unofficial mirror of bug-guix@gnu.org 
* bug#39615: LetsEncrypt root certificate hash changed
@ 2020-02-15 15:33 Christopher Baines
  2020-02-15 16:22 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  0 siblings, 1 reply; 6+ messages in thread
From: Christopher Baines @ 2020-02-15 15:33 UTC (permalink / raw)
  To: 39615



~$ guix pull
building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv...
building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem...
-sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem:
  expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
  actual hash:   1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92
hash mismatch for store item '/gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem'
build of /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv failed
View build log at '/var/log/guix/drvs/1r/2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv.bz2'.
cannot build derivation `/gnu/store/lv78345x77bv6103l9ssqkx4l3v7z0xj-le-certs-0.drv': 1 dependencies couldn't be built
guix pull: error: build of `/gnu/store/lv78345x77bv6103l9ssqkx4l3v7z0xj-le-certs-0.drv' failed


* bug#39615: LetsEncrypt root certificate hash changed
  2020-02-15 15:33 bug#39615: LetsEncrypt root certificate hash changed Christopher Baines
@ 2020-02-15 16:22 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2020-02-16  8:26   ` Christopher Baines
  0 siblings, 1 reply; 6+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-02-15 16:22 UTC (permalink / raw)
  To: 39615-done


[-- Attachment #1.1: Type: text/plain, Size: 811 bytes --]

Chris,

Christopher Baines writes:
> ~$ guix pull
> building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv...
> building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv...
> downloading from https://letsencrypt.org/certs/isrgrootx1.pem...
> -sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem:
>   expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>   actual hash:   1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92

Thanks!  I ran into this issue myself and updated the hashes in 
505b2631a9c35bbaa5ba6771ad4f646086f23cad.

One'd assume this to be caused by a tweaked expiry date somewhere, 
but the ‘contents’ of both old and new PEM files is actually the 
same:


[-- Attachment #1.2: Type: text/plain, Size: 7055 bytes --]

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
    Signature Algorithm: sha256WithRSAEncryption

[-- Attachment #1.3: Type: text/plain, Size: 58 bytes --]


I don't know what to make of that.

Kind regards,

T G-R
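
Added example (not part of the original thread and not Guix code): a check that separates "the bytes of the downloaded .pem changed" from "the certificate changed", following the observation above that the decoded certificate was identical while the file's sha256 differed. The sample DER bytes and the LF/CRLF difference are constructed for illustration; the thread does not say what actually changed in the file.

```python
import base64
import hashlib
import re

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"  # nix-base32 alphabet (no e, o, u, t)

def nix_base32(digest: bytes) -> str:
    """Render a digest in the nix-base32 form used in the mismatch message."""
    value = int.from_bytes(digest, "little")
    n_chars = (len(digest) * 8 - 1) // 5 + 1
    return "".join(NIX_B32[(value >> (5 * n)) & 31] for n in reversed(range(n_chars)))

def pem_to_der(pem: bytes) -> bytes:
    """Decode the first CERTIFICATE block, ignoring line endings and wrapping."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def compare(old_pem: bytes, new_pem: bytes) -> dict:
    """Tell a byte-level change of the file apart from a change of the certificate."""
    old_file, new_file = (hashlib.sha256(p).digest() for p in (old_pem, new_pem))
    old_der, new_der = (hashlib.sha256(pem_to_der(p)).hexdigest()
                        for p in (old_pem, new_pem))
    return {
        "file_hash_changed": old_file != new_file,   # what the fixed-output check sees
        "certificate_changed": old_der != new_der,   # what a trust decision needs
        "old_file_hash": nix_base32(old_file),
        "new_file_hash": nix_base32(new_file),
        "der_sha256": new_der,
    }

def encode_pem(der: bytes, newline: bytes) -> bytes:
    """Helper for the constructed samples: wrap DER as PEM with a given line ending."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join([b"-----BEGIN CERTIFICATE-----", *lines,
                         b"-----END CERTIFICATE-----", b""])

# Constructed stand-in for certificate DER bytes (not a real certificate).
SAMPLE_DER = bytes(range(200))
OLD_PEM = encode_pem(SAMPLE_DER, b"\n")      # constructed: LF line endings
NEW_PEM = encode_pem(SAMPLE_DER, b"\r\n")    # constructed: same payload, CRLF

if __name__ == "__main__":
    for key, value in compare(OLD_PEM, NEW_PEM).items():
        print(f"{key}: {value}")
```

When `file_hash_changed` is true and `certificate_changed` is false, the pinned hash needs updating but the trust anchor itself is the same certificate.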


* bug#39615: LetsEncrypt root certificate hash changed
  2020-02-15 16:22 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-02-16  8:26   ` Christopher Baines
  2020-02-16  9:52     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  0 siblings, 1 reply; 6+ messages in thread
From: Christopher Baines @ 2020-02-16  8:26 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 39615



Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> Chris,
>
> Christopher Baines writes:
>> ~$ guix pull
>> building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv...
>> building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv...
>> downloading from https://letsencrypt.org/certs/isrgrootx1.pem...
>> -sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem:
>>   expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>   actual hash:   1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92
>
> Thanks!  I ran into this issue myself and updated the hashes in
> 505b2631a9c35bbaa5ba6771ad4f646086f23cad.

Great, thanks.

However, while this change might avoid the problem with guix pull in the
future, I'm still a bit stuck. I got this from a fresh install of Guix on
the Overdrive machine I have (aarch64-linux).

I'm hoping that I'll be able to install git and the Guix dependencies,
download the repository, and then get a newer version of Guix that way,
but I'm guessing this will still be a problem for other aarch64-linux
machines unless there's a substitute out there somewhere.


* bug#39615: LetsEncrypt root certificate hash changed
  2020-02-16  8:26   ` Christopher Baines
@ 2020-02-16  9:52     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2020-02-16 10:11       ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2020-02-16 10:46       ` Christopher Baines
  0 siblings, 2 replies; 6+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-02-16  9:52 UTC (permalink / raw)
  To: Christopher Baines; +Cc: 39615


Chris,

Christopher Baines writes:
> However, while this change might avoid the problem with guix pull in the
> future, I'm still a bit stuck. I got this from a fresh install of Guix on
> the Overdrive machine I have (aarch64-linux).

I guess I've found my purpose this week and it's ‘mirroring old 
shit’.

This is not at all a solution, but you can ‘guix download’ the old 
.pem files here[0] and hopefully be on your merry way.

> I'm hoping that I'll be able to install git and the Guix dependencies,
> download the repository, and then get a newer version of Guix that way,
> but I'm guessing this will still be a problem for other aarch64-linux
> machines unless there's a substitute out there somewhere.

Indeed, and not just aarch64…

Kind regards,

T G-R

[0]: https://www.tobias.gr/guix


* bug#39615: LetsEncrypt root certificate hash changed
  2020-02-16  9:52     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-02-16 10:11       ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2020-02-16 10:46       ` Christopher Baines
  1 sibling, 0 replies; 6+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-02-16 10:11 UTC (permalink / raw)
  To: Christopher Baines, 39615


Chris, Guix,

Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> This is not at all a solution, but you can ‘guix download’ the old
> .pem files here[0] and hopefully be on your merry way.

Actually: this shouldn't be necessary now, since I've copied these 
files to berlin (and created gcroots) which ought to serve them as 
substitutes.

Kind regards,

T G-R


* bug#39615: LetsEncrypt root certificate hash changed
  2020-02-16  9:52     ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
  2020-02-16 10:11       ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-02-16 10:46       ` Christopher Baines
  1 sibling, 0 replies; 6+ messages in thread
From: Christopher Baines @ 2020-02-16 10:46 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: 39615



Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Christopher Baines writes:
>> However, while this change might avoid the problem with guix pull in
>> the future, I'm still a bit stuck. I got this from a fresh install of
>> Guix on the Overdrive machine I have (aarch64-linux).
>
> I guess I've found my purpose this week and it's ‘mirroring old shit’.
>
> This is not at all a solution, but you can ‘guix download’ the old
> .pem files here[0] and hopefully be on your merry way.

Awesome, I've managed to download them and guix pull no longer fails
with that error which is great :)
