"SSL Handshake failed" on Google Fonts with latest Linux phantomjs binary

[obilodeau]

Not quite like #68 since this is not from within a Docker environment.

$ phantomjs decktape.js security-research.html security-research.pdf
Loading page security-research.html ...
+- Viewport argument key "minimal-ui" not recognized and ignored.
|_ file:///[...]/security-research.html: 1
+- Unable to load resource from URL: https://fonts.googleapis.com/css?family=Open+Sans:400,700,400italic,700italic
|_ Error code: 6
|_ Description: SSL handshake failed
+- Unable to load resource from URL: https://fonts.googleapis.com/css?family=Montserrat:700
|_ Error code: 6
|_ Description: SSL handshake failed
Loading page finished with status: success
Reveal JS DeckTape plugin activated
^C

Output with --debug=true:

[...]
2016-11-23T21:39:23 [DEBUG] WebPage - updateLoadingProgress: 47
2016-11-23T21:39:24 [DEBUG] Network - SSL Error: "The issuer certificate of a locally looked up certificate could not be found"
2016-11-23T21:39:24 [DEBUG] Network - SSL Error: "The root CA certificate is not trusted for this purpose"
2016-11-23T21:39:24 [DEBUG] Network - Resource request error: QNetworkReply::NetworkError(SslHandshakeFailedError) ( "SSL handshake failed" ) URL: "https://fonts.googleapis.com/css?family=Open+Sans:400,700,400italic,700italic"
+- Unable to load resource from URL: https://fonts.googleapis.com/css?family=Open+Sans:400,700,400italic,700italic
|_ Error code: 6
|_ Description: SSL handshake failed
2016-11-23T21:39:24 [DEBUG] Network - Resource request error: QNetworkReply::NetworkError(SslHandshakeFailedError) ( "SSL handshake failed" ) URL: "https://fonts.googleapis.com/css?family=Montserrat:700"
+- Unable to load resource from URL: https://fonts.googleapis.com/css?family=Montserrat:700
|_ Error code: 6
|_ Description: SSL handshake failed
2016-11-23T21:39:24 [DEBUG] WebPage - setupFrame ""
[...]

I tried playing with --ssl-certificates-path, including adding --ssl-certificates-path=/etc/ssl/certs/ but it didn't work.

To work around the issue, add: --ignore-ssl-errors=true between phantomjs and decktape.js on the command-line. However it would be preferable to find a proper fix than to completely drop security.

• Decktape current latest from git rev 244e4ab
• PhantomJS version 2.2.0-development, sha1 hash: 47a37457cb2a5c2bcbca02e36eec4ee67784e528

[astefanutti]

As you've pointed out, the Docker image faced a similar issue with #68, that's been fixed with @ee6891524d65406978032ed3d54fcfe7f82de31c, that is by installing the ca-certificates package. Could you give that a try?

[obilodeau]

ca-certificates is already installed. It is required by curl, the gnome desktop, QT and a bunch of other stuff. Actually, /etc/ssl/certs/ is a bunch of symlink to ca-certificates installed files.

[astefanutti]

Is it up-to-date?

[obilodeau]

Yes it is. This is my main system and I have no certificate errors on https://fonts.googleapis.com with Chrome, Firefox, curl, wget, etc.

[astefanutti]

Could you precise what's the Linux distro you're using so that I can try to reproduce?

[obilodeau]

Arch Linux. I just re-tested and the error is still happening. Sorry for the delayed response.

[astefanutti]

No pb. Thanks for the update. I'll try to reproduce ASAP.

[astefanutti]

I've tried reproducing the issue using the following Arch Linux based Docker image spec:

FROM base/archlinux:latest

RUN pacman -S archlinux-keyring
RUN pacman -Syu
RUN pacman -S curl fontconfig ca-certificates --noconfirm
RUN update-ca-trust

WORKDIR /
RUN curl -L https://github.com/astefanutti/decktape/archive/v1.0.0.tar.gz | tar -xz --exclude phantomjs
WORKDIR /decktape-1.0.0
RUN curl -L https://github.com/astefanutti/decktape/releases/download/v1.0.0/phantomjs-linux-x86-64 -o phantomjs
RUN chmod +x phantomjs

Exporting the default Remark presentation, that contains references to https://fonts.gstatic.com/ and https://fonts.googleapis.com/, works as expected.

So unfortunately I'm unable to reproduce. Even if you have no error with other applications on your system, I may suggest to:

• run update-ca-trust
• re-install ca-certificates
• install ca-certificates-mozilla

Let me know if I miss anything or I can do anything further to help.

[marquiz]

I'm seeing similar problem (with phantomjs v2.1.1) on Fedora25. Virtually all google urls fail to load. With PhantomJS version 1.9.8 they load perfectly fine

[astefanutti]

Should be fixed in version 2.0.1 that uses headless Chrome. Let me know if you still face this issue.