From: ludo@gnu.org (Ludovic Courtès)
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: 26948@debbugs.gnu.org
Subject: bug#26948: gnutls errors on multiple guix commands
Date: Wed, 17 May 2017 14:56:15 +0200 [thread overview]
Message-ID: <87shk3y74g.fsf@gnu.org> (raw)
In-Reply-To: <8737c51e6r.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 15 May 2017 22:19:26 -0700")
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
> This problem has been ongoing for some time. It prevents me from using
> things such as "guix lint" or "guix import" (seems to be related to
> certs and gnutls). I thought a guix system reconfigure (I'm on GuixSD)
> would fix it but it hasn't, even after rebooting the system.
>
> It is reminiscent of bug#25200, but there doesn't appear to be any
> dangling symlinks this time around.
>
> The nss-certs package is present in my operating system declaration, and
> the /etc/ssl/certs directory is populated ('/etc/ssl' is a symbolic link
> pointing to /run/current-system/profile/etc/ssl).
>
> SSL_CERT_DIR is set to "/etc/ssl/certs"
> SSL_CERT_FILE is set to "/etc/ssl/certs/ca-certificates.crt"
>
>
> A couple examples of how things break:
>
> * guix lint
>
> guix lint emacs
> Backtrace:macs@25.2 [cve]...
> 9 (primitive-load "/gnu/store/80k8kz7qk9palbn0ccw7y3fgym8&")
> In guix/ui.scm:
> 1257:8 8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
> 640:9 7 (for-each #<procedure 183c060 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
> 982:4 6 (run-checkers _ _)
> In srfi/srfi-1.scm:
> 640:9 5 (for-each #<procedure 1f252a0 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
> 805:4 4 (check-vulnerabilities _)
> 800:9 3 (_ _)
> In unknown file:
> 2 (force #<promise #<procedure 7f1db4d41f88 at guix/scrip&>)
> In guix/scripts/lint.scm:
> 789:24 1 (_)
> In ice-9/boot-9.scm:
> 837:9 0 (catch srfi-34 #<procedure 7f1db4d4d3a8 at guix/script&> &)
>
> ice-9/boot-9.scm:837:9: In procedure catch:
> ice-9/boot-9.scm:837:9: Throw to key `gnutls-error' with args `(#<gnutls-error-enum Error while reading file.> set-certificate-credentials-x509-trust-file!)'.
So the problem here is that $SSL_CERT_DIR or $SSL_CERT_FILE is
unreadable for some reason. Could you ‘strace’ it to see exactly which
file cannot be opened and why?
However, I cannot reproduce it with current master:
--8<---------------cut here---------------start------------->8---
$ rm -rf ~/.cache/guix/cve
$ SSL_CERT_FILE=/sdfsfd SSL_CERT_DIR=/sdfs guix lint emacs
gnu/packages/emacs.scm:99:2: emacs@25.2: TLS certificate error: ERROR: X.509 certificate of 'www.gnu.org' could not be verified:
signer-not-found
invalid
guix lint: warning: TLS certificate error: ERROR: X.509 certificate of 'static.nvd.nist.gov' could not be verified:
signer-not-found
invalid
guix lint: warning: assuming no CVE vulnerabilities
--8<---------------cut here---------------end--------------->8---
This is the same story for the other ones.
Essentially, this code from (guix build download):
;; From (guix build download); 'scandir' comes from (ice-9 ftw) and the
;; certificate-credentials procedures from the (gnutls) bindings.
(define (make-credendials-with-ca-trust-files directory)
  "Return certificate credentials with X.509 authority certificates read from
DIRECTORY.  Those authority certificates are checked when
'peer-certificate-status' is later called."
  (let ((cred  (make-certificate-credentials))
        (files (or (scandir directory
                            (lambda (file)
                              (string-suffix? ".pem" file)))
                   '())))
    (for-each (lambda (file)
                (let ((file (string-append directory "/" file)))
                  ;; Protect against dangling symlinks.
                  (when (file-exists? file)
                    (set-certificate-credentials-x509-trust-file!
                     cred file
                     x509-certificate-format/pem))))
              (or files '()))
    cred))
seems to select a FILE that passes ‘file-exists?’ but that cannot be
read by ‘set-certificate-credentials-x509-trust-file!’. I think that
can happen with unreadable files (EPERM), though I can’t reproduce it.
The ‘strace’ output should help us figure out what’s going on.
Thanks,
Ludo’.
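As an added illustration (not part of this thread or of Guix's own code), a Python script that replays the selection rule of the Guile snippet above against a directory and then tries what gnutls does next, opening each chosen file and looking for PEM certificate armor, so it names the entry that passes the existence check but cannot be loaded. The classify_trust_files and build_demo_dir names, the constructed PEM stand-in, and the header-only check (no real certificate parsing) are assumptions of this example.

```python
import os
import re
import tempfile

# Constructed stand-in for a PEM certificate: only the armor header is inspected.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
PEM_CERT = re.compile(rb"-----BEGIN (?:X509 |TRUSTED )?CERTIFICATE-----")

def classify_trust_files(directory):
    """Replay the selection rule of make-credendials-with-ca-trust-files (names
    ending in .pem that pass an existence check), then attempt what gnutls does
    next: open each file and look for PEM certificate armor.  Returns {name: status}."""
    report = {}
    try:
        names = sorted(os.listdir(directory))
    except OSError:
        return report  # scandir returned #f; the Guile code falls back to '()
    for name in names:
        if not name.endswith(".pem"):
            continue  # dropped by the scandir predicate
        path = os.path.join(directory, name)
        if not os.path.exists(path):  # follows symlinks, like file-exists?
            report[name] = "dangling"
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError as err:
            report[name] = "unreadable (%s)" % err.strerror
            continue
        report[name] = "ok" if PEM_CERT.search(data) else "not-pem"
    return report

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def build_demo_dir():
    """Construct a throw-away trust directory exercising each failure mode."""
    d = tempfile.mkdtemp(prefix="ca-trust-demo-")
    _write(os.path.join(d, "good.pem"), FAKE_PEM)
    _write(os.path.join(d, "garbage.pem"), b"not a certificate at all\n")
    _write(os.path.join(d, "README.txt"), FAKE_PEM)  # right content, wrong suffix
    os.symlink(os.path.join(d, "missing-target.pem"), os.path.join(d, "dangling.pem"))
    locked = os.path.join(d, "locked.pem")
    _write(locked, FAKE_PEM)
    os.chmod(locked, 0)  # passes file-exists? but open() fails unless running as root
    return d
```

Point classify_trust_files at the directory named in $SSL_CERT_DIR on the affected machine to find the entry gnutls rejects; classify_trust_files(build_demo_dir()) shows all four outcomes, with the mode-000 file reported as unreadable only when not running as root.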