GNU bug report logs

#46829 Let's Encrypt certificate store (le-certs) expired


Message #31 received at 46829@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: Christopher Baines <mail@cbaines.net>
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
References: <871rd0ebd5.fsf@cbaines.net> <877dmrtbvn.fsf@gnu.org>
Date: Wed, 17 Mar 2021 15:36:44 +0100
In-Reply-To: <877dmrtbvn.fsf@gnu.org> ("Ludovic Courtès"'s message of "Mon, 01 Mar 2021 11:19:08 +0100")
Message-ID: <877dm54zk3.fsf@gnu.org>
Hi,

Ludovic Courtès <ludo@gnu.org> wrote:

> Christopher Baines <mail@cbaines.net> wrote:
>
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>>
>> root@horna ~# guix pull
>> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
>> 0.0 MB will be downloaded
>> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>>  le-certs-0  4KiB  1.8MiB/s 00:00 [##################] 100.0%
>>
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> guix pull: error: Git error: the SSL certificate is invalid
>
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Looking at (guix scripts pull), I think that is the case:

  (define (honor-x509-certificates store)
    "Use the right X.509 certificates for Git checkouts over HTTPS."
    (unless (honor-system-x509-certificates!)
      (honor-lets-encrypt-certificates! store)))

By default, 1.2.0 installs ‘nss-certs’, so I would assume such
installations are unaffected, right?

> I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
> certification verification altogether for the ‘guix’ channel?

In hindsight, it seems preferable to keep X.509 authentication for now,
because there are still unauthenticated channels out there and because
it’s a bit tedious to work around it in (guix channels) and (guix git).

I checked the ‘le-certs’ package like so:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build -d le-certs) |grep pem
/gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv
/gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
/gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
$ guix build --check -v1 $(guix gc --references $(guix build -d le-certs) |grep pem)
La jenaj derivoj estos konstruataj:
   /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
   /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
   /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv

building /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem ...
|warning: rewriting hashes in `/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem'; cross fingers
building /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem ...
\warning: rewriting hashes in `/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem'; cross fingers
building /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx4.pem ...
|warning: rewriting hashes in `/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem'; cross fingers
/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem
/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem
/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem
--8<---------------cut here---------------end--------------->8---

AFAICS, everything is up-to-date here.  So I don’t get where the ‘guix
pull’ error above comes from.

Ideas?

Ludo’.
debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 08:24:31 2024; Machine Name: wallace-server
