#couldn't load TLS file database

Hey guys,
I have build my tauri app on ubuntu18 , while running the app on dev mode all good.
But once i build it. I try to run the appimage, i get CORS issue and terminal shows the following messages:

(process:2619): GLib-Net-WARNING **: 05:42:10.093: couldn't load TLS file database: Failed to open file ?/etc/ssl/certs/ca-certificates.crt?: No such file or directory

** (testing:2587): WARNING **: 05:42:34.855: atk-bridge: get_device_events_reply: unknown signature

Help appreciated,
Thank you.

Run this

sudo apt install -y ca-certificates
sudo update-ca-certificates

@edgy grove on build machine before compile?

On the machine where you're running the appimage

Might also need to be ran on the device building the image

It shouldn't be relevant during build because the certificates on the build device shouldn't be added to the appimage

Going to try that. ubuntu 18 has webkit2gtk version 2.32.4, which i have been reading it has some bugs that are fixed on later version.
Do you think its worth compiling webkit2gtk on ubuntu18 is worth it, in order to support older OS?

Do not know if its relevant but tauri app is calling letsencrypt ssl enabled site.

That's what I figured, hence why the first thing to try is updating the CA certificates

what i means is my tauri app is calling an api backend that is using ssl letsencrypt

Yep

I tried on both machines, found out the package already installed

Did you also run update-ca-certificates? It's not enough that it's just installed

Yes

Hmm

Does the /etc/ssl/certs/ca-certificates.crt file exist?

nop

That's strange, it should after the command was ran 🤔

i have ca-bundle.pem

Side question to help me get the big picture, lets assume the problem solved, does that mean, all my tauri.appimage users need to install ca package and then run it to update before actually using my app?

How much do you know about how SSL works?

average

perhabs bellow average

consider me SSL noob if it helps

Lets see if I can sort of summarize it a bit 🤔

A .pem file is a public key from a server that is SSL encrypted (.pem files can be used for other things but we're talking SSL currently)

In order to encrypt your traffic you use the public key of the server in order to encrypt your data so only the server holding the private key can receive the information

But to make sure there's no shenanigans going on with the keys you use a CA, a Certificate Authority, as an extra part of the encryption process

CA certificates are installed on the users system, and they allow a user to communicate with a lot of SSL encrypted sites where they can trust that the end site is who they say they are because the CA is there

What it says you're missing is the CA certificates on your device. In other words, I'm surprised you're able to access pretty much anything that's SSL encrypted right now. There's probably more root certficates elsewhere on your device, but those are like the main ones most systems should have

So in a way, yes, users need to have their CA set up properly, but no they don't technically need that specific package and run stuff to get it

This is a type of thing that's related to their system being messed up basically. If they need to run these commands it's not because your app is missing a dependency or anything like that, it's because their system doesn't have its certificates set up properly to enable proper SSL communication

That's at least the gist of how SSL works, I might have some stuff incorrect, I'm tired and this stuff isn't fresh in my head atm 😅

Well done. I think am getting there.

1. public server has rest-api's SSL enabled using letsencrypt.
2. my machine running my app needs to have the ca-certificates.crt file in order to verify letsencrypt authority, right?

Yep

You are completley fine, i apprecaite your time here, I am trying to figure out things

Going to span fresh vm and test

now getting ** WebKit encountered an internal error**

Very descriptive 😅

I am trying to specify the root cause by gussing before going so deep.
Could it be old version of webkit causing the problem.
Side question:
My understandign of CORS
tauri app needs to "scope": [ "*.*" ]
my res-api enpoint.
and my rest-api endpoit needs to allow
tauri://localhost tauri://localhost/ tauri://localhost/* tauri://localhost.* https://tauri.localhost http://tauri.localhost http://localhost:* https://localhost:*

I mean it could, not sure 🤔 Afaik webkitgtk on ubuntu18 should be working, but I also remember vaguely that for Ubuntu we might need to have 20 as the minimum version for some reason that I can't remember at all... Thinking... Hmmm...

While I have some opinions on that (those are going to be pretty permissive) it's essentially correct yes

I have a feeling that you might need ubuntu 20 for building but what you build on 20 can be used on 18, something like that, quite possibly related to the webkit version available in the default repos

Oh and also, tauri://localhost is what you should need, never like tauri://localhost/*, because the origin isn't supposed to be the entire path requested, just that base domain + port

Buuuut some REST API frameworks can be weird about that

So, you do confirm generally CORS is fine?
leaving me with a task here. lol.
Going to try upgrading libwebkit with some minor versions and see if that helps. else ubuntu20.
I am not sure if building on ubuntu20 going to work on ubuntu18 as the highest available version is 2.32.4

but CORS , do i ahve your confirmation?

