Tuba
[Bug]: Unacceptable TLS certificate returned for multiple instances
Describe the bug
When trying to set up the application to use an instance I only receive the error message "Unacceptable TLS certificate". This happens for many different instances I have accounts on. When viewing the certificate in the browser everything seems to be fine.
Steps To Reproduce
- Open the application
- Enter techhub.social into the Server URL portion
- Hit enter and you see the returned error
Logs and/or Screenshots
G_MESSAGES_DEBUG=Tuba flatpak run dev.geopjr.Tuba
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: os: GNOME 45 (Flatpak runtime)
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: prefix: /app
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: flatpak: true
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: version: 0.6.2 (production)
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: gtk: 4.12.4 (4.12.4)
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: libadwaita: 1.4.2 (1.4.2)
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: libsoup: 3.4.4 (3.4.4)
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.750: Application.vala:207: libgtksourceview: 5.10.0 (5.10.0)
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.752: SecretAccountStore.vala:9: Using libsecret v0.21.2
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.802: SecretAccountStore.vala:92: Loaded 0 accounts
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.802: AccountStore.vala:83: Reset active account
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.802: Application.vala:321: Presenting NewAccount dialog
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.808: NewAccount.vala:78: Reset state
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:23.903: Application.vala:321: Presenting NewAccount dialog
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:30.788: NewAccount.vala:106: Checking instance URL
(dev.geopjr.Tuba:2): Tuba-DEBUG: 12:59:30.790: Network.vala:59: GET: https://techhub.social/api/v1/instance
(dev.geopjr.Tuba:2): Tuba-WARNING **: 12:59:30.864: Network.vala:91: Unacceptable TLS certificate
(dev.geopjr.Tuba:2): Tuba-WARNING **: 12:59:30.864: NewAccount.vala:86: Server returned an error Unacceptable TLS certificate.
Instance Backend
Mastodon
Operating System
PopOS 22.04
Package
Flatpak
Troubleshooting information
No response
Additional Context
No response
I can't reproduce it from my side
- Can curl fetch it?
  curl -I https://techhub.social/api/v1/instance
- Is your device's time and date correct?
- Is your OS up to date?
- Are flatpak runtimes up to date?
- Some solutions from other issues I found on other software about this:
  sudo dpkg-reconfigure ca-certificates, sudo apt install --reinstall ca-certificates
I don't get this error when trying the same instances on the original Tootle project.
To answer your questions:
- Yes I can curl fetch that endpoint on my terminal.
- Time and date are correct for my location:
✗ date
Tue Jan 16 03:28:11 PM PST 2024
- Everything is up to date on my OS. Pop!_OS 22.04 LTS with all apt packages updated.
- Flatpak is up to date for PopOS:
✗ flatpak --version
Flatpak 1.14.4
- Reinstalled ca-certificates but I already had the latest anyway:
ca-certificates is already the newest version (20230311ubuntu0.22.04.1).
Thanks for the info!
On 4. I meant the runtimes, not flatpak itself (flatpak update/flatpak update --user)
I don't get this error when trying the same instances on the original Tootle project.
Tootle uses libsoup 2 while Tuba libsoup 3, chances are the way they handle it is different.
Overall, the issue has little to do with Tuba itself and I'm unable to reproduce it so you are pretty much on your own. If you do find a solution let me know! I'll investigate it further at some point.
Actually, one last thing, could you try the following:
$ flatpak run --command=sh dev.geopjr.Tuba
[📦 dev.geopjr.Tuba ~]$ curl -Iv https://techhub.social/api/v1/instance
For 4, I think I have everything up to date across the board so not really sure. And makes sense if you are using a newer library that it will handle differently.
And here is the output of the commands you gave:
✗ flatpak run --command=sh dev.geopjr.Tuba
[📦 dev.geopjr.Tuba ~]$ curl -Iv https://techhub.social/api/v1/instance
* Host techhub.social:443 was resolved.
* IPv6: 2606:4700:20::ac43:48c3, 2606:4700:20::681a:9d6, 2606:4700:20::681a:8d6
* IPv4: 172.67.72.195, 104.26.8.214, 104.26.9.214
* Trying 172.67.72.195:443...
* Connected to techhub.social (172.67.72.195) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=techhub.social
* start date: Jan 12 06:57:50 2024 GMT
* expire date: Apr 11 06:57:49 2024 GMT
* subjectAltName: host "techhub.social" matched cert's "techhub.social"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://techhub.social/api/v1/instance
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: techhub.social]
* [HTTP/2] [1] [:path: /api/v1/instance]
* [HTTP/2] [1] [user-agent: curl/8.5.0-DEV]
* [HTTP/2] [1] [accept: */*]
> HEAD /api/v1/instance HTTP/2
> Host: techhub.social
> User-Agent: curl/8.5.0-DEV
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
HTTP/2 200
< date: Wed, 17 Jan 2024 01:18:05 GMT
date: Wed, 17 Jan 2024 01:18:05 GMT
< content-type: application/json; charset=utf-8
content-type: application/json; charset=utf-8
< vary: Accept-Encoding
vary: Accept-Encoding
< vary: Origin
vary: Origin
< x-frame-options: DENY
x-frame-options: DENY
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-xss-protection: 0
x-xss-protection: 0
< referrer-policy: same-origin
referrer-policy: same-origin
< x-ratelimit-limit: 300
x-ratelimit-limit: 300
< x-ratelimit-remaining: 298
x-ratelimit-remaining: 298
< x-ratelimit-reset: 2024-01-17T01:15:00.753037Z
x-ratelimit-reset: 2024-01-17T01:15:00.753037Z
< cache-control: max-age=300, public, stale-while-revalidate=30, stale-if-error=86400
cache-control: max-age=300, public, stale-while-revalidate=30, stale-if-error=86400
< etag: W/"9fc227bb6936e2191f38f979adc2a25c"
etag: W/"9fc227bb6936e2191f38f979adc2a25c"
< content-security-policy: default-src 'none'; frame-ancestors 'none'; form-action 'none'
content-security-policy: default-src 'none'; frame-ancestors 'none'; form-action 'none'
< x-request-id: c480af79-327d-4af6-b65c-94a8d542ae38
x-request-id: c480af79-327d-4af6-b65c-94a8d542ae38
< x-runtime: 0.021431
x-runtime: 0.021431
< strict-transport-security: max-age=63072000; includeSubDomains
strict-transport-security: max-age=63072000; includeSubDomains
< x-cached: HIT
x-cached: HIT
< x-source: web1
x-source: web1
< cf-cache-status: DYNAMIC
cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oDXC%2FjCFezh7f%2BfNFOv1BBt%2BysQMU4oJJPWzGREh7hZz4SVBGxQZwfyDcAQJFOMH30vw4zoYjWpm6Pa2iIeOPOBxTUuS0E45eOsJTRt1DHOA1Xwka7JVHn0WfF5La57B"}],"group":"cf-nel","max_age":604800}
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oDXC%2FjCFezh7f%2BfNFOv1BBt%2BysQMU4oJJPWzGREh7hZz4SVBGxQZwfyDcAQJFOMH30vw4zoYjWpm6Pa2iIeOPOBxTUuS0E45eOsJTRt1DHOA1Xwka7JVHn0WfF5La57B"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
server: cloudflare
< cf-ray: 846ac325fc032716-SJC
cf-ray: 846ac325fc032716-SJC
<
* Connection #0 to host techhub.social left intact
If this doesn't help I'll keep playing around to try and find out why it isn't working on my machine. Not exactly sure why.
I'm bitten by this as well, any suggestions appreciated... flatpak on Fedora
If your account is on https://mastodon.sdf.org/ (only result returned when searching your name so it might be wrong!), tell your admins that their SSL certificate expired
@GeopJr, while theirs may be the case I still get the error and techhub.social has a valid cert:
And same goes for others I have an issue with. This is also a Flatpak of Tuba on PopOS 22.04. Some issue with the Flatpak on this Linux flavor and distro?
I really don't know how to debug this, especially since I can't reproduce it or see anything wrong with your setup.
I don't think there's anything wrong with techhub.social's certificate and libsoup's ability to verify it as it works here on my dummy techhub account.
I don't think there's anything wrong with the flatpak as you could access techhub within the sandbox.
I don't think there's anything wrong with your system packages but could be wrong. PopOS 22.04 is, as the version implies, from 2022 though the packages should be kept up-to-date (?)
It's a somewhat common issue it seems and the only suggested solution I see repeatedly is sudo apt install --reinstall ca-certificates which you already did.
Having more info on why it's unacceptable would be nice but there hasn't been any progress on that https://gitlab.gnome.org/GNOME/glib-networking/-/issues/134
This issue https://gitlab.gnome.org/GNOME/glib-networking/-/issues/180 sounds 100% the same as yours but the solutions and investigation do not apply to your case (techhub has SHA-1 from what I can tell)
I got this error for three different instances today...
Can you share them here? Just to make sure it's the same issue or, since it's the first of March, certificates expired
It's merveilles.town, sunbeam.city, and paktodon.asia. I checked, the certs haven't expired. I am running into the error on other flatpaks too though, so it's unlikely this is a problem with Tuba.
I have homebrew installed and came across this bug report: https://github.com/p11-glue/p11-kit/issues/404
I don't know if anyone else on this thread uses homebrew, but this may be the cause of the issue for you.
EDIT: yep, removing homebrew and all homebrew packages from my system fixed the issue
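
A host-side check for the cause found in the last comment, as an added example that is not part of the original thread or of any project mentioned in it: it lists every `p11-kit` executable on `PATH` in lookup order and flags the case where the first hit sits under a Homebrew prefix. It assumes the failure comes from a Homebrew `p11-kit` being found ahead of the distribution's; the function names and the `*linuxbrew*` pattern (Homebrew's default Linux prefix is `/home/linuxbrew/.linuxbrew`) are choices of this example.

```shell
#!/bin/sh
# Added diagnostic example; not part of Tuba, Flatpak or p11-kit.
# Assumption: a Homebrew-installed p11-kit lives under a path matching
# "*linuxbrew*"; pass a different shell pattern as $2 if your prefix differs.

# list_in_path NAME PATHSTRING
# Print every executable called NAME, in the order the PATH string is searched.
list_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# check_p11kit_shadow PATHSTRING [PATTERN]
# Return 0 if the first p11-kit found is not Homebrew's,
#        1 if a Homebrew p11-kit wins the lookup,
#        2 if no p11-kit is on the given PATH at all.
check_p11kit_shadow() {
    pattern=${2:-'*linuxbrew*'}
    first=$(list_in_path p11-kit "$1" | head -n 1)
    if [ -z "$first" ]; then
        echo "no p11-kit executable on PATH"
        return 2
    fi
    case $first in
        $pattern)
            echo "SHADOWED: first p11-kit on PATH is $first"
            echo "all candidates, in lookup order:"
            list_in_path p11-kit "$1" | sed 's/^/  /'
            return 1
            ;;
    esac
    echo "ok: first p11-kit on PATH is $first"
    return 0
}

# Report on the PATH of the current session.
check_p11kit_shadow "$PATH" || true
```

Run it in the same session that launches the Flatpak; a `SHADOWED` result means the Homebrew entries come before the system directories in `PATH`.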