[Pkg-utopia-maintainers] Bug#1042999: flatpak: remote-add'ing flathub fails with error: SSL peer certificate or SSH remote key was not OK

Steve Mcqueen stevemcqueen at mailinator.com
Sat Aug 5 04:03:48 BST 2023 

Package: flatpak
Version: 1.14.4-1
Severity: important
X-Debbugs-Cc: stevemcqueen at mailinator.com

Dear Maintainer,

>From a new install of Debian bookworm, i'm attempting to install flatpak
and flathub for the first time. I run the remote-add command and get
back an ssl error. example:

$ flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
error: Can't load uri https://flathub.org/repo/flathub.flatpakrepo: While fetching https://flathub.org/repo/flathub.flatpakrepo: [60] SSL peer certificate or SSH remote key was not OK

That flathub URL is a 301 redirect to: https://dl.flathub.org/repo/flathub.flatpakrepo

As far as I can tell there's nothing wrong with the certs on flathub's
end. I tried a few random online SSL validators and they gave no
complaints. The cert isn't expired, and is properly chained. directly 
using curl doesn't seem to complain. Firefox doesn't complain. 
Interestingly, wget DOES complain about the url, saying the certificate
is not trusted. 

Manually downloading the .flatpakrepo file and installing that way gets
a little further, but complains again the same way when trying to
download another metadata file.

So this may not be flatpak related, but maybe something to do with 
ca-certificates or curl or something like that? Expired root CA or
something? This is the edge of my knowledge.

The end result of this is that I cannot use flatpak in Debian bookworm
because I cannot add the main remote repository from flathub.

-- Package-specific info:
Permissions of /usr/bin/bwrap:
-rwxr-xr-x 1 root root 72080 Feb 28 02:38 /usr/bin/bwrap
/etc/sysctl.d/*-bubblewrap.conf:
cat: '/etc/sysctl.d/*-bubblewrap.conf': No such file or directory
/usr/lib/sysctl.d/50-bubblewrap.conf:
# Enable unprivileged creation of new user namespaces in older Debian
# kernels.
#
# If this is not desired, copy this file to
# /etc/sysctl.d/50-bubblewrap.conf and change the value of this parameter
# to 0, then use dpkg-statoverride to make /usr/bin/bwrap setuid root.
#
# For more details see https://deb.li/bubblewrap or
# /usr/share/doc/bubblewrap/README.Debian
kernel.unprivileged_userns_clone=1
/proc/sys/kernel/unprivileged_userns_clone:
1
/proc/sys/user/max_cgroup_namespaces:
126235
/proc/sys/user/max_ipc_namespaces:
126235
/proc/sys/user/max_mnt_namespaces:
126235
/proc/sys/user/max_net_namespaces:
126235
/proc/sys/user/max_pid_namespaces:
126235
/proc/sys/user/max_time_namespaces:
126235
/proc/sys/user/max_user_namespaces:
126235
/proc/sys/user/max_uts_namespaces:
126235

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages flatpak depends on:
ii  adduser                         3.134
ii  bubblewrap                      0.8.0-2
ii  dbus [default-dbus-system-bus]  1.14.8-2~deb12u1
ii  fuse3                           3.14.0-4
ii  libappstream4                   0.16.1-2
ii  libarchive13                    3.6.2-1
ii  libc6                           2.36-9+deb12u1
ii  libcurl3-gnutls                 7.88.1-10+deb12u1
ii  libdconf1                       0.40.0-4
ii  libfuse3-3                      3.14.0-4
ii  libgdk-pixbuf-2.0-0             2.42.10+dfsg-1+b1
ii  libglib2.0-0                    2.74.6-2
ii  libgpgme11                      1.18.0-3+b1
ii  libjson-glib-1.0-0              1.6.6-1
ii  libmalcontent-0-0               0.11.0-4
ii  libostree-1-1                   2022.7-2
ii  libpolkit-agent-1-0             122-3
ii  libpolkit-gobject-1-0           122-3
ii  libseccomp2                     2.5.4-1+b3
ii  libsystemd0                     252.12-1~deb12u1
ii  libxau6                         1:1.0.9-1
ii  libxml2                         2.9.14+dfsg-1.3~deb12u1
ii  libzstd1                        1.5.4+dfsg2-5
ii  xdg-dbus-proxy                  0.1.4-3

Versions of packages flatpak recommends:
ii  ca-certificates                                      20230311
ii  desktop-file-utils                                   0.26-1
ii  gtk-update-icon-cache                                3.24.37-2
ii  hicolor-icon-theme                                   0.17-2
ii  libpam-systemd                                       252.12-1~deb12u1
ii  p11-kit                                              0.24.1-2
ii  polkitd                                              122-3
ii  shared-mime-info                                     2.2-1
ii  xdg-desktop-portal                                   1.16.0-2
ii  xdg-desktop-portal-gtk [xdg-desktop-portal-backend]  1.14.1-1
ii  xdg-desktop-portal-kde [xdg-desktop-portal-backend]  5.27.5-2
ii  xdg-user-dirs                                        0.18-1

Versions of packages flatpak suggests:
ii  avahi-daemon    0.8-10
pn  malcontent-gui  <none>

Versions of packages bubblewrap depends on:
ii  libc6        2.36-9+deb12u1
ii  libcap2      1:2.66-4
ii  libselinux1  3.4-1+b6

Versions of packages bubblewrap recommends:
ii  procps  2:4.0.2-3

-- no debconf information

More information about the Pkg-utopia-maintainers mailing list