Yellow-Dog-Man / Resonite-Issues

Issue repository for Resonite.
https://resonite.com

Resonite Infrastructure Uses Mono Incompatible SSL Certificates #724

Closed Nammi-namm closed 5 days ago

Nammi-namm commented 11 months ago

Describe the bug?

Basically Mono has a garbage SSL certificate store and doesn't work properly with Let's Encrypt, at least not reliably. The workaround for this is to either A) not use Mono or B) use any SSL certificate other than Let's Encrypt. Actual SSL certificates are stupidly cheap these days so that shouldn't be an issue, alternatively there's a handful of free SSL providers now (some even compatible with certbot) that could be used instead, none of which have this issue (that I'm aware of).

To Reproduce

Use a Linux server running Mono. You'll see errors like:

Exception running PUT request to https://skyfrost-archive.resonite.com/assets/(redacted). Remaining retries: 6. Elapsed: 3.88s
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> 
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

... resulting in those connections outright failing.

Expected behavior

For the connection to succeed.

Screenshots

No response

Resonite Version Number

Beta 2023.10.19.620

What Platforms does this occur on?

Linux

What headset if any do you use?

No response

Log Files

Headless log showing the issue:

headless.log

Additional Context

Tangentially, this is also why https:// links to some content outside of Neos/Resonite in worlds didn't work, again I assume due to the use of Mono, so it's all round best that anyone also hosting content for the game outside of the platform itself also avoid using Let's Encrypt.

Reporters

Enverex @enverex

shadowpanther commented 11 months ago

The way this is fixed for my Headless image:

https://github.com/shadowpanther/resonite-headless/blob/97868888c43a903a2c47d54711c2103e8d99fe90/Dockerfile#L36C1-L37

# Fix the LetsEncrypt CA cert
RUN sed -i 's#mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf && update-ca-certificates
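
An idempotent form of the Dockerfile fix quoted above, as an added example that is not part of the thread or of shadowpanther's image: the plain `sed` substitution prepends another `!` every time it runs, while this version edits only an active entry and reports the entry's state. The function names `ca_state`, `disable_ca` and `demo` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). In /etc/ca-certificates.conf a line
# prefixed with "!" is deselected by update-ca-certificates.
ENTRY='mozilla/DST_Root_CA_X3.crt'
ENTRY_RE='mozilla/DST_Root_CA_X3\.crt'   # same entry, dot escaped for sed

# Print "active", "disabled" or "absent" for ENTRY in the given conf file.
ca_state() {
    conf=$1
    if grep -qxF "$ENTRY" "$conf"; then
        echo active
    elif grep -qxF "!$ENTRY" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Prefix ENTRY with "!" only when it is currently active (safe to re-run).
disable_ca() {
    conf=$1
    [ "$(ca_state "$conf")" = active ] || return 0
    out=$(mktemp) || return 1
    sed "s#^${ENTRY_RE}\$#!${ENTRY}#" "$conf" > "$out" && cat "$out" > "$conf"
    rc=$?
    rm -f "$out"
    return $rc
}

# Runs both functions against a constructed sample file, not a real host's conf.
demo() {
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'mozilla/ISRG_Root_X1.crt' \
        "$ENTRY" 'mozilla/ISRG_Root_X2.crt' > "$sample"
    before=$(ca_state "$sample")
    disable_ca "$sample"
    disable_ca "$sample"                 # second call must change nothing
    after=$(ca_state "$sample")
    doubled=$(grep -c '^!!' "$sample" || true)
    rm -f "$sample"
    echo "$before $after $doubled"
}

demo
# On a real image: disable_ca /etc/ca-certificates.conf && update-ca-certificates
```
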

Frooxius commented 11 months ago

Unfortunately neither A) nor B) are viable solutions right now.

A) On Linux, you need to use Mono to run the server. We will switch to .NET 8+ at some point, but that's not a quick solution.

B) The Skyfrost Archive service for R2 buckets is managed by Cloudflare and we don't control the certificates they use.

In absence of any other solutions you might just need to update your Mono certificates to work around this.

win189 commented 9 months ago

Any updates on this issue?

shiftyscales commented 9 months ago

Everything Frooxius said above is still current, @win189. We've not yet moved over to .NET 8+, and as he indicated, we don't control which certificates Cloudflare use.

"In absence of any other solutions you might just need to update your Mono certificates to work around this."

stiefeljackal commented 2 months ago

Since the Headless Client, also known as the Headless Server Software, is now on .NET 8, this issue should be resolved now, correct?

shiftyscales commented 5 days ago

This issue should have been implicitly resolved by #2265.