unofficial mirror of bug-guix@gnu.org 
* bug#31303: substitute: guix substitute: error: TLS error in procedure 'handshake'
@ 2018-04-28 19:16 George myglc2 Clemmer
  2018-04-28 19:30 ` George myglc2 Clemmer
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: George myglc2 Clemmer @ 2018-04-28 19:16 UTC (permalink / raw)
  To: 31303

I am attempting to supply substitutes from a GuixSD install (g1) to a
'guix system vm-image' (sysi17.local). I did this on g1 ...

g1@g1 ~$ sudo guix publish
guix publish: warning: server running as root; consider using the '--user' option!
publishing /gnu/store on 0.0.0.0, port 8080

... and I get this error on sysi17 ...

g1@sysi17 ~ [env]$ guix environment --substitute-urls=https://g1.local:8080
substitute: guix substitute: error: TLS error in procedure 'handshake': An unexpected TLS packet was received.
guix environment: error: corrupt input while restoring archive from #<closed: file 32da4d0>

... which looks like this on g1 ...

In ice-9/boot-9.scm:
    841:4  4 (with-throw-handler _ _ _)
In web/server/http.scm:
   127:28  3 (_)
In web/request.scm:
   205:31  2 (read-request #<closed: file 292dcb0> _)
In web/http.scm:
   1141:6  1 (read-request-line _)
In ice-9/boot-9.scm:
   752:25  0 (dispatch-exception _ _ _)
Bad request: Bad Request-Line:
    "\x16\x03\x01\x00ò\x01\x00\x00î\x03\x03Zäº\x17<À\x9aËù»ò\x8c\x12n8y:\x16¸q\x0fá\x87Gtéc´8¿±<\x00\x00rÀ,À\x87Ì©À\xadÀ"

The keys are set up this way ...

g1@g1 ~$ cat /etc/guix/signing-key.pub
(public-key
 (ecc
  (curve Ed25519)
  (q #C38DCF2B0EBE663B9450BEFB0E77DFAF6643E8E971318F7002721076ED9C9788#)
  )
 )

g1@sysi17 ~ [env]$ sudo cat /etc/guix/acl
Password:
(acl
 (entry
  (public-key
   (ecc
    (curve Ed25519)
    (q #C38DCF2B0EBE663B9450BEFB0E77DFAF6643E8E971318F7002721076ED9C9788#)
    )
   )
  (tag
   (guix import)
   )
  )
  [...]
 )

sysi17 has no trouble reaching hydra ...

g1@sysi17 ~ [env]$ guix environment
--substitute-urls=https://mirror.hydra.gnu.org --dry-run hello
substitute: updating list of substitutes from
'https://mirror.hydra.gnu.org'... 100.0%
[...]

or pinging g1...
g1@sysi17 ~ [env]$ ping g1.local
PING g1.local (192.168.1.7): 56 data bytes
64 bytes from 192.168.1.7: icmp_seq=0 ttl=64
[...]

Both systems were configured using ...

guix (GNU Guix) 0.14.0.4439-eb88e

... which was built from ...

5b862761f2a60af79b4c16851454a5e792ef4f56 gnu: guix: Update to ab85cf7.

... with 4.16.4 reverted ...

ba39d3280759fb20a4ff0092a5afac721a5fa769 "gnu: linux-libre: Update to 4.16.4."

TIA - George


* bug#31303: substitute: guix substitute: error: TLS error in procedure 'handshake'
  2018-04-28 19:16 bug#31303: substitute: guix substitute: error: TLS error in procedure 'handshake' George myglc2 Clemmer
@ 2018-04-28 19:30 ` George myglc2 Clemmer
  2018-04-29  0:19 ` Carlo Zancanaro
       [not found] ` <handler.31303.B.152494301819931.ack@debbugs.gnu.org>
  2 siblings, 0 replies; 5+ messages in thread
From: George myglc2 Clemmer @ 2018-04-28 19:30 UTC (permalink / raw)
  To: 31303

[-- Attachment #1: Type: text/plain, Size: 242 bytes --]

On 04/28/2018 at 15:16 George myglc2 Clemmer writes:

> I am attempting to supply substitutes from a GuixSD install (g1) to a
> 'guix system vm-image' (sysi17.local). I did this on g1 ...

Oops, here are configs (sys.scm was used for g1)...


[-- Attachment #2: sys.scm --]
[-- Type: application/octet-stream, Size: 2839 bytes --]

;; g1: GuixSD headless server w/ NVMe M.2 SSD root drive
(define sys-packages
  ;; Package specification strings for g1, kept in their original order.
  ;; The operating-system declaration further down maps
  ;; 'specification->package' over this list and appends %base-packages.
  (list "cups"
        "emacs-ag" "emacs-no-x" "emacs-guix" "emacs-paredit"
        "freeipmi"
        "git"
        "glibc-utf8-locales"
        "magit"
        "mdadm"
        "nss-certs"
        "openssh"
        "qemu"
        "screen"
        "smartmontools"
        "virt-viewer"))                 ; remote-viewer > spice > VM
(use-modules (gnu))
(use-modules (gnu packages))
(use-modules (gnu system nss)) ; name service switch
(use-service-modules
 admin                ; rottlog
 avahi
 networking           ; static, ntp
 ssh                  ; openssh-service-type
 mcron
 )
(define updatedb-job
  ;; Run 'updatedb' at 3AM every day.
  ;; The job's action is a Scheme procedure that execs the 'updatedb'
  ;; binary taken from the findutils package; /tmp, /var/tmp and /gnu/store
  ;; are pruned from the index.
  ;; NOTE(review): no 'use-package-modules' line for findutils is visible in
  ;; this file -- confirm the variable is in scope where this is evaluated.
  #~(job '(next-hour '(3))
	 (lambda ()
	   (execl (string-append #$findutils "/bin/updatedb")
		  "updatedb"
		  "--prunepaths=/tmp /var/tmp /gnu/store"))))
(define garbage-collector-job
  ;; Collect garbage 45 minutes after midnight every day.
  ;; The action is given as a command string, "guix gc -F 1G".
  #~(job "45 0 * * *"            ;Vixie cron syntax
	 "guix gc -F 1G"))
(define backup-job
  ;; Back up the SSD 5 minutes after midnight every day.
  ;; The action is the command string "/root/bin/bussd", a script that is
  ;; not part of this file.
  ;; NOTE(review): the job is presumably run as root by the system mcron
  ;; service -- confirm that /root/bin/bussd and its directory are writable
  ;; by root only.
  #~(job "5 0 * * *"            ;Vixie cron syntax
	 "/root/bin/bussd"))
(define %my-services
  ;; %base-services with the agetty service reconfigured for the serial
  ;; line: tty "ttyS1", 115200 baud, TERM "xterm-256color".
  (modify-services %base-services
		   (agetty-service-type config =>
					(agetty-configuration
					 (tty "ttyS1")
					 (baud-rate "115200")
					 (term "xterm-256color")
					 ))))
;; Operating-system declaration for host "g1": serial console on ttyS1,
;; root file system on an NVMe drive, static IPv4 address 192.168.1.7.
(operating-system
 (host-name "g1")
 (timezone "America/New_York")
 (locale "en_US.utf8")
 ;; Kernel console on the serial port, matching the agetty settings in
 ;; %my-services.
 (kernel-arguments '("console=ttyS1,115200"))
 ;; NVMe M.2 SSD root drive
 (bootloader (grub-configuration (target "/dev/nvme0n1")
				 (terminal-outputs '(console))
				 (terminal-inputs '(serial console))
				 (serial-speed 115200)
				 ))
 (initrd-modules (append (list "shpchp") ;; for /dev/nvme0n1
			 %base-initrd-modules))
 ;; Root file system is located by its label, "g1NVMe".
 (file-systems (cons (file-system
		      (title 'label)
		      (device "g1NVMe")
		      (mount-point "/")
		      (type "ext4"))
		     %base-file-systems))
 (swap-devices '("/dev/nvme0n1p2" ))
 ;; One login account, "g1", in the wheel and kvm groups.
 ;; 'name' below presumably resolves to the (name "g1") field given just
 ;; before it -- keep that field first.
 (users (cons* (user-account (name "g1")
			     (group "users")
			     (supplementary-groups '("wheel" "kvm"))
			     (home-directory (string-append "/home/" name)))
	       %base-user-accounts))
 ;; Packages named in sys-packages plus %base-packages.
 (packages (append (map specification->package
			sys-packages)
		   %base-packages))
 (services (cons* (static-networking-service
		   "enp3s0" "192.168.1.7"
		   #:gateway "192.168.1.1"
		   #:name-servers '("192.168.1.1" "46.17.102.24"))
		  ;; SSH daemon.  The same public key file, glc.pub, is
		  ;; authorized for both "g1" and "root".
		  ;; NOTE(review): permit-root-login #t allows root to log in
		  ;; over SSH, presumably by password as well as by key.
		  ;; Since a key is authorized for root, restricting root to
		  ;; key-based login ('without-password in Guix of this
		  ;; period -- confirm for your revision) would keep the same
		  ;; access with less exposure.
		  ;; NOTE(review): x11-forwarding? #t is enabled on a host
		  ;; described as headless -- confirm it is needed.
		  (service openssh-service-type
			   (openssh-configuration
			    (x11-forwarding? #t)
			    (permit-root-login #t)
			    (authorized-keys
			     `(
			       ("g1" ,(local-file "glc.pub"))
			       ("root" ,(local-file "glc.pub"))))))
		  (service rottlog-service-type)
		  ;; Scheduled jobs defined earlier in this file.
		  (mcron-service (list garbage-collector-job
				       updatedb-job
				       backup-job))
		  (avahi-service)
		  (ntp-service)
		  %my-services))
 ;; Host name lookups go through mDNS as well (the ".local" names used
 ;; between g1 and the VM).
 (name-service-switch %mdns-host-lookup-nss))

[-- Attachment #3: sysi17.scm --]
[-- Type: application/octet-stream, Size: 1501 bytes --]

;; -*-Scheme-*-
;;; minimal 'guix system vm-image' config ~ sys.scm
(define sys-packages
  ;; Package specification strings for the VM image, in their original
  ;; order; the operating-system declaration below maps
  ;; 'specification->package' over this list.
  (list "cups"
        "git"
        "glibc-utf8-locales"
        "nss-certs"
        "openssh"
        "screen"))
(use-modules (gnu))
(use-modules (gnu packages))
(use-modules (gnu system nss))
(use-service-modules
 avahi
 networking ; dhcp-client-service
 ssh ; openssh-service-type
 )
;; Operating-system declaration for the 'guix system vm-image' guest
;; "sysi17": DHCP networking, two wheel users, sshd, avahi and ntp.
(operating-system
  (host-name "sysi17")
  (timezone "America/New_York")
  (locale "en_US.utf8")
  (bootloader (grub-configuration (target "/dev/sda")))
  ;; Root file system is located by its label, "g1sd".
  (file-systems (cons (file-system
			(device "g1sd")
			(title 'label)
			(mount-point "/")
			(type "ext4"))
		      %base-file-systems))
  ;; Two login accounts, "g1" and "al", both in wheel.  Neither declares a
  ;; password field here.
  (users (cons*
	  (user-account
	   (name "g1")
	   (group "users")
	   (supplementary-groups '("wheel"))
	   (home-directory "/home/g1"))
	  (user-account
	   (name "al")
	   (group "users")
	   (supplementary-groups '("wheel"))
	   (home-directory "/home/al"))
	  %base-user-accounts))
  (packages (append (map specification->package sys-packages)
		    %base-packages))
  (services (cons*
	     (dhcp-client-service)
	     ;; SSH daemon.  The same public key file, glc.pub, is authorized
	     ;; for "g1", "al" and "root".
	     ;; NOTE(review): allow-empty-passwords? #t together with
	     ;; permit-root-login #t means that any account left with an
	     ;; empty password, root included, could presumably be logged
	     ;; into over SSH without a credential.  That fits a throwaway
	     ;; VM on an isolated network only.  Since keys are authorized
	     ;; for all three accounts, key-based login should keep working
	     ;; with both options tightened -- confirm before reusing this
	     ;; config elsewhere.
	     (service openssh-service-type
		      (openssh-configuration
		       (x11-forwarding? #t)
		       (permit-root-login #t)
		       (allow-empty-passwords? #t)
		       (authorized-keys
			`(
			  ("g1" ,(local-file "glc.pub"))
			  ("al" ,(local-file "glc.pub"))
			  ("root" ,(local-file "glc.pub"))))))
	     (avahi-service)
	     (ntp-service)
	     %base-services))
  ;; Host name lookups go through mDNS as well (used to reach g1.local).
  (name-service-switch %mdns-host-lookup-nss))


* bug#31303: substitute: guix substitute: error: TLS error in procedure 'handshake'
  2018-04-28 19:16 bug#31303: substitute: guix substitute: error: TLS error in procedure 'handshake' George myglc2 Clemmer
  2018-04-28 19:30 ` George myglc2 Clemmer
@ 2018-04-29  0:19 ` Carlo Zancanaro
  2018-04-29  1:27   ` myglc2
       [not found] ` <handler.31303.B.152494301819931.ack@debbugs.gnu.org>
  2 siblings, 1 reply; 5+ messages in thread
From: Carlo Zancanaro @ 2018-04-29  0:19 UTC (permalink / raw)
  To: George myglc2 Clemmer; +Cc: 31303

[-- Attachment #1: Type: text/plain, Size: 493 bytes --]

Hey George,

On Sat, Apr 28 2018, George myglc2 Clemmer wrote:
> g1@sysi17 ~ [env]$ guix environment 
> --substitute-urls=https://g1.local:8080

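The guix substitute command only runs a normal http server, so you 
have to use http://, not https://. I think the other servers you 
mention are behind proxies which handle the SSL part and forward 
the requests on to the substitute process. [Editor's note: the HTTP 
server in question is the one started by 'guix publish' on g1. 
Fetching over plain HTTP does not remove authentication of the 
substitutes: the client checks their signature against the keys 
authorized in /etc/guix/acl, so TLS here would mainly add privacy 
for the transfer.]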

Does it work if you run this instead?

  guix environment --substitute-urls=http://g1.local:8080

Carlo

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]


* bug#31303: substitute: guix substitute: error: TLS error in procedure 'handshake'
  2018-04-29  0:19 ` Carlo Zancanaro
@ 2018-04-29  1:27   ` myglc2
  0 siblings, 0 replies; 5+ messages in thread
From: myglc2 @ 2018-04-29  1:27 UTC (permalink / raw)
  To: Carlo Zancanaro; +Cc: 31303

On 04/29/2018 at 10:19 Carlo Zancanaro writes:

> Hey George,
>
> On Sat, Apr 28 2018, George myglc2 Clemmer wrote:
>> g1@sysi17 ~ [env]$ guix environment
>> --substitute-urls=https://g1.local:8080
>
> The guix substitute command only runs a normal http server, so you
> have to use http://, not https://. I think the other servers you
> mention are behind proxies which handle the SSL part and forward the
> requests on to the substitute process.
>
> Does it work if you run this instead?
>
>  guix environment --substitute-urls=http://g1.local:8080
>
> Carlo

LOL, yes it does!

Duh, I guess I was so impressed by all the HTTPS's in "3.3.3 Substitute
Authentication" that I couldn't see the HTTP's in "5.11 Invoking ‘guix
publish’" ;-)

Many thanks - George


* bug#31303: Acknowledgement (substitute: guix substitute: error: TLS error in procedure 'handshake')
       [not found] ` <handler.31303.B.152494301819931.ack@debbugs.gnu.org>
@ 2018-04-29  1:30   ` George myglc2 Clemmer
  0 siblings, 0 replies; 5+ messages in thread
From: George myglc2 Clemmer @ 2018-04-29  1:30 UTC (permalink / raw)
  To: 31303-done



