[GH-ISSUE #3376] steam: cannot connect to the internet (ca-certificates) #2120

Closed
opened 2026-05-05 08:47:58 -06:00 by gitea-mirror · 17 comments

Originally created by @GreatBigWhiteWorld on GitHub (Apr 22, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3376

"firejail steam" gives me a popup saying I'm not connected to the internet.

I will not post the whole log but I think the key difference when using firejail is this line:

`opensslconnection.cpp (1519) : Assertion Failed: unable to load trusted SSL root certificates`

Second unrelated issue I need to solve is this line:

```
Could not create Vulkan instance :
ERROR_EXTENSION_NOT_PRESENT
```

@rusty-snake commented on GitHub (Apr 22, 2020):

Distro? firejail version? nVidia or AMD GPU? Any custom changes?


@GreatBigWhiteWorld commented on GitHub (Apr 22, 2020):

opensuse leap 15.1
version 0.9.62 from opensuse
nvidia latest version from opensuse
no custom change.


@ghost commented on GitHub (Apr 22, 2020):

> opensslconnection.cpp (1519) : Assertion Failed: unable to load trusted SSL root certificates

The steam profile references both `ca-certificates` and `ssl` in `private-etc` (amongst others) because on most distros /etc/ssl/certs contains symlinks to pem files in /etc/ca-certificates/extracted. That should be enough to load the SSL root certs. Does opensuse have a different way of organizing these files? If so you might need additional entries in private-etc. Easily tested by temporarily commenting private-etc and checking if that changes anything. On a side-note I noticed the private-etc line contains _alternatives_ twice. I'll rectify that in git master but I don't think this is related to your SSL issue.

> Could not create Vulkan instance

We have seen issues with noroot and Vulkan (e.g. #3012). Not sure why exactly, but you can try commenting that as well.
Edit: there's a comment for nvidia in the steam profile, suggesting to ignore nogroups/noroot. Have you tried that yet?


@GreatBigWhiteWorld commented on GitHub (Apr 23, 2020):

Vulkan issue can be solved by commenting out "noroot".
But commenting out "private-etc..." line does not solve the connection problem, and the error `opensslconnection.cpp (1519) : Assertion Failed: unable to load trusted SSL root certificates` is still present.


@ghost commented on GitHub (Apr 23, 2020):

> Vulkan issue can be solved by commenting out "noroot".

Thanks for confirming that. We can add a note to the steam profile to inform users.

> ... commenting out "private-etc..." line does not solve the connection problem

A bit stumped on this one. Please inform us if it works when running `firejail --noprofile steam`. If that works there is something in our profile that needs fixing. If you get the same popup/error with that command the problem lies elsewhere. At the moment I can't think of anything besides `seccomp` that might be causing this, so it would be nice to know if commenting the seccomp line does anything to improve your steam connection troubles.


@GreatBigWhiteWorld commented on GitHub (Apr 23, 2020):

commenting seccomp alone does not work.
--noprofile is the only way steam can launch without problem.


@rusty-snake commented on GitHub (Apr 23, 2020):

I would tend to `include disable-*`. @GreatBigWhiteWorld is anything in the syslog? Can you start it with `--tracelog` and watch the syslog.


@GreatBigWhiteWorld commented on GitHub (Apr 23, 2020):

Tried tracelog with or without --noprofile. I don't see any difference in the system log.
You mean add a line "include disable-*" in the steam.profile?


@rusty-snake commented on GitHub (Apr 23, 2020):

> You mean add a line "include disable-*" in the steam.profile?

No, one (or more) of the disable-… includes disable something that is needed by steam. Try commenting all of them.


@GreatBigWhiteWorld commented on GitHub (Apr 23, 2020):

Tried disabling them two by two, still no connection.


@rusty-snake commented on GitHub (Apr 23, 2020):

No future idea what it could be. Looks like you need to comment option to find it.


@GreatBigWhiteWorld commented on GitHub (Apr 24, 2020):

> No future idea what it could be. Looks like you need to comment option to find it.

Commenting on each line in the steam.profile to try?


@rusty-snake commented on GitHub (Apr 24, 2020):

Yes, comment line for line and try after every comment to find the problematic line.


@rusty-snake commented on GitHub (Jul 16, 2020):

I'm closing here due to inactivity, please feel free to reopen if you still have this issue.


@kevinlekiller commented on GitHub (Nov 8, 2020):

OpenSuse Tumbleweed.

The issue is the files are not available under the `steam.profile`:

Without firejail:

```
$ readlink -f /etc/ssl/certs
/var/lib/ca-certificates/pem
$ readlink -f /etc/ssl/ca-bundle.pem
/var/lib/ca-certificates/ca-bundle.pem
```

With firejail, the links resolve to nothing (overriding /usr/bin/steam with ~/.local/bin/steam that runs a terminal and running `firejail steam`):

```
$ ls /var/lib/
dbus
```

I haven't been able to figure out what in steam.profile prevents the files from showing up in /var/lib I'm guessing it's in one of the includes?


@rusty-snake commented on GitHub (Nov 8, 2020):

> overriding /usr/bin/steam with ~/.local/bin/steam that runs a terminal and running firejail steam

simpler: `firejail --profile=steam bash`

> I haven't been able to figure out what in steam.profile prevents the files from showing up in /var/lib I'm guessing it's in one of the includes?

Hmm `private-etc` contains `ssl` and `include whitelist-var-common.inc` contains `whitelist /var/lib/ca-certificates`. Does `firejail --debug steam` show anything related?


@kevinlekiller commented on GitHub (Nov 8, 2020):

> Hmm private-etc contains ssl and include whitelist-var-common.inc contains whitelist /var/lib/ca-certificates.

[That commit](https://github.com/netblue30/firejail/commit/90a4ca2b1c8785518b37062efa29270514a244fe) indeed fixes the issue, the package on OpenSuse is not using the latest version so doesn't include that fix yet ([it should come soon, it's in review](https://build.opensuse.org/request/show/846925)), I've added it to steam.local for now.

Thanks.
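
The diagnosis reached in this thread (CA-store symlinks in /etc/ssl pointing into a directory the sandbox does not expose) can be checked mechanically. The script below is an added example, not part of the original thread or of firejail; `first_missing` and `check_link` are illustrative names, and it inspects only the first hop of each symlink.

```shell
#!/bin/sh
# Added example: report CA-store symlinks whose targets are not visible
# in the current mount namespace, and name the first missing directory.
# first_missing and check_link are illustrative names, not firejail tools.

# Print the shallowest component of a path that does not exist.
first_missing() {
    p=$1
    missing=
    while [ "$p" != "/" ] && [ ! -e "$p" ]; do
        missing=$p
        p=$(dirname "$p")
    done
    printf '%s\n' "$missing"
}

# Classify one path: returns 0 = resolves, 1 = absent, 2 = dangling symlink.
check_link() {
    link=$1
    if [ -e "$link" ]; then
        echo "OK $link -> $(readlink -f "$link")"
        return 0
    fi
    if [ ! -L "$link" ]; then
        echo "ABSENT $link"
        return 1
    fi
    # Only the first hop is inspected; relative targets are resolved
    # against the directory that holds the link.
    target=$(readlink "$link")
    case $target in
        /*) ;;
        *) target=$(dirname "$link")/$target ;;
    esac
    echo "DANGLING $link -> $target (first missing: $(first_missing "$target"))"
    return 2
}

# Stand-alone use: sh check.sh /etc/ssl/certs /etc/ssl/ca-bundle.pem
for p in "$@"; do
    check_link "$p" || true
done
```

Run from the shell opened by `firejail --profile=steam bash`, a `DANGLING` line names the first directory that is missing inside the sandbox, which is the path the profile has to make visible.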