module glu: server certificate verification failed

[Mailaender]

Downloading sources
Downloading https://mesa.freedesktop.org/archive/glu/glu-9.0.2.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   162  100   162    0     0    439      0 --:--:-- --:--:-- --:--:--   440
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Failed to download sources: module glu: server certificate verification failed. CAfile: none CRLfile: none

This happens on Ubuntu 22.04 based operating systems.

[TingPing]

Does https://archive.mesa3d.org/glu/glu-9.0.2.tar.xz work for you?

[Mailaender]

No, same error.

[Dretch]

I had this issue too.

It seems to be a duplicate of https://github.com/flatpak/flatpak-builder/issues/468

One workaround is (from the linked ticket) to use the flatpak version of flatpak-builder. I.e.

flatpak install org.flatpak.Builder
flatpak run org.flatpak.Builder --force-clean --repo=$FLATPAK/repository ...

[orowith2os]

If using the flatpak version of flatpak-builder fixed it, I think it can be considered fixed already. Native packages of flatpak-builder are iffy.

[Kentoseth]

This problem is still not fixed as at 16 January 2024 using

runtime: org.freedesktop.Platform
runtime-version: '23.08'
sdk: org.freedesktop.Sdk

none of the addresses work:

https://mesa.freedesktop.org/archive/glu/glu-9.0.3.tar.xz

https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz

I have not tested @Dretch solution because it seems more like a 'hack' than a fix.

Failed to download sources: module glu: server certificate verification failed. CAfile: none CRLfile: none

Even after:

apt install --reinstall ca-certificates

[TingPing]

@Kentoseth flatpak-builder uses the certificates from your host, so there is nothing more it can do.

On my OS (Fedora 39) all of those URLs have valid certificates.

The workaround mentioned above probably bypasses this by having certs from the flatpak runtime used.

[Kentoseth]

@TingPing are you sure the issue is not with flatpak?

I can visit that URL fine without an error in the browser and wget gives no error either:

wget https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz
--2024-01-16 xxx--  https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz
Resolving archive.mesa3d.org (archive.mesa3d.org)... xxx, xxx
Connecting to archive.mesa3d.org (archive.mesa3d.org)|xxx|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 218968 (214K) [application/x-xz]
Saving to: ‘glu-9.0.3.tar.xz’

glu-9.0.3.tar.xz       100%[=========================>] 213.84K   168KB/s    in 1.3s    

2024-01-16 xxx (168 KB/s) - ‘glu-9.0.3.tar.xz’ saved [218968/218968]

The only thing I can think of that might be an issue is that I'm using an nspawn container, but none of the other HTTPs URLs gave any errors till now.

Is there an alternative way to tell the build process that the .tar.xz file is located at /path/to or is it necessary to have it download the package as per the build process?

[TingPing]

I can visit that URL fine without an error in the browser and wget gives no error either:

flatpak-builder uses libcurl, so testing curl would be interesting.

Is there an alternative way to tell the build process that the .tar.xz file is located at /path/to or is it necessary to have it download the package as per the build process?

It expects the files in .flatpak-builder/downloads/fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c/foo.tar.xz, I'm not sure what hash it expects offhand though.

[hfiguiere]

the hash is the checksum specified in the manifest.

[Kentoseth]

flatpak-builder uses libcurl, so testing curl would be interesting.

So this is what I get:

curl -O https://archive.mesa3d.org/glu/glu-9.0.3.tar.xz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 213k 100 213k 0 0 90361 0 0:00:02 0:00:02 --:--:-- 90370

I also closely inspected the download when running flatpak builder:

Downloading sources Downloading https://mesa.freedesktop.org/archive/glu/glu-9.0.3.tar.xz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 162 100 162 0 0 154 0 0:00:01 0:00:01 --:--:-- 155 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0 Failed to download sources: module glu: server certificate verification failed. CAfile: none CRLfile: none

It looks like something does download till 100%.

The issue seems to be in flatpak somewhere, so I hope this bug report is helpful and accurate.

[TingPing]

I'm just not sure it is very actionable. It could have been fixed in an update of something.

Just for context I have:

• flatpak-builder-1.4.0
• curl 8.2.1 (x86_64-redhat-linux-gnu) libcurl/8.2.1 OpenSSL/3.1.1 zlib/1.2.13 brotli/1.1.0 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh/0.10.6/openssl/zlib nghttp2/1.55.1 OpenLDAP/2.6.6 Release-Date: 2023-07-26 Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets

[bbhtt]

The bug was when cURL was built with gnuTLS backend These days everyone builds it with OpenSSL which was not affected.

What version of Ubuntu are you on? I'm guessing the fix never reached there.

gnuTLS fixed the issue in 3.7.1.

We can switch it to tarballs from gitlab.freedesktop.org to bypass the whole issue I think.

[Kentoseth]

What version of Ubuntu are you on? I'm guessing the fix never reached there.

sorry for not providing that info before. I commented here cause it is the same OS/version as OP:

Ubuntu 22.04