SUMMARY Using the flatpak runtime org.kde.Platform/x86_64/6.6 it seems to have issues validating SSL certificates on openSUSE hosts. Other distros running the same runtime do work. org.kde.Platform/x86_64/6.5 (previous release) does not have this issue on openSUSE. STEPS TO REPRODUCE 1. Install or build OBS Studio with runtime org.kde.Platform 6.6 using flathub 2. Add a browser source 3. Notice browser sourceces keep empty 4. On X11 using a browser dock it shows an error: "ERR_CERT_AUTHORITY_INVALID URL: https://obsproject.com/browser-source" OBSERVED RESULT - SSL certificates seem to be broken - This seem to only happen on openSUSE as of now. Tested openSUSE Leap 15.5, openSUSE Tumbleweed, openSUSE Aeon and openSUSE Kalpa - With runtime 6.5 everything works as expected on openSUSE - Tested Ubuntu VM using the OBS flatpak and runtime 6.6 and browser sources do still work - Tested a Ubuntu distrobox on an openSUSE host using the OBS Studio dep package and things do work as well EXPECTED RESULT - SSL certs to be validated SOFTWARE/OS VERSIONS Linux/KDE Plasma: openSUSE Aeon Flatpak runtime org.kde.Platform/x86_64/6.6 KDE Plasma Version: Flatpak runtime org.kde.Platform/x86_64/6.6 KDE Frameworks Version: Flatpak runtime org.kde.Platform/x86_64/6.6 Qt Version: Flatpak runtime org.kde.Platform/x86_64/6.6 ADDITIONAL INFORMATION - This issue cam to my attention during: https://github.com/obsproject/obs-studio/issues/10385
(In reply to vortex from comment #0) > SUMMARY > Using the flatpak runtime org.kde.Platform/x86_64/6.6 it seems to have > issues validating SSL certificates on openSUSE hosts. > Other distros running the same runtime do work. > org.kde.Platform/x86_64/6.5 (previous release) does not have this issue on > openSUSE. > > > STEPS TO REPRODUCE > 1. Install or build OBS Studio with runtime org.kde.Platform 6.6 using > flathub > 2. Add a browser source > 3. Notice browser sourceces keep empty > 4. On X11 using a browser dock it shows an error: > "ERR_CERT_AUTHORITY_INVALID URL: https://obsproject.com/browser-source" > > OBSERVED RESULT > - SSL certificates seem to be broken > - This seem to only happen on openSUSE as of now. Tested openSUSE Leap 15.5, > openSUSE Tumbleweed, openSUSE Aeon and openSUSE Kalpa > - With runtime 6.5 everything works as expected on openSUSE > - Tested Ubuntu VM using the OBS flatpak and runtime 6.6 and browser sources > do still work > - Tested a Ubuntu distrobox on an openSUSE host using the OBS Studio dep > package and things do work as well > > EXPECTED RESULT > - SSL certs to be validated > > > SOFTWARE/OS VERSIONS > Linux/KDE Plasma: openSUSE Aeon Flatpak runtime org.kde.Platform/x86_64/6.6 > KDE Plasma Version: Flatpak runtime org.kde.Platform/x86_64/6.6 > KDE Frameworks Version: Flatpak runtime org.kde.Platform/x86_64/6.6 > Qt Version: Flatpak runtime org.kde.Platform/x86_64/6.6 > > ADDITIONAL INFORMATION > - This issue cam to my attention during: > https://github.com/obsproject/obs-studio/issues/10385 Also I locally build OBS Studio flatpak with runtime org.kde.Platform/x86_64/6.6 which was still broken But building the OBS Flatpak locally using org.kde.Platform/x86_64/6.5 does work again. There seems to be something off with the runtime.
Can you maybe reach out to openSUSE about this issue? I am not sure how we can help you there.
(In reply to Aleix Pol from comment #2) > Can you maybe reach out to openSUSE about this issue? I am not sure how we > can help you there. Probably a good idea yes. Will do. Maybe could someone point me somewhere where I can see what changed from runtime 6.5 to 6.6 so I may be able to better guide the bug report over at openSUSE to what actually changed?
Bug also reported to openSUSE: https://bugzilla.opensuse.org/show_bug.cgi?id=1221557
Response of openSUSE maintainer as of now: Fabian Vogt 2024-03-18 10:14:34 UTC: No idea how flatpak works with SSL certs. It's likely a flatpak or runtime bug, as nothing changed on the openSUSE side.
(In reply to Aleix Pol from comment #2) > Can you maybe reach out to openSUSE about this issue? I am not sure how we > can help you there. Hello there. I tested building OBS Studio using KDE Framework 6 on openSUSE Tumbleweed locally as an RPM package using KDE Frameworks 6 (hence Qt 6.6.2). Form my brief observation the set of KDE libraries shipped with openSUSE Tumbleweed are pretty much the same as those included in the flatpak runtime 6.6. At least judging by just the version numbers. However the native RPM works just fine and has not SSL issues. Also the KDE Runtime 6.5 works fine as well. Simply runtime 6.6 fails for the 3 distributions I tried. It's looking more and more to be an issue with the runtime itself to me? As of why this bug triggers (as of now) only on openSUSE idk though. What's also suspicious is that openSUSE Leap 15.5 also has issues with runtime 6.6 but not with 6.5. Except of that Qt was updated from 6.5 to 6.6 I don't know what's different with both runtimes.
Hm, I did some more testing. Using neochat, which also uses Runtime 6.6 I can connect, and log in. Looking into the logs it also properly connecting to https webpages. Things are getting really strange now. Maybe the embedded chromium OBS Studio uses has issues with runtime 6.6 under certain circumstances?
Just some updates from the issue reported originally to OBS. Since opening this issue, we have confirmed at least 3 more affected distros: Alpine Linux, MX Linux, and Peppermint Linux. All show the exact same symptom and for all of them a runtime-downgraded custom build of our Flatpak worked to get around the issue. Just about 2 weeks ago however we received a comment from one of our users on the issue: https://github.com/obsproject/obs-studio/issues/10385#issuecomment-2177754924 > I solved a SSL error in another flatpak application recently by installing p11-kit-server package. After installing the package, log out and log in or restart the system. In response we had several users confirming this fixed their issue. One also removed the package on purpose to replicate the issue, and they could confirm it. It is still unclear to me why a runtime upgrade would trigger a sudden requirement of said package, but I do wanted to let you know since you likely have more of an idea what to look at. For reference: The aforementioned tester removing the package was on Fedora, and Fedora installs p11-kit-server as a weak dependency with the Flatpak package: https://src.fedoraproject.org/rpms/flatpak/blob/rawhide/f/flatpak.spec#_91 This raises the question whether p11-kit-server should be a hard dependency of Flatpak, or if it is an issue specific to the KDE runtim.
Came across another KDE runtime based flatpak app which does not work due to this (or similar issues) Stremio, uses "runtime-version": "5.15-23.08" and does run into a ERR_CERT_AUTHORITY_INVALID erros. At this point I'd be really glad if someone could look into this issue. :/ Stremio Manifest: https://github.com/flathub/com.stremio.Stremio/blob/master/com.stremio.Stremio.json
I close this issue as it is no longer relevant. p11-kit-server was missing on openSUSEs flatpak package which was added just recently: https://build.opensuse.org/request/show/1192619 therefore the runtime never really was an issue as p11-kit-server should be available on distros alongside flatpak: https://build.opensuse.org/request/show/1192619