module glu: server certificate verification failed about shared-modules HOT 13 CLOSED

The bug was when cURL was built with gnuTLS backend These days everyone builds it with OpenSSL which was not affected.

What version of Ubuntu are you on? I'm guessing the fix never reached there.

gnuTLS fixed the issue in 3.7.1.

We can switch it to tarballs from gitlab.freedesktop.org to bypass the whole issue I think.

from shared-modules.

Does https://archive.mesa3d.org/glu/glu-9.0.2.tar.xz work for you?

from shared-modules.

No, same error.

from shared-modules.

I had this issue too.

It seems to be a duplicate of flatpak/flatpak-builder#468

One workaround is (from the linked ticket) to use the flatpak version of flatpak-builder. I.e.

flatpak install org.flatpak.Builder
flatpak run org.flatpak.Builder --force-clean --repo=$FLATPAK/repository ...

from shared-modules.

If using the flatpak version of flatpak-builder fixed it, I think it can be considered fixed already. Native packages of flatpak-builder are iffy.

from shared-modules.

This problem is still not fixed as at 16 January 2024 using

runtime: org.freedesktop.Platform
runtime-version: '23.08'
sdk: org.freedesktop.Sdk

none of the addresses work:

https://mesa.freedesktop.org/archive/glu/glu-9.0.3.tar.xz

https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz

I have not tested @Dretch solution because it seems more like a 'hack' than a fix.

Failed to download sources: module glu: server certificate verification failed. CAfile: none CRLfile: none

Even after:

apt install --reinstall ca-certificates

from shared-modules.

@Kentoseth flatpak-builder uses the certificates from your host, so there is nothing more it can do.

On my OS (Fedora 39) all of those URLs have valid certificates.

The workaround mentioned above probably bypasses this by having certs from the flatpak runtime used.

from shared-modules.

@TingPing are you sure the issue is not with flatpak?

I can visit that URL fine without an error in the browser and wget gives no error either:

wget https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz
--2024-01-16 xxx--  https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz
Resolving archive.mesa3d.org (archive.mesa3d.org)... xxx, xxx
Connecting to archive.mesa3d.org (archive.mesa3d.org)|xxx|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 218968 (214K) [application/x-xz]
Saving to: ‘glu-9.0.3.tar.xz’

glu-9.0.3.tar.xz       100%[=========================>] 213.84K   168KB/s    in 1.3s    

2024-01-16 xxx (168 KB/s) - ‘glu-9.0.3.tar.xz’ saved [218968/218968]

The only thing I can think of that might be an issue is that I'm using an nspawn container, but none of the other HTTPs URLs gave any errors till now.

Is there an alternative way to tell the build process that the .tar.xz file is located at /path/to or is it necessary to have it download the package as per the build process?

from shared-modules.

I can visit that URL fine without an error in the browser and wget gives no error either:

flatpak-builder uses libcurl, so testing curl would be interesting.

Is there an alternative way to tell the build process that the .tar.xz file is located at /path/to or is it necessary to have it download the package as per the build process?

It expects the files in .flatpak-builder/downloads/fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c/foo.tar.xz, I'm not sure what hash it expects offhand though.

from shared-modules.

the hash is the checksum specified in the manifest.

from shared-modules.

flatpak-builder uses libcurl, so testing curl would be interesting.

So this is what I get:

curl -O https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 213k 100 213k 0 0 90361 0 0:00:02 0:00:02 --:--:-- 90370

I also closely inspected the download when running flatpak builder:

Downloading sources
Downloading https://mesa.freedesktop.org/archive/glu/glu-9.0.3.tar.xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 162 100 162 0 0 154 0 0:00:01 0:00:01 --:--:-- 155
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
Failed to download sources: module glu: server certificate verification failed. CAfile: none CRLfile: none

It looks like something does download till 100%.

The issue seems to be in flatpak somewhere, so I hope this bug report is helpful and accurate.

from shared-modules.

I'm just not sure it is very actionable. It could have been fixed in an update of something.

Just for context I have:

• flatpak-builder-1.4.0
• curl 8.2.1 (x86_64-redhat-linux-gnu) libcurl/8.2.1 OpenSSL/3.1.1 zlib/1.2.13 brotli/1.1.0 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh/0.10.6/openssl/zlib nghttp2/1.55.1 OpenLDAP/2.6.6 Release-Date: 2023-07-26 Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets

from shared-modules.

What version of Ubuntu are you on? I'm guessing the fix never reached there.

sorry for not providing that info before. I commented here cause it is the same OS/version as OP:

Ubuntu 22.04

from shared-modules.