Looks fine to me, in the Tauri end you need CSP set up (you wrote "scope" but it's the "csp" field you need to configure) https://tauri.app/v1/api/config#securityconfig.csp and in the REST API you need CORS set up. The CORS you listed should be all you need afaik and a bit extra

"security": { "csp": null },

And afaik the AppImage version should work because it packages the webview then from ubuntu 20. The .deb however might fail

Going to do some testing

null should be fine?

Not sure you can use null for that to disable it 🤔 Though "csp": "default-src *" should work

Ofc I gotta hit you with the "OH DEAR PLEASE GOD DON'T NOOooooo...." on using such a permissive CSP, but I'm tired so won't press it 😅

TODO: Extra reading here

Unacceptable TLS certificate compiled on ubuntu18 run on tumbleweed latest

Shot in the dark, your system time is correct, right?

Like it doesn't say it's like 2022 or something

My system time is correct and current, but i personnaly might be an overdone

Hmmmmmmmm... I mean if the TLS certificate is unacceptable I can only think of running sudo update-ca-certificates again then double triple checking that your REST API is actually properly set up to use your SSL certificate

rest-api is being nginx-reverse-proxy and i am 100% sure its working as intended.
I am going to test .deb compiled on 18 and see if itworks on 22. the result should provide some directions i guise

.deb compiled on 18 works on 22.
now going to compile 20 and see if it works on 18 appimage wise

i only glanced over your messages so apologies if i miss something you said already, but in general here's what's going on: AppImages

AppImages will be the death of me i'm not even kidding

anyway, certificates are just broken in appimages right now if the build and target systems differ

because lo and behold, Linux is being Linux again so the location of the certificates is different across distros, and often across distro versions

I also tried copying the certs into the appimage, which is generally super bad but i thought it may be the easiest solution but i couldn't make it pick them up

same for telling it about common known system paths, didn't want to use them either.

Yea certs should definitely not be copied over

@copper meteor I figured I'd sit down for a while and see if I can't make heads or tails of AppImages and share the headache, is this where the main source of your pain resides?
https://github.com/tauri-apps/tauri/blob/dev/tooling/bundler/src/bundle/linux/appimage.rs
https://github.com/tauri-apps/tauri/blob/dev/tooling/bundler/src/bundle/linux/templates/appimage

maybe a necessary evil though, we'll see.

Also somewhat relevant: https://github.com/openssl/openssl/issues/7481

and yes, i tested the ssl_cert_file/ssl_cert_dir too and couldn't make it work and after hearing that it didn't work for them either i gave up pretty quickly.

though i do have it on my todo list to try cert_file again because they only said cert_dir didn't work

well, that's the nice parts i think. like tauri's entrypoints

the pain resides in the appimage format and its ecosystem itself i'd say.

or maybe that's a bit unfair since it works for many usecases, but at least not for those using webkitgtk

my main headache starts with the fact that because of webkitgtk we can't really go with the "build on the oldest system you want to support" approach. for that we're too dependent on new webkitgtk releases, especially in v2

Also, most of the pain i experiences lately was researching linuxdeploy alternatives, but i couldn't make webkitgtk work in them at all (btw, we also have to binary patch the webkitgtk libs for them to work in linuxdeploy appimages too)

Alright, I'll dive into it and see what happens 🙂 Gotta fix the .deb packages as well anyway so yay, reading technical specifications!!

Hey guys, I am enjoying this conversation.
Personally my test has failed so far. I should be able to provide more info in the next couple of hours.
Appimage seems to be the only good solution for cross-platform at least how i see it. it saves me time build on one old OS and have it work on all newer once's, but only if could make it work.
Side-questions; I noticed next to deb output there are source files which containes the binary of my app, would it be possible to do a manual rpm using that binary, or there is more to it?

I've never built RPM but i know some users have done it manually, not sure if they used that approach, I'm more of a .deb kind of guy 🙂

using that binary, or re-using the .deb which we also do for the appimage should be enough yeah. There's also a wip pr https://github.com/tauri-apps/tauri/pull/5202

I am back any update on this?

compiled on u20 run on latest tubleweed i get Network Error that is all axios is returning

compiled on 20 works on u22

talking appimage wise

Not really any updates yet, no. For me to provide anything useful I'll first have to get into how our AppImage stuff is set up, read up on specifications, fiddle with the code a bit to understand it, then I can start trying to add anything meaningful to it, which will only be actually meaningful once I've set up a minimal reproduction of your issue

So if you'd like to speed this along a bit you could help me with setting up a minimal repro

I will see what i can do. Are you aware of any tauri example that i can start with to make the required changes and then sahre it?

