GNU bug report logs

#46829 Let's Encrypt certificate store (le-certs) expired

Package: guix

Message #98 received at 46829@debbugs.gnu.org (full text, mbox, reply):

Date: Tue, 13 Apr 2021 13:44:49 -0400
From: Leo Famulari <leo@famulari.name>
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
Message-ID: <YHXYkTHmMk3FbxMu@jasmine.lan>
References: <871rd0ebd5.fsf@cbaines.net> <877dmrtbvn.fsf@gnu.org>
 <877dm54zk3.fsf@gnu.org> <YHNe5+taYSQI70dt@jasmine.lan>
 <YHOiXP0JJZZej+7H@jasmine.lan> <YHPrv2NdqqaLWh42@jasmine.lan>
 <87zgy2leg9.fsf_-_@gnu.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="CSoFWXpCLyzlrnCo"
Content-Disposition: inline
In-Reply-To: <87zgy2leg9.fsf_-_@gnu.org>
Cc: Christopher Baines <mail@cbaines.net>, 46829@debbugs.gnu.org
[Message part 1 (text/plain, inline)]
On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
> pull’ uses the LE certs, but these certificates expire quite frequently,
> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
> authentication chain from the roots.

No, that's incorrect. The certificates in le-certs expired after 5
years, so it's not frequent.

These are the root and intermediate certificates for the Let's Encrypt
certificate authority — they are not the 90 day certificates used by a
webserver.

The problem is that we (I) failed to pay attention and let our le-certs
package go stale.

> For those who do not have ‘nss-certs’ installed, a workaround is to
> avoid HTTPS:

The original motivation of le-certs was that nss-certs would not be
required, and that `guix pull` would always work. I think we should
still try to achieve this.

>   guix pull --url=http://git.savannah.gnu.org/git/guix.git
> 
> This is fine because the ‘guix’ channel is authenticated anyway.

Yes, that works and is pretty safe, although Guix will complain because
it can't tell that this is the same repo.

> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.

I think we should avoid adding "use insecure connection" options, even
if the code itself is signed.

I'm going to figure out how to subscribe to Let's Encrypt announcements
and I'll report back with ideas about how to avoid a repeat of the
problem.
[signature.asc (application/pgp-signature, inline)]
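The root cause described above is a CA bundle that silently aged out: the le-certs package carried Let's Encrypt root and intermediate certificates whose five-year validity ended, and nothing checked the bundle's notAfter dates. The following script is an added example, not code from the bug report, Guix or the le-certs package. It walks the DER of each certificate in a PEM bundle just far enough to read the Validity field, using only the Python standard library, and flags certificates that are expired or will expire within a warning window (it also reports not-yet-valid certificates and accepts GeneralizedTime as well as UTCTime, so it covers more than the case in this thread). The function names `check_bundle`, `certificate_validity` and `build_sample_certificate` are this example's own; the sample bundle it builds is constructed in-line from X.509-shaped stand-ins with empty names, an empty key and a zero signature, and `NOW` is pinned to this message's date so the run is reproducible.

```python
"""Added example: find expired or soon-to-expire certificates in a PEM bundle,
walking each certificate's DER just far enough to read its Validity field."""
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve

def _parse_time(tag, raw):
    """Decode a Validity time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def certificate_validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert_start, _, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end, _ = _read_tlv(der, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, v_start, v_end = fields[3]
    (t0, s0, e0), (t1, s1, e1) = list(_children(der, v_start, v_end))[:2]
    return _parse_time(t0, der[s0:e0]), _parse_time(t1, der[s1:e1])

def check_bundle(pem, now=None, warn_days=30):
    """Return [(index, not_after, status)] for every certificate in a PEM bundle."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    report = []
    for index, match in enumerate(PEM_RE.finditer(pem)):
        der = base64.b64decode(b"".join(match.group(1).split()))
        not_before, not_after = certificate_validity(der)
        status = ("expired" if not_after <= now else
                  "expiring" if not_after <= horizon else
                  "not-yet-valid" if not_before > now else "ok")
        report.append((index, not_after, status))
    return report

# --- constructed sample input: X.509-shaped stand-ins, not real certificates ---

def _der(tag, content):
    """Encode one DER element, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def build_sample_certificate(not_before, not_after):
    """Stand-in certificate with the given validity, empty names, an empty key
    and a zero signature; it exists only so the example runs offline."""
    def utc(d): return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                 # [0] version: v3
                     + _der(0x02, b"\x01")                           # serialNumber
                     + sha256_rsa                                    # signature algorithm
                     + _der(0x30, b"")                               # issuer (empty Name)
                     + _der(0x30, utc(not_before) + utc(not_after))  # validity
                     + _der(0x30, b"")                               # subject (empty Name)
                     + _der(0x30, b""))                              # subjectPublicKeyInfo placeholder
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

NOW = datetime(2021, 4, 13, 17, 44, tzinfo=timezone.utc)  # pinned to the message date

def demo():
    """Classify a constructed three-certificate bundle against NOW; returns the statuses."""
    bundle = (build_sample_certificate(datetime(2016, 1, 1, tzinfo=timezone.utc),
                                       datetime(2021, 1, 1, tzinfo=timezone.utc))  # stale 5-year root
              + build_sample_certificate(NOW - timedelta(days=355), NOW + timedelta(days=10))
              + build_sample_certificate(NOW - timedelta(days=100), NOW + timedelta(days=900)))
    return [status for _, _, status in check_bundle(bundle, now=NOW)]

if __name__ == "__main__":   # usage: python check_bundle.py [/path/to/bundle.pem]
    import sys
    print(check_bundle(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else demo())
```

Run it with no arguments to see the constructed bundle classified as expired, expiring and ok; pass the path of a real bundle (the le-certs output or a system ca-certificates.crt) to audit it. The parser reads only the Validity field and performs no signature or chain verification, so it is a liveness check for a trust store, not a replacement for TLS validation; running it against the packaged bundle in CI, with a warning window of a month or two, is the kind of check that would have surfaced this bug before `guix pull` started failing.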

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 08:03:29 2024; Machine Name: wallace-server