, but i think there's real value in making things accessible to as broad an audience as possible. a reasonably simple solution here would be to use a non-let's encrypt cert, or if that's too much, simply mirroring the with thanks |
I replied above with a request for several bits of info, which you haven't provided yet. Maybe you missed that? This issue is blocked on you, not on devs. If you provide the requested info, I'll take a look.
No, we need to figure out what is actually wrong. |
seahorse is a graphical application (possibly still installed by default on Ubuntu, last I checked?) so it should be pretty simple, but this step can be optional, as it's unlikely that you would be missing this cert. |
|
this is from the focal image running on appveyor |
|
Er, but all of those succeeded. Hmm. Please try your original failing command again to confirm it is really still failing: Is it really still broken? If only flatpak fails to handle flathub.org, that would be weird, but would certainly indicate a flatpak bug. I just noticed this is the flathub issue tracker. This issue should be closed as there is obviously nothing wrong with flathub here. We can continue here to figure out which component is really to blame, then move to a more appropriate location. |
BTW I should clarify: having examined the TLS certificate chain, it's clear that flathub.org is presenting a good chain. Whatever is going wrong is a bug on the client side software (ca-certificates -> openssl -> libcurl -> flatpak), not on flathub's end. That's not to say that this was a bad place to originally report the issue, but that we now know enough to confidently say it's not the right place to fix it. |
|
Trying to install a flatpak on RHEL 7, facing the same problem. Was there a fix found? |
No, the last action in this issue was a request for me for further info. P.S. There is no way flatpak applications will work properly on RHEL 7 because the host system is just not new enough. You're going to be missing p11-kit-server, xdg-desktop-portal[-gtk], and more. So honestly, I don't recommend even trying to get it to work. But if you really want to try, I would create a separate issue report for starters. |
|
@mcatanzaro I was able to install flatpak on a rhel 7 using |
Er... are you sure you simply didn't have it configured already? If you deleted the configuration that was causing the command to fail without saving it somewhere, then of course you've probably lost the reproducer required for a bug report.... |
|
It was on a virtualbox RHEL 7.6 VM. I can try to reproduce the problem on a new VM and get back to you. @mcatanzaro |
|
My hunch is the original case has something to do with https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ (and the fact that the second root CA expired) but I can't figure out how. |
That was my first thought too, but it shouldn't be happening because Ubuntu 20.08 has the ISRG Root X1 certificate (we know this because all the commands that I asked for succeeded). And the OpenSSL version in Ubuntu 20.08 is also new enough to handle the chain of trust. IMO there's nothing more to do here besides to wait for Jonathon to confirm whether the original command is really still failing. Maybe there really was a bug with flathub.org, but it was transient and already long since fixed? Who knows.
If you're a Red Hat customer, you can report this downstream using a customer case, and the NSS developers might be willing to investigate. I see the ca-certificates package in RHEL 7.6 has been upgraded recently, so it ought to have ISRG Root X1, but maybe the old version of NSS is tripping over the expiration of DST Root CA X3. I certainly wouldn't expect this to work due to the very unusual configuration and old software versions, so from an upstream perspective, I wouldn't worry about this any further unless you can reproduce in RHEL 8, where things are much more normal (curl using a recent version of OpenSSL) and would be expected to work. If you really really need things to work in RHEL 7, I would try rebuilding the libcurl package to use OpenSSL instead of NSS, which ought to be able to handle this chain fine. One thing's for sure: it's extremely unlikely to be the same problem that Jonathon is experiencing, since you are using entirely separate distros with different curl backends and different ca-certificate packages. |
hi, apologies for the delay, yes, the command seems to be now working. i'll touch base with some of my users and see if it is resolved for them now too. i'd close this issue, but i'm not quite sure if i should with the subsequent discussion ... so i'll leave it to you guys. thanks for you help. |