Never mind am starting new fresh app, will add axios, some fake api call and see if it reprecuice then will share it

Yea you can just do npx create-tauri-app@latest --alpha (alpha because then it's v2 and I'd prefer fixing it for v2)

Then whatever template works for you works for me

But that does not mean we will face the same issue. It could be for the current version only.

v2 shouldn't have anything that's breaking in terms of the AppImage bundler

Should be more or less the same code

ok

but only because the appimage bundler is broken and copies both 4.0 and 4.1 webkitgtk binaries loool

btw, the repro is really just, build an app on one system, copy it to another, try to fetch a https side

simple as that

it's not a new issue so if you have any questions i can see if i can find my notes about it if i've made any

Sounds good I am doing that

Yes but this way I have someone else confirming that it's set up to fail 😅

maybe i should try the ssl_cert_file prop again today/tomorrow so you don't have to get depression look too much into appimages

i wouldn't even wish that my enemies

is that even a saying in english?

Yes it is 🙂

I wouldn't even wish AppImages upon my worst junior developers

Just realized I gotta set up two new VMs to test this properly, one for ubuntu 18 and one for ubuntu 20. Fun!

Lol my pc died this morning doing same thing, got stuck installing tauri0cli on them for 2 hours

What are you using to spin vms? I am using a mix vbox and lxd

I'm using VMWare Workstation

got any other existing vms?

doesn't have to be ubuntu

though i do wonder why 18 and 20 differ, they use the same openssl version and i don't get why they would change the paths just for funsies

Fedora and Nobara, yea I could use those, but if I'm gonna be actually doing some developing inside the VM's I'm gonna need an at least somewhat proper setup

    Updating crates.io index
error: failed to select a version for `tauri`.
    ... required by package `tauri-app v0.0.1 (/home/devs/tauri-testing-api/src-tauri)`
versions that meet the requirements `^2.0.0-alpha` are: 2.0.0-alpha.9, 2.0.0-alpha.8, 2.0.0-alpha.7, 2.0.0-alpha.6, 2.0.0-alpha.5, 2.0.0-alpha.4, 2.0.0-alpha.3, 2.0.0-alpha.2, 2.0.0-alpha.1, 2.0.0-alpha.0

the package `tauri-app` depends on `tauri`, with features: `http-all` but `tauri` does not have these features.

I am new to tauri on npx, any thing needs to be done?

I think you ran the command wrong

create-tauri-app is one word

When you use npx

npx create-tauri-app@latest --alpha .

true true. but building on ubuntu and running on fedora should repro the issue too, that was what i use(d) most of the time

[package]
name = "tauri-app"
version = "0.0.1"
description = "A Tauri App"
authors = ["you"]
license = ""
repository = ""
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[build-dependencies]
tauri-build = { version = "2.0.0-alpha", features = [] }

[dependencies]
tauri = { version = "2.0.0-alpha", features = ["http-all"] }
tauri-plugin-window = "2.0.0-alpha"
tauri-plugin-shell = "2.0.0-alpha"
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"

[features]
# this feature is used for production builds or when `devPath` points to the filesystem
# DO NOT REMOVE!!
custom-protocol = ["tauri/custom-protocol"]

{
  "name": "tauri-app",
  "private": true,
  "version": "0.0.0",
  "type": "module",
  "scripts": {
    "dev": "vite",
    "build": "vite build",
    "preview": "vite preview",
    "tauri": "tauri"
  },
  "dependencies": {
    "vue": "^3.2.45",
    "@tauri-apps/api": "^2.0.0-alpha.4",
    "@tauri-apps/plugin-window": "^2.0.0-alpha.0",
    "@tauri-apps/plugin-shell": "^2.0.0-alpha.0"
  },
  "devDependencies": {
    "@vitejs/plugin-vue": "^4.0.0",
    "vite": "^4.2.1",
    "@tauri-apps/cli": "^2.0.0-alpha.9",
    "internal-ip": "^7.0.0"
  }
}

Run npx create-tauri-app --version

Because your Cargo.toml looks different from mine

is this the version 2.0.0-alpha

Actually now that I think about it, just create a v1 repro instead

It's probably quicker and easier for me to upgrade a v1 template you make to v2 than it is for you to set up a v2 project if things like that are gonna be annoying

Re-creating ..

