From: ludo@gnu.org (Ludovic Courtès)
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: 26948@debbugs.gnu.org
Subject: bug#26948: gnutls errors on multiple guix commands
Date: Wed, 17 May 2017 14:56:15 +0200
Message-ID: <87shk3y74g.fsf@gnu.org>
In-Reply-To: <8737c51e6r.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 15 May 2017 22:19:26 -0700")

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> This problem has been ongoing for some time. It prevents me from using
> things such as "guix lint" or "guix import" (seems to be related to
> certs and gnutls). I thought a guix system reconfigure (I'm on GuixSD)
> would fix it but it hasn't, even after rebooting the system.
>
> It is reminiscent of bug#25200, but there doesn't appear to be any
> dangling symlinks this time around.
>
> The nss-certs package is present in my operating system declaration, and
> the /etc/ssl/certs directory is populated ('/etc/ssl' is a symbolic link
> pointing to /run/current-system/profile/etc/ssl).
>
> SSL_CERT_DIR is set to "/etc/ssl/certs"
> SSL_CERT_FILE is set to "/etc/ssl/certs/ca-certificates.crt"
>
>
> A couple examples of how things break:
>
> * guix lint
>
> guix lint emacs
> Backtrace:macs@25.2 [cve]...
>            9 (primitive-load "/gnu/store/80k8kz7qk9palbn0ccw7y3fgym8&")
> In guix/ui.scm:
>    1257:8  8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
>     640:9  7 (for-each #<procedure 183c060 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
>     982:4  6 (run-checkers _ _)
> In srfi/srfi-1.scm:
>     640:9  5 (for-each #<procedure 1f252a0 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
>     805:4  4 (check-vulnerabilities _)
>     800:9  3 (_ _)
> In unknown file:
>            2 (force #<promise #<procedure 7f1db4d41f88 at guix/scrip&>)
> In guix/scripts/lint.scm:
>    789:24  1 (_)
> In ice-9/boot-9.scm:
>     837:9  0 (catch srfi-34 #<procedure 7f1db4d4d3a8 at guix/script&> &)
>
> ice-9/boot-9.scm:837:9: In procedure catch:
> ice-9/boot-9.scm:837:9: Throw to key `gnutls-error' with args `(#<gnutls-error-enum Error while reading file.> set-certificate-credentials-x509-trust-file!)'.

So the problem here is that $SSL_CERT_DIR or $SSL_CERT_FILE is
unreadable for some reason.  Could you ‘strace’ it to see exactly which
file cannot be opened and why?

However, I cannot reproduce it with current master:

--8<---------------cut here---------------start------------->8---
$ rm -rf ~/.cache/guix/cve
$ SSL_CERT_FILE=/sdfsfd SSL_CERT_DIR=/sdfs  guix lint emacs
gnu/packages/emacs.scm:99:2: emacs@25.2: TLS certificate error: ERROR: X.509 certificate of 'www.gnu.org' could not be verified:
  signer-not-found
  invalid


guix lint: warning: TLS certificate error: ERROR: X.509 certificate of 'static.nvd.nist.gov' could not be verified:
  signer-not-found
  invalid

guix lint: warning: assuming no CVE vulnerabilities
--8<---------------cut here---------------end--------------->8---

This is the same story for the other ones.

Essentially, this code from (guix build download):

  (define (make-credendials-with-ca-trust-files directory)
    "Return certificate credentials with X.509 authority certificates read from
  DIRECTORY.  Those authority certificates are checked when
  'peer-certificate-status' is later called."
    (let ((cred  (make-certificate-credentials))
          (files (or (scandir directory
                              (lambda (file)
                                (string-suffix? ".pem" file)))
                     '())))
      (for-each (lambda (file)
                  (let ((file (string-append directory "/" file)))
                    ;; Protect against dangling symlinks.
                    (when (file-exists? file)
                      (set-certificate-credentials-x509-trust-file!
                       cred file
                       x509-certificate-format/pem))))
                (or files '()))
      cred))

seems to select a FILE that passes ‘file-exists?’ but that cannot be
read by ‘set-certificate-credentials-x509-trust-file!’.  I think that
can happen with unreadable files (EPERM), though I can’t reproduce it.

The ‘strace’ output should help us figure out what’s going on.

Thanks,
Ludo’.
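The loader quoted above admits a file that passes ‘file-exists?’ but that GnuTLS then cannot open, and the only diagnostic is the bare ‘gnutls-error’ backtrace Maxim posted. The following Guile snippet is an added example, not code from Guix or from this thread: it probes read permission with ‘access?’ before handing a file to GnuTLS, skips dangling symlinks, and names the offending file and procedure when the GnuTLS call still fails. It assumes the guile-gnutls bindings are installed (the same ‘(gnutls)’ procedures the Guix code uses) and that ‘error->string’ from that module is available; the procedure names ‘readable-pem-files’ and ‘make-credentials-with-readable-ca-files’ are my own.

```scheme
;; Added example, not Guix code: a diagnostic variant of
;; make-credendials-with-ca-trust-files that explains which file fails.
(use-modules (ice-9 ftw)    ; scandir
             (srfi srfi-1)  ; filter-map
             (gnutls))      ; certificate credentials, error->string

(define (readable-pem-files directory)
  "Return the '.pem' entries of DIRECTORY that both exist (so dangling
symlinks are dropped) and are readable by this process.  Entries that fail
either test are reported on the error port instead of being passed on."
  (filter-map
   (lambda (name)
     (let ((file (string-append directory "/" name)))
       (cond ((not (file-exists? file))
              ;; The symlink target is gone (the bug#25200 case).
              (format (current-error-port)
                      "skipping dangling symlink ~a~%" file)
              #f)
             ((not (access? file R_OK))
              ;; Exists, but open(2) would fail with EACCES: this is the
              ;; case file-exists? alone does not catch.
              (format (current-error-port)
                      "skipping unreadable file ~a~%" file)
              #f)
             (else file))))
   (or (scandir directory
                (lambda (name) (string-suffix? ".pem" name)))
       '())))

(define (make-credentials-with-readable-ca-files directory)
  "Like the Guix procedure, but load only readable files and, should GnuTLS
still reject one, say which file and which procedure raised the error rather
than letting the 'gnutls-error throw escape."
  (let ((cred (make-certificate-credentials)))
    (for-each
     (lambda (file)
       (catch 'gnutls-error
         (lambda ()
           (set-certificate-credentials-x509-trust-file!
            cred file x509-certificate-format/pem))
         ;; The throw carries the error enum and the failing procedure,
         ;; as in the backtrace above.
         (lambda (key err proc . rest)
           (format (current-error-port)
                   "~a: ~a (in ~a)~%" file (error->string err) proc))))
     (readable-pem-files directory))
    cred))

;; Usage: point it at the directory from $SSL_CERT_DIR.
;; (make-credentials-with-readable-ca-files
;;  (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs"))
```

Note that ‘access?’ answers for the process's real user and group IDs, so under a setuid wrapper it can disagree with what open(2) will do; the ‘catch’ around the GnuTLS call is what guarantees a named file in the report, and ‘strace’ remains the way to see the exact errno.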
