Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#72762 - [godot] unbundling 'certs' causes some issues
Attached to Project:
Community Packages
Opened by Sacha Delanoue (Shaac) - Monday, 15 November 2021, 20:25 GMT
Last edited by Alexander F. Rødseth (xyproto) - Monday, 13 December 2021, 14:28 GMT
Description:
With the current packaged godot, I cannot connect to a websocket on my server. I have no problems with an exported version of my project (tested on linux, web and android), or with the editor downloaded from the godot website, or if I package godot myself and remove 'cert' from the 'to_unbundle' list. I had not tested my project for several months, but the bug has been here for at least a few weeks. I can at least confirm it was present with the previous 3.3 version, and the current 3.4 one. In my opinion, this feels like it is linked with the Let's Encrypt root certificate that expired in September: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ However, server-side my certificates are up to date (still not due for renewal), and my client is up to date (with the ca-certificates, ca-certificates-mozilla and ca-certificates-utils packages installed). So I don't know what additional entries godot's certificate file has, but maybe it's not a good idea to unbundle it after all.

Steps to reproduce: I've created a minimal reproduction. Client side, I create a scene and attach a script containing the websocket example from https://docs.godotengine.org/en/stable/tutorials/networking/websocket.html The address to use can be my own server for testing: "wss://porygon.shaac.me:46321". I attach this minimal project to this ticket for simplicity, but it really takes 2 minutes to recreate it. Server side, I have the simplest websocket server, in python (with the python-websockets package).
Code is the following:

```python
#!/usr/bin/env python3
import asyncio
import ssl
import sys

import websockets


async def handler(websocket, path):
    # Minimal handler (legacy two-argument signature of the websockets package
    # in use at the time): the TLS handshake has already succeeded by the time
    # we get here, so just log who connected and let the connection close.
    print(f"Accepted client {websocket.remote_address}")


# The single argument is a PEM file holding the private key followed by the
# full certificate chain (see below).
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain(sys.argv[1])

start_server = websockets.serve(handler, "", 46321, ssl=ssl_context)
asyncio.get_event_loop().run_until_complete(start_server)
asyncio.get_event_loop().run_forever()
```

I feed it as argument the path to a relay.pem which is obtained with `cat {privkey,fullchain}.pem` in the Let's Encrypt certificate folder. I'm leaving my server open on "wss://porygon.shaac.me:46321" for the purpose of this ticket.
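An added diagnostic (not from the ticket or the godot project) that isolates the trust-store question the reporter raises: it generates a throwaway self-signed certificate with the openssl CLI (assumed installed), serves it on localhost, and runs the client handshake once against the system trust store only, as an unbundled build does, and once against the server's own certificate as CA file. A server that verifies only with its own bundle is exactly what an mbedtls verify failure looks like from the client side (the -9984 quoted later in this ticket is MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, -0x2700); the same two-context comparison can be pointed at any wss:// host to tell a trust-store gap from a server-side problem.

```python
import socket
import ssl
import subprocess
import tempfile
import threading

def make_self_signed():
    # Constructed test material: a throwaway self-signed certificate for localhost.
    tmp = tempfile.mkdtemp()
    key, cert = tmp + "/key.pem", tmp + "/cert.pem"
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return key, cert

def serve_once(key, cert):
    # Accept a single TLS connection on an ephemeral localhost port, in a thread.
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(cert, key)
    listener = socket.create_server(("127.0.0.1", 0))
    def run():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except OSError:
            pass  # the client rejected our certificate: that is the case under test
        finally:
            listener.close()
    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]

def handshake_result(port, cafile=None):
    # 'ok' or 'verify-failed'; cafile=None means the system trust store only.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"x")
        return "ok"
    except ssl.SSLCertVerificationError:
        return "verify-failed"

def compare_trust_stores():
    # Same server, two trust stores: 'ok' only with its own CA file = missing root.
    key, cert = make_self_signed()
    return {label: handshake_result(serve_once(key, cert), cafile)
            for label, cafile in (("system", None), ("own-cafile", cert))}
```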
Closed by Alexander F. Rødseth (xyproto)
Monday, 13 December 2021, 14:28 GMT
Reason for closing: Fixed
Attachment: godot_test_cert.tar.gz
I've even created a blacklist folder because I found it strange that the folder is called blocklist but is referred to as blacklist everywhere.
After update-ca-trust, DST_Root_CA_X3.pem is no longer in /etc/ca-certificates/extracted/cadir/, but even after a reboot the problem is still here.
To be fair, the workaround is for OpenSSL 1.0.2 and I have 1.1.1, so I did not expect it to change anything.
Note that only godot (in editor mode) fails to connect to the server (the exact error is: _do_handshake: TLS handshake error: -9984). If I use a python websocket client, it works fine. Calling curl with https works fine as well, so it's not a system-wide issue. I've encountered issues only with the packaged version of godot so far.
It seems godot uses mbedtls instead of openssl; maybe there are some specific steps to do for that library.
I hope that it can be unbundled again in the future.
Please confirm that the godot package is now working as expected.