(the latest version of v2 removed the allowlist and changes how we handle features quite a bit)

thanks for making me looking into it again btw (even though you didn't ask me lol) i just noticed that linuxdeploy does have a flag to specify a custom AppRun (which we'll need for this issue too) which i can probably use to fix the libfuse issue without waiting for the ecosystem to switch default AppRuns 🤔

It's so pretty

Btw speaking of certificates, do you not run apt upgrade very often?

Done setup, going to compile on u20 and run on tublweed altest to see if it repreduice

same error , compiled on u20, run on latest tumbleweed

sharing source code in a sec

https://github.com/uwejan/testing-https-appimage

not much there, default setup, plus allowing CORS + axios fetching from https.

once axios failes, error catched and displayed on screen. Sorry for takling lazzy way not enabling debug

@edgy grove Please let me know if you need me to do anything here

Awesome, thanks! ^^

Will do 🙂

can you try running the appimage via SSL_CERT_FILE="/etc/ssl/ca-bundle.pem" ./app.appimage

if that was the path where the file was

onit

The path you mentioned is correct. same error message though

Found it guys
@copper meteor @edgy grove

It is working.

The timing, I literally just got everything set up 😂

How'd you solve it?

Yesterday while Simon trying to help the path /etc/ssl/certs/ca-certificates.crt is missing crt file.
So i been reading docs on certs extra. to find out /etc/ssl/certs/ca-certificates.crt is just a link of /etc/ssl/ca-bundle.pem

now opensuse tumbleweed for some reason is not creating the file even if i run sudo update-ca-certificates

so before i was all confident it is not the issue

but after hours 4 hours reading i figured it just now

sudo ln -s /etc/ssl/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt

because every distro places the file somewhere else because consistency is not a thing in linux land

is the command you need to create the missing file

cool that this works for you, but that's the thing, it will only work for you. If you ship your appimage to other users it still won't work

and the appimage can't create that link automatically either because of sudo

Sad but true

Linux is very consistent... Consistently inconsistent 😅

Ok now we know where the issue is i guiose

and that path only works becuase you built on ubuntu where the cert is in that path. If you build on opensuse and run the app on ubuntu (if glibc would allow that), the paths would be swapped

meaning it would look for ca-bundle.pem on ubuntu

which also likely doesn't exist

OMG. its a loop, is this the matrix movie???

yeah but a really bad one

it's also a double loop, because problems like these always repeat themselves x)

https://tenor.com/view/linux-gnu-kernel-kernellinux-linuxkernel-gif-25835995

I am just sharing my thoughts out loud, would it make a sense of we could tell app-image, hey if you can not find ca here you find it here

that's what the SSL_CERT_FILE env var is for

and SSL_CERT_DIR

the latter just doesn't work for anyone

@edgy grove @copper meteor Thanks alot for all the time you guys spent here with me 🙂

and FILE is supposed to work but it doesn't work for us for some fucking reason

i'll try the custom apprun again

I am thinking about the code that is fetching this env var, we could put the 2 strings into an array and tell it to try them

i spent my first 3 months of my current employment researching appimage bullshit so i will be really really mad if i or simon can make it work now

If you wanna be real dirty about it you could create a list of all the locations for distros you support and then prompt for sudo from the user to create the link, but that's a very dirty workaround

since its constant string either 1 or 2

yeah, that part is easy

well, more like 10 but the idea is the same

right, do you guys know ehich part of the code responssible for this

doesn't exist yet

I mean if you could save me hours of reading

we use the default AppRun

let me try a scuffed version of it real quick, don't wanna make you waste your time if the env var above didn't work

sudo is not an option, why do you even need it the location allows read access for non-sudo users

simon was talking about the symlinks

I mean worst case story, is to make some jenkins jobs with ton of containers compiling for each OS version.

You need sudo to create the link since the location doesn't allow non-root write

Yup true, i get it now, i thought you were talking about read not actually creating the missing file link. you are right.

but ireally do not want to go that route, its depressing.

