From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#26948: gnutls errors on multiple guix commands
Date: Wed, 17 May 2017 14:56:15 +0200
Message-ID: <87shk3y74g.fsf@gnu.org>
References: <8737c51e6r.fsf@gmail.com>
In-Reply-To: <8737c51e6r.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 15 May 2017 22:19:26 -0700")
List-Id: Bug reports for GNU Guix
To: Maxim Cournoyer
Cc: 26948@debbugs.gnu.org

Hi Maxim,

Maxim Cournoyer skribis:

> This problem has been ongoing for some time. It prevents me from using
> things such as "guix lint" or "guix import" (seems to be related to
> certs and gnutls). I thought a guix system reconfigure (I'm on GuixSD)
> would fix it but it hasn't, even after rebooting the system.
>
> It is reminiscent of bug#25200, but there doesn't appear to be any
> dangling symlinks this time around.
>
> The nss-certs package is present in my operating system declaration, and
> the /etc/ssl/certs directory is populated ('/etc/ssl' is a symbolic link
> pointing to /run/current-system/profile/etc/ssl).
>
> SSL_CERT_DIR is set to "/etc/ssl/certs"
> SSL_CERT_FILE is set to "/etc/ssl/certs/ca-certificates.crt"
>
>
> A couple examples of how things break:
>
> * guix lint
>
> guix lint emacs
> Backtrace:macs@25.2 [cve]...
>            9 (primitive-load "/gnu/store/80k8kz7qk9palbn0ccw7y3fgym8&")
> In guix/ui.scm:
>   1257:8  8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
>    640:9  7 (for-each # &)
> In guix/scripts/lint.scm:
>    982:4  6 (run-checkers _ _)
> In srfi/srfi-1.scm:
>    640:9  5 (for-each # &)
> In guix/scripts/lint.scm:
>    805:4  4 (check-vulnerabilities _)
>    800:9  3 (_ _)
> In unknown file:
>            2 (force #)
> In guix/scripts/lint.scm:
>   789:24  1 (_)
> In ice-9/boot-9.scm:
>    837:9  0 (catch srfi-34 # &)
>
> ice-9/boot-9.scm:837:9: In procedure catch:
> ice-9/boot-9.scm:837:9: Throw to key `gnutls-error' with args `(# set-certificate-credentials-x509-trust-file!)'.

So the problem here is that $SSL_CERT_DIR or $SSL_CERT_FILE is unreadable
for some reason. Could you ‘strace’ it to see exactly which file cannot be
opened and why?

However, I cannot reproduce it with current master:

--8<---------------cut here---------------start------------->8---
$ rm -rf ~/.cache/guix/cve
$ SSL_CERT_FILE=/sdfsfd SSL_CERT_DIR=/sdfs guix lint emacs
gnu/packages/emacs.scm:99:2: emacs@25.2: TLS certificate error: ERROR: X.509 certificate of 'www.gnu.org' could not be verified: signer-not-found invalid
guix lint: warning: TLS certificate error: ERROR: X.509 certificate of 'static.nvd.nist.gov' could not be verified: signer-not-found invalid
guix lint: warning: assuming no CVE vulnerabilities
--8<---------------cut here---------------end--------------->8---

This is the same story for the other ones.

Essentially, this code from (guix build download):

(define (make-credendials-with-ca-trust-files directory)
  "Return certificate credentials with X.509 authority certificates read from
DIRECTORY.  Those authority certificates are checked when
'peer-certificate-status' is later called."
  (let ((cred  (make-certificate-credentials))
        (files (or (scandir directory
                            (lambda (file)
                              (string-suffix? ".pem" file)))
                   '())))
    (for-each (lambda (file)
                (let ((file (string-append directory "/" file)))
                  ;; Protect against dangling symlinks.
                  (when (file-exists? file)
                    (set-certificate-credentials-x509-trust-file!
                     cred file
                     x509-certificate-format/pem))))
              (or files '()))
    cred))

seems to select a FILE that passes ‘file-exists?’ but that cannot be read by
‘set-certificate-credentials-x509-trust-file!’. I think that can happen with
unreadable files (EPERM), though I can’t reproduce it.

The ‘strace’ output should help us figure out what’s going on.

Thanks,
Ludo’.
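As an added illustration that is not part of this thread and not Guix's own code: the same trust-file loop written so that an entry which exists but is not readable is skipped with a warning instead of aborting the whole command, and so that a file GnuTLS still rejects is named in the diagnostic. It assumes Guile's `access?`/`R_OK` and the Guile-GnuTLS bindings' `error->string`, and that `gnutls-error` is thrown with the error object and the procedure name as its arguments, as in the backtrace above.

```scheme
;; Added example, not the (guix build download) code.
(use-modules (gnutls)
             (ice-9 ftw)
             (srfi srfi-1))

(define (readable-pem-files directory)
  "Return the .pem files in DIRECTORY that both exist and are readable.
Entries that exist but cannot be read (the case suspected above) are
reported and skipped rather than passed on to GnuTLS."
  (filter-map
   (lambda (entry)
     (let ((file (string-append directory "/" entry)))
       (cond ((not (string-suffix? ".pem" entry)) #f)
             ;; Dangling symlink: same check as the original loop.
             ((not (file-exists? file)) #f)
             ;; Exists but unreadable: warn instead of letting
             ;; set-certificate-credentials-x509-trust-file! throw.
             ((not (access? file R_OK))
              (format (current-error-port)
                      "warning: skipping unreadable trust file ~a~%" file)
              #f)
             (else file))))
   (or (scandir directory) '())))

(define (make-credentials-with-readable-trust-files directory)
  "Like the Guix procedure above, but feed GnuTLS only readable files and
name the offending file if GnuTLS rejects one anyway (bad PEM, etc.)."
  (let ((cred (make-certificate-credentials)))
    (for-each
     (lambda (file)
       (catch 'gnutls-error
         (lambda ()
           (set-certificate-credentials-x509-trust-file!
            cred file x509-certificate-format/pem))
         ;; Assumed handler shape: (key error-object procedure-name ...).
         (lambda (key err proc . rest)
           (format (current-error-port)
                   "warning: ~a rejected by ~a: ~a~%"
                   file proc (error->string err)))))
     (readable-pem-files directory))
    cred))
```

Run with the directory from $SSL_CERT_DIR; the warning lines point straight at the file that ‘strace’ would otherwise have to reveal.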