GNU bug report logs

#46829 Let's Encrypt certificate store (le-certs) expired

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #114 received at 46829@debbugs.gnu.org (full text, mbox, reply):

Received: (at 46829) by debbugs.gnu.org; 14 Apr 2021 10:50:49 +0000
From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 14 06:50:49 2021
Received: from localhost ([127.0.0.1]:33687 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lWd6f-0001PL-08
	for submit@debbugs.gnu.org; Wed, 14 Apr 2021 06:50:49 -0400
Received: from eggs.gnu.org ([209.51.188.92]:46866)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1lWd6e-0001PA-2F
 for 46829@debbugs.gnu.org; Wed, 14 Apr 2021 06:50:48 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:40168)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1lWd6Y-0000bp-8p; Wed, 14 Apr 2021 06:50:42 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=34840 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1lWd6X-0005W2-1F; Wed, 14 Apr 2021 06:50:41 -0400
From: Ludovic Courtès <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
References: <871rd0ebd5.fsf@cbaines.net> <877dmrtbvn.fsf@gnu.org>
 <877dm54zk3.fsf@gnu.org> <YHNe5+taYSQI70dt@jasmine.lan>
 <YHOiXP0JJZZej+7H@jasmine.lan> <YHPrv2NdqqaLWh42@jasmine.lan>
 <87zgy2leg9.fsf_-_@gnu.org> <YHXYkTHmMk3FbxMu@jasmine.lan>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 25 Germinal an 229 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Wed, 14 Apr 2021 12:50:39 +0200
In-Reply-To: <YHXYkTHmMk3FbxMu@jasmine.lan> (Leo Famulari's message of "Tue,
 13 Apr 2021 13:44:49 -0400")
Message-ID: <87im4pf8cg.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46829
Cc: Christopher Baines <mail@cbaines.net>, 46829@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Hi,

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
>> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
>> pull’ uses the LE certs, but these certificates expire quite frequently,
>> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
>> authentication chain from the roots.
>
> No, that's incorrect. The certificates in le-certs expired after 5
> years, so it's not frequent.
>
> These are the root and intermediate certificates for the Let's Encrypt
> certificate authority — they are not the 90 day certificates used by a
> webserver.
>
> The problem is that we (I) failed to pay attention and let our le-certs
> package go stale.

OK.  5 years still looks kinda “frequent” to me.  I would think that old
software installations (including “appliances”) would live longer than
that, no?

You install Guix on a laptop, you leave it in a drawer, and you come a
few years later and you can neither access HTTPS web sites nor run ‘guix
pull’?

>> For those who do not have ‘nss-certs’ installed, a workaround is to do
>> avoid HTTPS:
>
> The original motivation of le-certs was that nss-certs would not be
> required, and that `guix pull` would always work. I think we should
> still try to achieve this.

OK.

>> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
>
> I think we should avoid adding "use insecure connection" options. Even
> if the code itself is signed.

“Insecure” is a strong word: it still prevents eavesdropping, which is
the only property that matters in the presence of authenticated
channels.

> I'm going to figure out how to subscribe to Let's Encrypt announcements
> and I'll report back with ideas about how to avoid a repeat of the
> problem.

Yes, that’s the better option.  Thank you!

Ludo’.

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 08:22:23 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.