I mean maybe will do lighter setup for 32bit support, but i think it is not really worth it as in general the support for 32bit is decreasing

https://tenor.com/view/mr-bean-waiting-still-waiting-gif-13052487

me waiting for linuxdeploy to compress the appimage

alrighty, can you remove the symlink again and run this one? https://cdn.fabianlars.de/tauri/mwt-apprun.AppImage

(file's too big for discord)

i compiled on ubuntu 2204 so hopefully that won't give us glibc problems

i mayyy have messed up, i can't even start that myself lol

gonna try the fedora path too real quick

I'm so tired right now I actually managed to beak the Ubuntu 18.04 version while trying to fix installing Node.js. Pro tip, don't tell dpkg to install libc6 from a future version of Ubuntu, and ignore its warnings that this is going to break the computer

linus (from yt, not linux) is that you?

i can't believe it, the tauri::Builder was still commented out holy fuck

Welp this was enough Linux for me today, gonna take a fresh look at it tomorrow when I have the strength to set up things without trying to forcibly jam a square into a circle

did not work

^

appimage was broken

but it still didn't work on fedora for me after uncommenting it so gonna try to figure out what's happening

If you have the template maybe i can play with it too

Maybe you should try lxd if your aim to run u20 + they have not 18 which i plan on using vbox for it to test if appimages working there

not at the stage where i can share something rn. it's not that simple since we have to provide a custom apprun and that can break stuff too

gonna get back to you when i do have something

Got it. good work 🙂

you can also customize your own image, logins ..etc have not done that for u18 which i hope somebody already did the image for

Still doesn't work even though i use the exact same thing the other projects use. I must do something wrong i also did wrong the last time(s) i tried this. Gonna call it a day though but circle back to it tomorrow and try to give you guys a starting point too.

Thank you, sometimes all what you need is a breack from the screen

compiled on u20 run on u18 deos not work. appimage wise.

That's the glibc stuff i mentioned earlier

And why you have to compile on the oldest system you want to support

In theory there are solutions for that but so far they always broke webkitgtk

Kinda funny that's the exact same library that accidentally ruined my 18.04 VM 😂

I am confused

And you expect me to un-confuse you? 😅

I am the confusion x)

I reacll Simon telling me compiling on u20 should run on u18 appimage

compiled on mac throughs huge report
`
System Integrity Protection: enabled

Crashed Thread: 0 main Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fbfa486ffc0
Exception Codes: 0x0000000000000002, 0x00007fbfa486ffc0

Termination Reason: Namespace SIGNAL, Code 10 Bus error: 10
Terminating Process: exc handler [34355]

VM Region Info: 0x7fbfa486ffc0 is in 0x7fbfa485f000-0x7fbfa4900000; bytes after start: 69568 bytes before end: 589887
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
MALLOC_TINY 7fbfa485e000-7fbfa485f000 [ 4K] rw-/rwx SM=PRV
---> MALLOC_TINY 7fbfa485f000-7fbfa4900000 [ 644K] rw-/rwx SM=COW
MALLOC_TINY 7fbfa4900000-7fbfa4a00000 [ 1024K] rw-/rwx SM=PRV

Thread 0 Crashed:: main Dispatch queue: com.apple.main-thread
`

Assuming it gets built properly, that's kinda what AppImage is meant to be, bundling all your dependencies in a way where it doesn't matter so much where it gets ran. Clearly however the headache to put that into practise is greater than what was promised when it was first announced 😅 Cross versions of the same distro is effectively the same as cross distro support, if you can use a u20 appimage on for example fedora 38 then it should work on u18 as well, depending on how much the appimage depends on system dependencies, which again what I was promised back when appimage was introduced was the ability to package your dependencies in a way where you could get around all such things 😅

Informative 🙂

appimage compiled on u18 run on u18
NetworkError

I am pulling my hair now

Same for .deb

.deb fails when you move it between machines? That makes no sense 🤨 AppImage, sure, but .deb shouldn't fail unless there's something wrong in your code

I got this problem with .dep

Looks like ca-certs problem.
If you already have the setup from earlier please go ahead and test it.

Looks to me like a simple CORS error from that API

check tauri.conf.json, did not we already enable wild card cors

Either that or libgiognomeproxy is missing

CORS and CSP are different things

Related, but different

CORS is on the server, CSP is on the client

"http": { "all": true, "request": true, "scope": [ "https://*.*" ] }

is not this wild-card

It is, for the CSP rules on the client, I'm saying the remote server seems to be rejecting the connection when you're using the origin tauri://

The remote server probably just has https://* or something like that

do you have a rest api arround that you can test with?

to eleminate the possibility that jsonplaceholder is causing cors

No but I can set up a small actix-web https rest api for testing purposes, it's just... I've slept literally like 3 hours in the past 32 hours, and been to a funeral, I'm exhausted 🙃 So I'd prefer setting up a testing api once this nasty case of insomnia lets go of me

I am sorry to hear that. Be well please, no rush at all.

Yeah, get well bud!

And for the cors issue. You can use tauri's http api instead (that's the thing the Allowlist is actually for). cors issues were one of the main reasons for it to exist

Hey guys, any update on this?