Outdated certificates for nuget with mono 6.12.0.147 #101

Open
hhyyrylainen opened this issue Jan 21, 2022 · 3 comments

@hhyyrylainen

Just today when I tried to compile Godot 3.4.2 my builds with these containers started failing with this error:

/usr/lib/mono/msbuild/Current/bin/NuGet.targets(131,5): error : Failed to retrieve information about 'EnvDTE' from remote source 'https://api.nuget.org/v3-flatcontainer/envdte/index.json'. [/root/godot/modules/mono/editor/GodotTools/GodotTools.sln]
/usr/lib/mono/msbuild/Current/bin/NuGet.targets(131,5): error :   The SSL connection could not be established, see inner exception. [/root/godot/modules/mono/editor/GodotTools/GodotTools.sln]
/usr/lib/mono/msbuild/Current/bin/NuGet.targets(131,5): error :   Authentication failed, see inner exception. [/root/godot/modules/mono/editor/GodotTools/GodotTools.sln]
/usr/lib/mono/msbuild/Current/bin/NuGet.targets(131,5): error :   Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED [/root/godot/modules/mono/editor/GodotTools/GodotTools.sln]
/usr/lib/mono/msbuild/Current/bin/NuGet.targets(131,5): error :     at /root/mono-6.12.0.147/external/boringssl/ssl/handshake_client.c:1132 [/root/godot/modules/mono/editor/GodotTools/GodotTools.sln]

I remember hearing that nuget announced that they would move to some new Microsoft root certs at some point. Maybe they did? Should these images be updated for example to use Fedora 35 or a newer mono version, would that help?

I already tried pulling in the newest fedora:34 base image and re-running ./build.sh 3.x mono-6.12.0.147 but when compiling Godot 3.4.2 with those freshly made images, it still fails.

@hhyyrylainen
Author

hhyyrylainen commented Jan 24, 2022

Either nuget now uses a different cert (one that works again) or updating the containers to Fedora 35 solves this issue.

Basically the following changes (to the template and the readme):

diff --git a/Dockerfile.base b/Dockerfile.base
index fa2d500..3c0bc1a 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,4 +1,4 @@
-FROM fedora:34
+FROM fedora:35
 
 WORKDIR /root
 
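Review bot: The `FROM fedora:35` line takes whatever image is tagged `fedora:35` locally, so the build result depends on the host's tag state; if matching the official builds matters, reference the base image by its full digest here, or state in the file that the tag is expected to be set as the README describes. Separately, the failing frame in the reported error is inside Mono's bundled BoringSSL (`/root/mono-6.12.0.147/external/boringssl/ssl/handshake_client.c`), and the follow-up in this thread reports the failure recurring on this base and going away with a newer Mono snapshot, so this bump should not be described as the fix for the certificate error.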
diff --git a/README.md b/README.md
index 6e4aed5..11dc71e 100644
--- a/README.md
+++ b/README.md
@@ -69,8 +69,8 @@ Note: The MSVC image (used for UWP builds) does not work currently.
 To be extra-sure that you are building with the same base container image as the official
 builds, you can use:
 
-    podman pull registry.fedoraproject.org/fedora@sha256:sha256:8b01cffca564ca914d5d3c8dc8c6eca12a755ee4d1d898e22e83ad7128fae256
-    podman image tag registry.fedoraproject.org/fedora@abec9a7a7dc6 fedora:34
+    podman pull registry.fedoraproject.org/fedora@sha256:sha256:3059bef432ebb91a6a51d8f5cf20b033041dbddb3cab79628c1eb3412cbde0ae
+    podman image tag registry.fedoraproject.org/fedora@3059bef432eb fedora:35
 
 ### Fedora 34 Host
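Review bot: The new `podman pull` line keeps the doubled `sha256:sha256:` prefix from the line it replaces; a digest reference takes a single `sha256:` before the hex digest, so drop one of them. The `podman image tag` line puts a truncated ID after `@` (`fedora@3059bef432eb`), where a digest reference needs the full `sha256:` digest; use the full digest or the bare image ID as the source instead. The trailing context still shows the heading `### Fedora 34 Host`, so check whether that section of the README still matches the new base.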

Would be the solution to this issue.

Edit: I commented too early, a subsequent build failed, meaning that it was still the case that nuget still randomly gives the old certificate and the previous builds I did happened to succeed. I guess I'll try a newer mono tag version next.

@hhyyrylainen
Author

Second update: now I reverted my change from above and instead used a newer mono snapshot 6.12.0.165 and now I managed to compile all the Godot binaries without any certificate errors. So the solution is probably instead to update the mono version Godot is built with.

@akien-mga
Member

akien-mga commented Jan 24, 2022

Current builds (3.4 and 3.5) are using Mono 6.12.0.158, and I didn't have that issue, so it was likely already fixed in those. Unless the certificates expired in the past few weeks, last build I made was 3.5-beta1 on Jan 13.

akien-mga changed the title from "Outdated certificates for nuget" to "Outdated certificates for nuget with mono 6.12.0.147" on Jan 24, 2022