|
Something I noticed: libsoup in Debian does not pull in ca-certificates while libcurl does. Curl package also does. So most likely in various installations by the time you start debugging CA issues, they become fixed through testing. |
It should be closed. |
|
@jonathon-love yes, please, close this. The ca-certificates dependency mess is something Debian should resolve. |
|
This is what I did and It resolved the problem for me: |
Interesting! This should definitely not be required. That certificate should be ignored because it is expired. I think you have proved that there is a Debian bug here. If you are using a supported version of Debian (either Buster or Bullseye) then you should (1) determine whether there is a problem with libcurl's OpenSSL backend, or a problem with OpenSSL itself, using the commands I've provided here, then (2) report a bug against the appropriate component on Debian's bug tracker. My suspicion is that somehow Debian's OpenSSL is too old, and there is nothing wrong with the ca-certificates. But it's hard to be certain, since there are now three different users in this issue with at least two different problems, which is confusing things. Moving to downstream bugtracker is certainly required now. |
|
FWIW Debian 9 -> https://packages.debian.org/stretch/libcurl3 OpenSSL 1.0.2d. |
OK, wow, you are right. Debian 9 (Stretch) is expected to be broken, then. I got confused because I saw the default version of OpenSSL in Stretch was 1.1.0l, but that doesn't matter because curl is using the older version of OpenSSL. You need at least OpenSSL 1.1.0 to use Flathub. |
|
Well, I would even state you need Debian 10 or higher to use the Internet with anything curl-based given how common Let's Encrypt is. |
|
i on artix linux got same problem, but on |
|
In case someone runs an elderly version of openSUSE, the solution is: Be sure not to replace the existing ISRG_Root_X1.pem with a freshly downloaded version. |
|
@SamsonovAnton is that yet another bug in crypto library that fails to ignore expired CA? |
This is the same bug as referred to by @iamihgam in the comment above. Funny enough, out of all tests the only one that was failing for me was the last one with |
|
I will throw in our experience with EasyOS. We have a fix, but it is very strange... EasyOS has "Flapi", Flatpak Installer, and it works great. No problem with registering with flathub.org, but then I received a report from one person who got that "unacceptable TLS certificate" when try to register with flathub. So far, three people have reported this failure. Which is very puzzling, as it works for the rest of us. Then one of those three stumbled upon a fix: to set the time from the Internet. Another of those three has tried that, and it also fixed the problem. Yeah, but why? Federico has suggested why on page 6 where we have been discussing this on the Puppy Linux Forum: https://forum.puppylinux.com/viewtopic.php?t=9038 Yet federico has no problem with TLS anywhere else, only with flathub. Oh, and for the record, EasyOS has flatpak 1.12.8. The reason we are not using a later series is because Easy has 'appstream-glib' and the later series have dropped that and require more dependencies that Easy doesn't have. |
|
Also, as this person reported, updating the ca-certificates did not fix the problem, but syncing time from Internet did: https://itsfoss.com/unacceptable-tls-certificate-error-linux/ Why this problem is occurring only with flathub.org, and why the sync time with Internet fixes it? |
If that's the fix then that's a problem in the client machines whose clock isn't on tim. Why it (seems to) happen only for flathub is left as an exercise to the reader. But it could just mean the clock drift cause a certificate to be invalid (future or past), and that could also happen with many other certs. |
hi,
this is a dupe of #502, and i think relevant to #2123
the command
flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepofails on appveyor, witherror: Can't load uri https://flathub.org/repo/flathub.flatpakrepo: Unacceptable TLS certificatei'm using theUbuntu2004image.there is some discussion of how this might be fixed on #502, however there seems to be assumed knowledge as to what is actually failing here, which i don't possess. any tips on how this might be addressed?
i note that it's possible to install the flathub remote as a by-product of perfoming this sort of install:
i can install the remote by performing an installation as the above, then uninstall that, then i can install from flathub with:
with thanks
The text was updated successfully, but these errors were encountered: