Dictionary plugin started failing due to certificate issues #807

Closed
NotWearingPants opened this issue Oct 1, 2021 · 8 comments

@NotWearingPants
Contributor

NotWearingPants commented Oct 1, 2021

This started to happen only a couple of days ago.
The dictionary worked fine, but now it shows the following for every query:

image

And in the debug log I'm getting error: certificate has expired.

I tried accessing the dictionary API myself with axios and it works fine.
Their certificate is from 2021-09-10, seems to be by Let's Encrypt which swaps certificates every 3 months.

This also happens with the weather plugin, but not the currency or translation plugins.

Is there some sort of certificate caching going on in Electron/Node/Axios?
Is this happening to you too?

Running "clear caches" didn't help, wiping ueli's entire data folder (%APPDATA%\ueli) didn't help either.

@fedegblack

Yes, same issue on my end.

@dansroot

dansroot commented Oct 1, 2021

The same seems to happen when using the weather plugin (wea?).

@Karan-Munjani

Karan-Munjani commented Oct 2, 2021

@NotWearingPants How can I debug the app, and where can I see the log? I've never worked on Electron but happy to help if I can solve the issue!

@tkohlmeier
Contributor

Seems to be the same issue as here: https://stackoverflow.com/questions/69403020/axios-certificate-has-expired-on-valid-certificate

Probably because Let's Encrypt switched to a new root certificate: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

I don't know which package or component actually causes this, but we'll probably have to wait for an update.

@tkohlmeier
Contributor

tkohlmeier commented Oct 2, 2021

It's already fixed in Electron. But only for the supported versions (12-15). Ueli uses Electron 11, so we need to update to get the fix.

Update: Just tried updating to Electron 12. It works when BrowserWindows are created with webPreferences.contextIsolation: false. And the certificate error is gone then. But we probably should make some changes so that contextIsolation can remain enabled.

@NotWearingPants
Contributor Author

NotWearingPants commented Oct 3, 2021

TL;DR: Let's Encrypt is a big certificate supplier, announced a significant change six months ago. OpenSSL prepared for it but boringssl were like: *surprised pikachu face*. Sadly Electron uses boringssl. We need to update Electron.


I've just spent an hour debugging it and found the core issue only to come back and see you've figured it out, whoops.

The full story:
Let's Encrypt announced in April 2021 that it's going to switch up some of its certificate chain on September 30. Ironically I heard about this in April, but I thought people were fixing it.

But only after it happened people started noticing, and an issue was opened in boringssl, Google's SSL library, and it was fixed the next day.

Electron noticed this earlier and fixed it in main by patching boringssl instead of waiting for them.
They backported the fix to 12.2.1, 13.5.1, 14.1.0, 15.1.0, and 16 beta, but not 11 unfortunately as it is already unsupported.

Electron versions reach end-of-life 10 months after their initial release, and 11 was released on 2020-11-17. When 16 is released on 2021-11-16, Electron 12 will also stop getting updates.

This was a real Y2K situation. lol.


I'm not sure whether to close this and open a new issue for updating Electron, but I'm going to leave this for now.

@NotWearingPants
Contributor Author

> Update: Just tried updating to Electron 12. It works when BrowserWindows are created with webPreferences.contextIsolation: false. And the certificate error is gone then. But we probably should make some changes so that contextIsolation can remain enabled.

I think the best course of action is to update ASAP to fix the dictionary & weather issues, and worry about contextIsolation later.

I've gone over all of Electron's breaking changes up to version 15, and the only ones affecting ueli are contextIsolation which defaults to true since v12, and the remote module which is deprecated since v12 and removed in v14.

ueli specifies enableRemoteModule: true but never uses the remote module anywhere, yet I've tried removing this option and it breaks the renderers entirely. Not sure why, need to debug this later.

So I recommend upgrading to Electron 13 since 14 doesn't work, adding contextIsolation: false, and worrying about security later since this doesn't change anything currently.

Regarding security ueli also has nodeIntegration enabled, which is considered unsafe. Although these safety issues aren't really a concern for ueli IMO, it never executes any code that comes from outside of the app.
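
As an added example (not part of the thread and not ueli's code), the two checks this discussion turns on can be scripted: whether an exact Electron version carries the certificate-chain fix, using the version numbers quoted above, and which of the `webPreferences` settings mentioned here are in a weakened state. The function names and the sample settings object are hypothetical.

```javascript
'use strict';
// Added example; names are hypothetical. Version data is taken from the thread.

// First release on each supported line that carries Electron's boringssl patch.
const FIXED_IN = { 12: [12, 2, 1], 13: [13, 5, 1], 14: [14, 1, 0], 15: [15, 1, 0] };

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`not an exact Electron version: ${version}`);
  return { parts: m.slice(1, 4).map(Number), prerelease: m[4] !== undefined };
}

// Returns 'fixed', 'affected' or 'unknown' for an exact (resolved) version.
function chainFixStatus(version) {
  const { parts, prerelease } = parseVersion(version);
  const major = parts[0];
  if (major < 12) return 'affected';            // 11 and older got no backport
  // The thread names "16 beta" without a build number, so 16 prereleases
  // are reported as unknown rather than guessed.
  if (major >= 16) return prerelease && major === 16 ? 'unknown' : 'fixed';
  const fixed = FIXED_IN[major];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] > fixed[i] ? 'fixed' : 'affected';
  }
  return prerelease ? 'affected' : 'fixed';     // a prerelease sorts before its release
}

// Lists the weakened webPreferences settings discussed in the thread.
function auditWebPreferences(prefs, electronMajor) {
  const findings = [];
  // contextIsolation defaults to true only from Electron 12 onward.
  const isolated = prefs.contextIsolation ?? (electronMajor >= 12);
  if (!isolated) findings.push('contextIsolation is off: preload and page scripts share one context');
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration is on: page scripts can use Node.js APIs');
  if (prefs.enableRemoteModule === true) {
    findings.push(electronMajor >= 14
      ? 'enableRemoteModule is set, but the remote module was removed in Electron 14'
      : 'enableRemoteModule is on: the remote module is deprecated since Electron 12');
  }
  return findings;
}

// Constructed sample resembling the settings described in the thread.
const sample = { nodeIntegration: true, enableRemoteModule: true, contextIsolation: false };
console.log(chainFixStatus('11.5.0'), chainFixStatus('13.5.1'));
console.log(auditWebPreferences(sample, 13));
```

Version ranges from package.json (such as a caret range) should be resolved to the installed version from the lockfile before being passed to `chainFixStatus`.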

@oliverschwendener
Owner

This should be fixed with the latest release.
