regression: remote-build fails OpenSSL error

[Hook25]

Bug Description

Using snapcraft 8.0.1 when issuing remote-build of a snap it fails with the following error:

 series_classic16 (main) >  snapcraft remote-build
Traceback (most recent call last):
  File "/snap/snapcraft/10279/bin/snapcraft", line 5, in <module>
    from snapcraft.cli import run
  File "/var/lib/snapd/snap/snapcraft/10279/lib/python3.10/site-packages/snapcraft/cli.py", line 35, in <module>
    from snapcraft.remote import RemoteBuildError
  File "/var/lib/snapd/snap/snapcraft/10279/lib/python3.10/site-packages/snapcraft/remote/__init__.py", line 29, in <module>
    from .git import (
  File "/var/lib/snapd/snap/snapcraft/10279/lib/python3.10/site-packages/snapcraft/remote/git.py", line 27, in <module>
    import pygit2
  File "/var/lib/snapd/snap/snapcraft/10279/lib/python3.10/site-packages/pygit2/__init__.py", line 275, in <module>
    settings = Settings()
  File "/var/lib/snapd/snap/snapcraft/10279/lib/python3.10/site-packages/pygit2/settings.py", line 55, in __init__
    self._initialize_tls_certificate_locations()
  File "/var/lib/snapd/snap/snapcraft/10279/lib/python3.10/site-packages/pygit2/settings.py", line 61, in _initialize_tls_certificate_locations
    self.set_ssl_cert_locations(
  File "/var/lib/snapd/snap/snapcraft/10279/lib/python3.10/site-packages/pygit2/settings.py", line 191, in set_ssl_cert_locations
    option(_pygit2.GIT_OPT_SET_SSL_CERT_LOCATIONS, cert_file, cert_dir)
_pygit2.GitError: OpenSSL error: failed to load certificates: error:00000000:lib(0)::reason(0)

When downgrading to snapcraft 7.x (7.5.4) it works:

 series_classic16 (main) >  snap refresh snapcraft --channel=7.x
snapcraft (7.x/stable) 7.5.4 from Canonical✓ refreshed
 series_classic16 (main) >  snapcraft remote-build
snapcraft remote-build is experimental and is subject to change - use with caution.                                                                                                  
All data sent to remote builders will be publicly available. Are you sure you want to continue? [y/N]: y
Using build ID snapcraft-checkbox-c928b55e6efa0183cc3c1512dd0ca526

To Reproduce

• Install Snapcraft 8.0.1
• Run snapcraft remote-build

Environment

• snapd 2.61.1
• snapcraft 8.0.1
• ArchLinux

snapcraft.yaml

name: checkbox
summary: Checkbox test runner
description: |
  Checkbox is a flexible test automation software.
  It’s the main tool used in Ubuntu Certification program.
adopt-info: version-calculator
grade: stable
confinement: classic

base: core

apps:
  checkbox-cli:
    command-chain: [bin/wrapper_local]
    command: bin/checkbox-cli-wrapper
  test-runner:
    command-chain: [bin/wrapper_local]
    command: bin/test-runner
  sru:
    command-chain: [bin/wrapper_local]
    command: bin/sru
  client-cert-iot-server:
    command-chain: [bin/wrapper_local]
    command: bin/client-cert-iot-server
  configure:
    command: bin/configure
  agent:
    command-chain: [bin/wrapper_local]
    command: bin/checkbox-cli-wrapper run-agent
    daemon: simple
    restart-condition: always
    restart-delay: 1s
  shell:
    command-chain: [bin/wrapper_local]
    command: bin/shell-wrapper

passthrough:
  hooks:
    configure:
      command-chain: [bin/wrapper_local]

parts:
  version-calculator:
    plugin: dump
    source: .
    override-pull: |
      snapcraftctl pull
      # version.txt created by prepare.sh
      export version=`cat $SNAPCRAFT_PART_SRC/version.txt`
      [ $version ] || exit 1
      snapcraftctl set-version $version
    stage:
      - version.txt
  launchers:
    plugin: dump
    source: launchers/
    organize:
      '*': bin/
  config-variables:
    plugin: dump
    source: .
    stage: [config_vars]
  workaround-automated-review-issue:
    plugin: nil
    override-build: |
      # This is a workaround for an upstream bug in the automated snap review tool
      # remove this once this issue is resolved:
      # https://bugs.launchpad.net/review-tools/+bug/2049093
      dd if=/dev/urandom of=$SNAPCRAFT_PART_INSTALL/size_workaround bs=16k count=1

Relevant log output

N/A (see above)

Additional context

No response

[mr-cal]

Two more occurrences of this issue have been reported here, one on Rocky Linux and the other on Arch.

I believe this occurs for Ubuntu if ca-certificates is not installed. I'm not sure of the cause or solution for Rocky, Arch, and others. Possibly SSL_CERT_DIR or SSL_CERT_FILE is set.

We'll need to do some research on how pygit2 determines which SSL directory or files to set.

[sergiusens]

Hi, seems you skipped the OS in Environment, mind clarifying? If so a fix may or may not work in your case.

[Hook25]

Sorry I have updated the issue with my OS. I have reported this from ArchLinux but I can not recreate the same problem on Ubuntu23.10 or 22.04.

[sergiusens]

this should be fixed and available on candidate shortly then! Feel free to reopen if not