
DDNet's HTTPS requests fail on NixOS on Steam

Open heinrich5991 opened this issue 4 years ago • 8 comments

[2021-06-14 09:18:48][http]: libcurl version 7.22.0 (compiled = 7.55.0-DEV)
[…]
[2021-06-14 09:18:49][http]: http https://master4.ddnet.tw/ddnet/15/servers.json
[2021-06-14 09:18:49][http]: http https://info2.ddnet.tw/info
* About to connect() to info2.ddnet.tw port 443 (#0)
*   Trying 104.21.78.207... * getaddrinfo(3) failed for master4.ddnet.tw:443
* Couldn't resolve host 'master4.ddnet.tw'
* Closing connection #0
[2021-06-14 09:18:49][http]: task failed. libcurl error: Couldn't resolve host 'master4.ddnet.tw'
[2021-06-14 09:18:49][http]: http https://master1.ddnet.tw/ddnet/15/servers.json
* About to connect() to master1.ddnet.tw port 443 (#0)
*   Trying 172.67.137.130... * connected
* connected
* successfully set certificate verify locations:
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
[2021-06-14 09:18:49][http]: task failed. libcurl error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[2021-06-14 09:18:49][http]: http https://master3.ddnet.tw/ddnet/15/servers.json
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
[2021-06-14 09:18:49][http]: task failed. libcurl error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* getaddrinfo(3) failed for master3.ddnet.tw:443
* Couldn't resolve host 'master3.ddnet.tw'
* Closing connection #0
[2021-06-14 09:18:49][http]: task failed. libcurl error: Couldn't resolve host 'master3.ddnet.tw'
[2021-06-14 09:18:49][http]: http https://master2.ddnet.tw/ddnet/15/servers.json
* About to connect() to master2.ddnet.tw port 443 (#0)
*   Trying 43.128.22.103... [2021-06-14 09:18:50][storage]: failed to remove: /home/dansman805/.teeworlds/ddnet-info.json.30653.tmp
* connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
[2021-06-14 09:18:50][http]: task failed. libcurl error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[2021-06-14 09:18:50][serverbrowse_http]: WARNING: no usable masters found
[2021-06-14 09:18:50][serverbrowse_http]: no working serverlist URL found

The TLS certificate is correct in the browser. Apparently this only occurs with steam-run, but not steam-run-native.

Maybe libcurl can't find the certificate store.

heinrich5991 avatar Jun 14 '21 14:06 heinrich5991

Is that a bug from our side? Seems like it might be a Steam/NixOS issue. Do other Steam games work that use curl?

def- avatar Jun 14 '21 14:06 def-

A hacky way that I managed to somehow make it work: I first created the ddnet-serverlist-urls.cfg file in the .teeworlds directory with a URL that points to a local host static file webserver.

echo "http://0.0.0.0:8000/servers.json" > ~/.teeworlds/ddnet-serverlist-urls.cfg

Then created a script that first downloads the server list JSON file from master1.ddnet.tw/ddnet/15/servers.json and then serves it using an HTTP server. (here I used simple-http-server)

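#!/run/current-system/sw/bin/bash

# Fetch the current server list into the directory that will be served locally.
mkdir -p ~/.teeworlds/serverlist
wget -O ~/.teeworlds/serverlist/servers.json https://master1.ddnet.tw/ddnet/15/servers.json

# Serve the directory in the background and remember the server's PID.
simple-http-server ~/.teeworlds/serverlist &
HTTPPID=$!

# Run the game command passed in by Steam (%command%), keeping arguments intact.
"$@"

# Stop the local web server once the game exits.
kill -9 "$HTTPPID"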

Finally, in the launch options of DDRaceNetwork I added the following:

~/.teeworlds/serverlist/fetchservers %command%

arashsm79 avatar Dec 07 '21 21:12 arashsm79

Still an issue to this day. Looking at /proc/<pid>/maps, it is apparent that Steam Runtime's libcurl is loaded. This can be worked around by enabling Steam Linux Runtime as a compatibility tool for the game.


It sounds like libcurl (or libssl) is not able to find the CA store. On NixOS they are at /etc/ssl/certs/ca-bundle.crt. I tried setting SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt with no luck.

Scrumplex avatar Dec 27 '23 20:12 Scrumplex
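The /proc/<pid>/maps check described in the comment above, as an added example that is not part of the original thread or of DDNet's code: it lists every mapped file whose name starts with a given prefix and flags those that come from a Steam Runtime directory. The sample maps text is constructed, its paths are hypothetical, and treating the substring "steam-runtime" as the marker of a runtime library is an assumption.

```cpp
#include <fstream>
#include <iostream>
#include <set>
#include <sstream>
#include <string>

// Constructed sample of /proc/<pid>/maps content; all paths are hypothetical.
const char *SAMPLE_MAPS =
    "7f1c2a000000-7f1c2a07b000 r-xp 00000000 08:02 1311 /home/user/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0\n"
    "7f1c2a07b000-7f1c2a27a000 ---p 0007b000 08:02 1311 /home/user/.local/share/Steam/ubuntu12_32/steam-runtime/usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0\n"
    "7f1c2b000000-7f1c2b1c0000 r-xp 00000000 08:02 2001 /nix/store/placeholder-glibc/lib/libc.so.6\n"
    "7f1c2c000000-7f1c2c021000 rw-p 00000000 00:00 0\n"
    "7ffd1b1e0000-7ffd1b201000 rw-p 00000000 00:00 0 [stack]\n";

// Returns the distinct mapped files whose file name starts with `prefix`.
std::set<std::string> MappedLibraries(std::istream &maps, const std::string &prefix)
{
    std::set<std::string> result;
    std::string line;
    while(std::getline(maps, line))
    {
        // Line format: address perms offset dev inode [pathname]
        std::istringstream fields(line);
        std::string addr, perms, offset, dev, inode, path;
        fields >> addr >> perms >> offset >> dev >> inode;
        std::getline(fields >> std::ws, path); // the pathname may contain spaces
        if(path.empty() || path[0] != '/')
            continue; // anonymous mapping or pseudo-entry such as [stack]
        const std::string name = path.substr(path.rfind('/') + 1);
        if(name.compare(0, prefix.size(), prefix) == 0)
            result.insert(path);
    }
    return result;
}

// Assumption: Steam Runtime libraries live under a directory containing "steam-runtime".
bool IsSteamRuntimePath(const std::string &path)
{
    return path.find("steam-runtime") != std::string::npos;
}

int main(int argc, char **argv)
{
    // Usage: ./a.out <pid>; without an argument the program inspects itself.
    const std::string pid = argc > 1 ? argv[1] : "self";
    std::ifstream maps("/proc/" + pid + "/maps");
    for(const auto &path : MappedLibraries(maps, "libcurl"))
        std::cout << (IsSteamRuntimePath(path) ? "[runtime] " : "[host]    ") << path << "\n";
    return 0;
}
```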

Still an issue to this day. Looking at /proc/<pid>/maps, it is apparent that Steam Runtime's libcurl is loaded. This can be worked around by enabling Steam Linux Runtime as a compatibility tool for the game.

That sounds like a general problem of Steam Runtime's libcurl on Nix. Why are other games not affected?

heinrich5991 avatar Dec 28 '23 16:12 heinrich5991

Looks like this is caused by https://github.com/ValveSoftware/steam-runtime/issues/52.

@Scrumplex Can you try recompiling the client with the following change? Add the line

curl_easy_setopt(pH, CURLOPT_CAINFO, "/etc/ssl/certs/ca-bundle.crt"); // use the correct path

at the end of the CHttpRequest::ConfigureHandle function in http.cpp.

Alternatively, can you try running Steam with STEAM_RUNTIME_PREFER_HOST_LIBRARIES=0 steam as a workaround?

Robyt3 avatar Feb 18 '24 19:02 Robyt3
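A variant of the CURLOPT_CAINFO change suggested above that probes for a bundle at run time instead of hard-coding one path, as an added example that is not DDNet's code. The names FindCaBundle, CaBundleCandidates and LooksLikeCaBundle are hypothetical, honouring SSL_CERT_FILE at the application level is an assumption of this sketch, and the two default paths are the NixOS locations named in this thread.

```cpp
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

// True if `path` can be read and contains at least one PEM certificate header.
// Missing files, empty files and directories all fail this check.
bool LooksLikeCaBundle(const std::string &path)
{
    std::ifstream file(path);
    std::string line;
    while(std::getline(file, line))
    {
        if(line.rfind("-----BEGIN CERTIFICATE-----", 0) == 0)
            return true;
    }
    return false;
}

// Candidate list: an explicit override first (assumption: the application
// reads SSL_CERT_FILE itself), then the bundle paths mentioned in the thread.
std::vector<std::string> CaBundleCandidates(const char *override_path)
{
    std::vector<std::string> candidates;
    if(override_path && *override_path)
        candidates.push_back(override_path);
    candidates.push_back("/etc/ssl/certs/ca-bundle.crt");
    candidates.push_back("/etc/ssl/certs/ca-certificates.crt");
    return candidates;
}

// Returns the first usable bundle, or an empty string if none is found.
// On an empty result the caller should log and keep libcurl's defaults with
// certificate verification left on, never switch verification off.
std::string FindCaBundle(const std::vector<std::string> &candidates)
{
    for(const auto &path : candidates)
        if(LooksLikeCaBundle(path))
            return path;
    return "";
}

int main()
{
    const std::string bundle = FindCaBundle(CaBundleCandidates(std::getenv("SSL_CERT_FILE")));
    // In the client the result would be passed on as in the line quoted above:
    //   curl_easy_setopt(pH, CURLOPT_CAINFO, bundle.c_str());
    std::cout << (bundle.empty() ? "no CA bundle found" : bundle) << "\n";
    return 0;
}
```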

STEAM_RUNTIME_PREFER_HOST_LIBRARIES=0 steam didn't do it for me. Running the game using Steam Linux Runtime still works fine, though.

I am not sure if the upstream issue applies here, as NixOS symlinks the CA bundle at both /etc/ssl/certs/ca-bundle.crt and /etc/ssl/certs/ca-certificates.crt (the latter being the same as Ubuntu/Debian).

Scrumplex avatar Feb 18 '24 19:02 Scrumplex

Adding CURLOPT_CAINFO as you mentioned does fix it when I run my own builds using steam-run (which uses Steam Runtime).

Interesting :thinking:

Scrumplex avatar Feb 18 '24 20:02 Scrumplex

Sniper runtime on the rc branch fixes this!

Scrumplex avatar Mar 10 '24 14:03 Scrumplex