Resonite Infrastructure Uses Mono Incompatible SSL Certificates #724

Closed
Nammi-namm opened this issue Nov 17, 2023 · 6 comments
Labels
bug Something isn't working as intended.

Comments


Nammi-namm commented Nov 17, 2023

Describe the bug?

Basically Mono has a garbage SSL certificate store and doesn't work properly with Let's Encrypt, at least not reliably. The workaround for this is to either A) not use Mono or B) use any SSL certificate other than Let's Encrypt. Actual SSL certificates are stupidly cheap these days so that shouldn't be an issue; alternatively, there's a handful of free SSL providers now (some even compatible with certbot) that could be used instead, none of which have this issue (that I'm aware of).

To Reproduce

Use a Linux server running Mono. You'll see errors like:

Exception running PUT request to https://skyfrost-archive.resonite.com/assets/(redacted). Remaining retries: 6. Elapsed: 3.88s
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> 
System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

... resulting in those connections outright failing.

Expected behavior

For the connection to succeed.

Screenshots

No response

Resonite Version Number

Beta 2023.10.19.620

What Platforms does this occur on?

Linux

What headset if any do you use?

No response

Log Files

Headless log showing the issue:

headless.log

Additional Context

Tangentially, this is also why https:// links to some content outside of Neos/Resonite in worlds didn't work, again I assume due to the use of Mono, so it's all round best that anyone also hosting content for the game outside of the platform itself also avoid using Let's Encrypt.

Reporters

Enverex @Enverex

Nammi-namm added the bug label Nov 17, 2023
@shadowpanther

The way this is fixed for my Headless image:

https://github.com/shadowpanther/resonite-headless/blob/97868888c43a903a2c47d54711c2103e8d99fe90/Dockerfile#L36C1-L37

# Fix the LetsEncrypt CA cert
RUN sed -i 's#mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf && update-ca-certificates
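
An idempotent form of the workaround above, as an added example that is not part of the original comment or the linked Dockerfile: in `/etc/ca-certificates.conf` a leading `!` deselects an entry, and the `sed` substitution above would turn it into `!!` if applied a second time. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent deselection of a CA entry in a
# ca-certificates.conf-style file. Function names are illustrative.

# Print the state of ENTRY in CONF:
#   enabled    - listed as-is, so update-ca-certificates trusts it
#   deselected - listed with a leading "!"
#   absent     - not listed at all
ca_entry_state() {
    conf=$1 entry=$2
    # -F: literal match (no regex), -x: whole line, -q: quiet
    if grep -Fxq "!$entry" "$conf"; then
        echo deselected
    elif grep -Fxq "$entry" "$conf"; then
        echo enabled
    else
        echo absent
    fi
}

# Deselect ENTRY only when it is currently enabled, so repeated runs
# never produce "!!entry".
# Returns 0 if CONF was changed, 1 if nothing to do, 2 on I/O failure.
deselect_ca_entry() {
    conf=$1 entry=$2
    [ "$(ca_entry_state "$conf" "$entry")" = enabled ] || return 1
    tmp=$(mktemp) || return 2
    # awk compares whole lines literally; writing back with cat keeps
    # the original file's owner and mode.
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
}

# Demo on a constructed sample file (not a real system file).
demo=$(mktemp)
printf '%s\n' '# constructed sample' \
    'mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$demo"
deselect_ca_entry "$demo" mozilla/DST_Root_CA_X3.crt && echo "changed"
deselect_ca_entry "$demo" mozilla/DST_Root_CA_X3.crt || echo "second run: unchanged"
ca_entry_state "$demo" mozilla/DST_Root_CA_X3.crt
rm -f "$demo"
```

On a Debian or Ubuntu based image, call `deselect_ca_entry /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt` as root and run `update-ca-certificates` afterwards, as the Dockerfile line does.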

@Frooxius
Member

Unfortunately neither A) nor B) are viable solutions right now.

A) On Linux, you need to use Mono to run the server. We will switch to .NET 8+ at some point, but that's not a quick solution.
B) The Skyfrost Archive service for R2 buckets is managed by Cloudflare and we don't control the certificates they use.

In absence of any other solutions you might just need to update your Mono certificates to work around this.

shiftyscales removed their assignment Jan 13, 2024

win189 commented Jan 19, 2024

Any updates on this issue?

@shiftyscales
Collaborator

Everything Frooxius said above is still current, @win189. We've not yet moved over to .NET 8+, and as he indicated, we don't control which certificates Cloudflare use.

"In absence of any other solutions you might just need to update your Mono certificates to work around this."

@stiefeljackal

Since the Headless Client, also known as the Headless Server Software, is now on .NET 8, this issue should be resolved now, correct?

@shiftyscales
Collaborator

This issue should have been implicitly resolved by #2265.
