Community Packages


FS#72762 - [godot] unbundling 'certs' causes some issues

Attached to Project: Community Packages
Opened by Sacha Delanoue (Shaac) - Monday, 15 November 2021, 20:25 GMT
Last edited by Alexander F. Rødseth (xyproto) - Monday, 13 December 2021, 14:28 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Alexander F. Rødseth (xyproto)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

With the current packaged godot, I cannot connect to a websocket on my server. I have no problems with an exported version of my project (tested on linux, web and android), or with the editor downloaded from the godot website, or if I package godot myself and remove 'cert' from the 'to_unbundle' list.

I had not tested my project for several months, but the bug has been here for at least a few weeks. I can at least confirm it was present with the previous 3.3 version and the current 3.4 one.

In my opinion, this feels like it is linked to the Let's Encrypt root certificate that expired in September: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ However, server-side my certificates are up to date (still not due for renewal), and my client is up to date (with the ca-certificates, ca-certificates-mozilla and ca-certificates-utils packages installed). So I don't know what additional entries godot's certificate file has, but maybe it's not a good idea to unbundle it after all.


Steps to reproduce:

I’ve created a minimal reproduction:

Client side, I create a scene and attach a script containing the websocket example from https://docs.godotengine.org/en/stable/tutorials/networking/websocket.html
The address to use can be my own server for testing: "wss://porygon.shaac.me:46321". I attach this minimal project to this ticket for simplicity, but it really takes 2 minutes to recreate it.

Server side, I have the simplest websocket server, in python (with python-websockets package). Code is the following:

```python
#!/usr/bin/env python3

import asyncio
import ssl
import sys
import websockets


async def handler(websocket, path):
    # Log every client that completed both the TLS and the WebSocket handshake.
    print(f"Accepted client {websocket.remote_address}")


# Server-side TLS context; argv[1] is a PEM file holding the private key
# followed by the full certificate chain.
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain(sys.argv[1])

# Listen on all interfaces, port 46321, with TLS (wss://).
start_server = websockets.serve(handler, "", 46321, ssl=ssl_context)

asyncio.get_event_loop().run_until_complete(start_server)
asyncio.get_event_loop().run_forever()
```

I feed it as argument the path to a relay.pem which is obtained with `cat {privkey,fullchain}.pem` in the Let's Encrypt certificate folder. I'm leaving my server open on "wss://porygon.shaac.me:46321" for the purpose of this ticket.
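Client-side counterpart to the steps above, as an added example (not the reporter's attached project): a Godot 3.x GDScript WebSocketClient that keeps certificate verification on but loads the server chain's root CA explicitly via trusted_ssl_certificate, so a handshake that fails with the default trust store and succeeds with the pinned root points at the trust store rather than the server. The host name and the certificate path are placeholders, and the script assumes the Godot 3.x WebSocketClient and X509Certificate API.

```gdscript
extends Node

# Added diagnostic client for this ticket; not the reporter's attached project.
# Host name and certificate path are placeholders.
const SERVER_URL := "wss://websocket.example.invalid:46321"
const CA_PATH := "res://isrg_root_x1.crt"  # placeholder: the chain's root CA, PEM

var _client := WebSocketClient.new()

func _ready() -> void:
    _client.connect("connection_established", self, "_on_connected")
    _client.connect("connection_error", self, "_on_error")
    _client.connect("connection_closed", self, "_on_closed")

    # Keep verification on: the goal is to learn which trust anchor makes the
    # handshake succeed, not to skip the check.
    _client.verify_ssl = true

    # Pin the trust anchor explicitly. Success here after a failure with the
    # default store means a trust-store problem (missing or expired root),
    # not a server-side one.
    var ca := X509Certificate.new()
    var err := ca.load(CA_PATH)
    if err == OK:
        _client.trusted_ssl_certificate = ca
    else:
        push_warning("Could not load %s (error %d); using default trust store" % [CA_PATH, err])

    err = _client.connect_to_url(SERVER_URL)
    if err != OK:
        push_error("connect_to_url failed with error %d" % err)
        set_process(false)

func _process(_delta: float) -> void:
    # WebSocketClient only makes progress when polled.
    _client.poll()

func _on_connected(protocol: String) -> void:
    print("TLS + WebSocket handshake OK (protocol: '%s')" % protocol)

func _on_error() -> void:
    # With the packaged godot from this ticket this is where -9984 surfaces:
    # -9984 == -0x2700 == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED.
    push_error("connection_error: TLS or WebSocket handshake failed")

func _on_closed(was_clean: bool) -> void:
    print("Connection closed, clean: ", was_clean)
    set_process(false)
```

Run it once with CA_PATH pointing at a file that does not exist (default store) and once at the chain's actual root; only the second run succeeding is the trust-store signature described in this ticket.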

Closed by  Alexander F. Rødseth (xyproto)
Monday, 13 December 2021, 14:28 GMT
Reason for closing:  Fixed
Comment by loqs (loqs) - Monday, 15 November 2021, 21:47 GMT

Comment by Sacha Delanoue (Shaac) - Tuesday, 16 November 2021, 13:52 GMT
I tried workaround 1 by doing `sudo cp /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem /etc/ca-certificates/trust-source/blocklist`
I even created a blacklist folder because I found it strange that the folder is called blocklist but is referred to as blacklist everywhere.
After update-ca-trust, DST_Root_CA_X3.pem is no longer in /etc/ca-certificates/extracted/cadir/, but even after a reboot the problem is still here.
To be fair, the workaround is for OpenSSL 1.0.2 and I have 1.1.1, so I did not expect it to change anything.

Note that only godot (in editor mode) fails to connect to the server (the exact error is: `_do_handshake: TLS handshake error: -9984`). If I use a python websocket client it works fine. Calling curl with https works fine as well, so it's not a system-wide issue. I've encountered issues only with the packaged version of godot so far.

It seems godot uses mbedtls instead of openssl; maybe there are some specific steps to do for that library.
Comment by Alexander F. Rødseth (xyproto) - Friday, 10 December 2021, 17:27 GMT
Thanks for reporting. I unbundled cert in the godot package that is now in [community] (godot 3.4-3).

I hope that it can be unbundled again in the future.

Please confirm that the godot package is now working as expected.
Comment by Sacha Delanoue (Shaac) - Sunday, 12 December 2021, 14:37 GMT
I confirm that godot 3.4-3 works as expected, thanks!