Introducing wpe-webkit-mir-kiosk snap

snap
82

New update.

Digging a little bit, I found failures related to secure layer reading data from TLS connection has failed: WOULD_BLOCK. So, I moved the video from HTTPS to HTTP connection, and the video was loaded and played. I’m still checking and started to study how snap works.

A piece of log

2021-05-25T19:20:25Z -[12723]: GSocketClient: Starting new address enumeration
2021-05-25T19:20:25Z -[12723]: GSocketClient: Address enumeration succeeded
2021-05-25T19:20:25Z -[12723]: GSocketClient: Starting TCP connection attempt
2021-05-25T19:20:25Z -[12723]: GSocketClient: TCP connection successful
2021-05-25T19:20:25Z -[12723]: GSocketClient: Starting application layer connection
2021-05-25T19:20:25Z -[12723]: GSocketClient: Connection successful!
2021-05-25T19:20:25Z -[12723]: CLIENT[0x560476efa1d0]: Starting asynchronous TLS handshake
2021-05-25T19:20:25Z -[12723]: CLIENT[0x560476efa1d0]: Asynchronous TLS handshake thread starts
2021-05-25T19:20:25Z -[12723]: CLIENT[0x560476efa1d0]: TLS handshake thread starts
2021-05-25T19:20:25Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_HANDSHAKE
2021-05-25T19:20:25Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_HANDSHAKE succeeded
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: verifying peer certificate
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: TLS handshake thread succeeded
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: yielding operation OP_HANDSHAKE
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: Asynchronous TLS handshake thread completed
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: finishing TLS handshake
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: TLS handshake has finished successfully
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: starting to write 306 bytes to TLS connection
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_WRITE
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_WRITE succeeded
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: yielding operation OP_WRITE
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: successfully write 306 bytes to TLS connection
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: starting to read data from TLS connection
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_READ
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_READ succeeded
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: yielding operation OP_READ
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: reading data from TLS connection has failed: WOULD_BLOCK
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: starting to read data from TLS connection
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_READ
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_READ succeeded
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: yielding operation OP_READ
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: reading data from TLS connection has failed: WOULD_BLOCK
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: starting to read data from TLS connection
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_READ
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: claiming operation OP_READ succeeded
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: yielding operation OP_READ
2021-05-25T19:20:26Z -[12723]: CLIENT[0x560476efa1d0]: reading data from TLS connection has failed: WOULD_BLOCK
83

I have been installed wpe-webkit-mir-kiosk and it’s work fine until few days ago on specific url I have TLS error : TLS certificate is expired. but in anther browser like chrome or firefox it’s work…

84

The problem is platforms that trust DST Root CA X3 but not ISRG Root X1

These platforms would have worked up to September 2021 but will no longer validate Let’s Encrypt certificates.

I think that you should update the wpe webkit in your code .

85

… update your base snaps, the certificates come from core, core18 and core20, this is nothing the wpe-webkit-mir-kiosk snap can do anything about, it relies on the cert from its base snap …

86

I have been updated my base snaps, and all upgrade for ubuntu , i have core20 ,also i update “ca-certificates” but it doesn’t work yet.(TLS error)

87

hmm, it looks like core18 has not been updated in the store yet, I i believe wpe-webkit-mir-kiosk uses base: core18 to get the fixed core18 base you can temporary switch to the candidate channel:

sudo snap refresh --candidate core18

once the revision from candidate has landed in stable, you can switch back with:

sudo snap refresh --stable core18
88

I tried and it didn’t work , I still have the TLS error.

89

and these sites work fine in other browsers ? (could well be that the sites simply still use the expired cert) …

90

Yes it’s work on chrome and i tried on firefox on the same ubuntu and it’s work… Other site that have different certificates(NotISRG Root X1) works on the wpe webkit

91

oops, seem i was wrong, for some reason wpe-webkit-mir-kiosk actually ships its own certs instead of using the ones from the base snap:

https://gitlab.com/glancr/wpe-webkit-snap/-/blob/main/snap/snapcraft.yaml#L327

looks like @tobias just needs to trigger a re-build of the snap though (since it pulls the certs from the base snap during build)

EDIT: and it looks like it has already been reported in the bugtracker:

https://gitlab.com/glancr/wpe-webkit-snap/-/issues/27

92

@ogra Thank you for help, @tobias How much time it takes to re-build of the snap ?

93

As a temporary measure I’ve rebuilt and renamed as wpe-webkit-frame-temp which can be installed with:

snap install --edge wpe-webkit-frame-temp

Please don’t rely on this being around for long.

[Update 2021-10-19]

As wpe-webkit-mir-kiosk has been fixed I’ve removed wpe-webkit-frame-temp

94

Thank you,

Are you update us here if you / @tobias rebuild the original snap?

95

If I could have updated the original snap I would have done that.

96

@amirsack @ogra
Sorry for the long silence! I was busy with another project and then on vacation for the last two weeks – bad timing :see_no_evil: I’m currently rebuilding the snap, which will take some time on Raspberry Pi. The new version also no longer bundles its own certificates. Will post here once the builds are finished, uploaded and tested.

97

as a german i was actually guessing that :wink:

98

The amd64 revision 58 is now available on the edge channel. Please test and provide feedback. armhf build en route :slight_smile:

1 Like
99

That fixes the cert problem. Only limited testing beyond that.

1 Like
100

armhf also available on edge.

EDIT: I successfully tested both revisions with https://wpewebkit.org this morning. amd64 rev 58 and armhf rev 59 are now available on all channels.

1 Like
101

Thanks for the updates Tobias!

I’ve a friend who’s using your snap just as a singular display in a lab. I’ve no real experience with the Core ecosystem so he’s currently trialing running on a Raspberry Pi 4, where he has one setup armhf and the other arm64. I’m wondering if the arm64 for wpe-webkit-mir-kiosk build is still supported / is the armhf otherwise preferred? Just by coincidence he’s been impacted by the arm64 version being a few releases older and the web page being hosted becoming incompatible as a result.

(Generally with other unrelated snaps I’m getting the impression armhf is the defacto even for modern Pi’s, since it doesn’t appear there’s any way to install armhf on arm64 Ubuntu Core and armhf favours broader compatibility).