unofficial mirror of bug-guix@gnu.org
* bug#36363: let's encrypt hash mismatch
From: Julien Lepiller @ 2019-06-24 17:23 UTC
  To: 36363

Hi!

Trying to run guix pull on the overdrive at my place to try and fix a
bug in openssh which doesn't start at boot, I get this error message:

building /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv...
building /gnu/store/3s8l6bg8gsfxrqallc5w02drl1m021ky-letsencryptauthorityx3.pem.drv...

Starting download of /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem From https://letsencrypt.org/certs/isrgrootx1.pem...

Starting download of /gnu/store/bcq7sqhg18b7b1q87j8z60d5hybsdafm-letsencryptauthorityx3.pem From https://letsencrypt.org/certs/letsencryptauthorityx3.pem...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem...

 letsencryptauthorityx3.pem  2KiB     385KiB/s 00:00 [##################] 100.0%
sha256 hash mismatch for /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem:
  expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
  actual hash:   0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
hash mismatch for store item '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem'
build of /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv failed
View build log at '/var/log/guix/drvs/qv/rwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv.bz2'.
cannot build derivation `/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv': 1 dependencies couldn't be built
guix pull: error: build failed: build of `/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv' failed


Thanks!


* bug#36363: let's encrypt hash mismatch
From: Tobias Geerinckx-Rice @ 2019-06-24 18:44 UTC
  To: julien lepiller; +Cc: 36363


Julien,

Julien Lepiller wrote:
> trying to run guix pull on the overdrive at my place to try and fix a
> bug in openssh which doesn't start at boot, I get this error message:

[…]

>  letsencryptauthorityx3.pem  2KiB     385KiB/s 00:00
>  [##################] 100.0% sha256 hash mismatch
>  for /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem:
>  expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>  actual hash:   0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac

This will keep happening until we find(/create) a versioned URL 
for these files.  Let's Encrypt like to change them in place.

The last time this happened they'd added CR/LF line endings for no 
reason at all, but this time I don't have the old version around 
anymore…

Kind regards,

T G-R


* bug#36363: let's encrypt hash mismatch
From: Ludovic Courtès @ 2019-06-24 20:09 UTC
  To: Julien Lepiller; +Cc: 36363

Hi Julien,

Julien Lepiller <julien@lepiller.eu> skribis:

>  expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>  actual hash:   0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>  hash mismatch for store item
>  '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build

I believe you’d be fine if substitutes were enabled, but they’re not.

In the meantime, you can fetch those files with something like:

  wget -O /tmp/isrgrootx1.pem \
    http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
  guix download file:///tmp/isrgrootx1.pem

But yeah, like Tobias writes, it’s a bit of a problem.  Should we mirror
them somewhere?  Does Let’s Encrypt have them under a versioned URL
elsewhere?

HTH,
Ludo’.
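
An added example, not code from this thread or from Guix, that shows what the two hash strings in the report are and how to triage such a mismatch before re-pinning (the check a maintainer would want between Ludo's re-fetch above and `guix download`). Guix prints fixed-output hashes as SHA-256 in the Nix base32 alphabet, so the block re-implements that encoding, then classifies a mismatch on a re-fetched PEM as line-ending churn only (the CR/LF incident Tobias mentions), as armor or whitespace changes with an identical DER certificate, or as an actual change in certificate content, which is the case that needs review. The sample PEM is constructed from arbitrary bytes and is not a real certificate; the function names are my own.

```python
"""Triage a Guix fixed-output hash mismatch on a PEM file (added example)."""
import base64
import hashlib
import re
from typing import Optional

# Alphabet Guix and Nix use when printing hashes (digits plus a-z without e, o, t, u).
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a raw digest the way Guix prints it: 5-bit groups read from the
    least-significant bit of the digest upward, emitted highest group first."""
    length = (len(digest) * 8 - 1) // 5 + 1          # 52 characters for SHA-256
    out = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)                      # byte index, bit offset
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def guix_sha256(data: bytes) -> str:
    """The string 'guix hash FILE' prints for these bytes."""
    return nix_base32(hashlib.sha256(data).digest())


_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_der_blocks(data: bytes) -> list:
    """DER payload of every PEM block, ignoring whitespace and line endings."""
    return [base64.b64decode(re.sub(rb"\s+", b"", m.group(2)))
            for m in _PEM_BLOCK.finditer(data)]


def diagnose(fetched: bytes, expected_hash: str,
             pinned_copy: Optional[bytes] = None) -> str:
    """Classify why a re-fetched file does not match the pinned hash."""
    if guix_sha256(fetched) == expected_hash:
        return "match"
    # Case seen earlier in this thread: the server added CR/LF line endings.
    if guix_sha256(fetched.replace(b"\r\n", b"\n")) == expected_hash:
        return "mismatch: CRLF line endings only (same bytes after normalisation)"
    if pinned_copy is None:
        return "mismatch: content changed (no pinned copy to compare against)"
    if pem_der_blocks(pinned_copy) == pem_der_blocks(fetched):
        return "mismatch: armor/whitespace changed, DER certificate identical"
    return "mismatch: certificate content changed; review before re-pinning"


# Constructed sample: the payload is arbitrary bytes, NOT a real certificate.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
PINNED_HASH = guix_sha256(SAMPLE_PEM)                 # what a recipe would record
CRLF_PEM = SAMPLE_PEM.replace(b"\n", b"\r\n")         # in-place CR/LF churn
CHANGED_PEM = SAMPLE_PEM.replace(base64.encodebytes(SAMPLE_DER),
                                 base64.encodebytes(bytes(48)))

if __name__ == "__main__":
    print("pinned:", PINNED_HASH)
    for name, blob in [("crlf", CRLF_PEM), ("changed", CHANGED_PEM)]:
        print(name, "->", diagnose(blob, PINNED_HASH, SAMPLE_PEM))
```

Keeping the previously pinned copy of the file (or fetching it from a content-addressed mirror as in the wget line above) is what makes the DER comparison possible; without it the code can only report that the bytes changed, not whether the certificate did.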


* bug#36363: let's encrypt hash mismatch
From: Chris Marusich @ 2019-07-21 23:12 UTC
  To: Ludovic Courtès; +Cc: 36363


Ludovic Courtès <ludo@gnu.org> writes:

> Julien Lepiller <julien@lepiller.eu> skribis:
>
>>  expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>  actual hash:   0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>  hash mismatch for store item
>>  '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>
> I believe you’d be fine if substitutes were enabled, but they’re not.
>
> In the meantime, you can fetch those files with something like:
>
>   wget -O /tmp/isrgrootx1.pem \
>     http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>   guix download file:///tmp/isrgrootx1.pem
>
> But yeah, like Tobias writes, it’s a bit of a problem.  Should we mirror
> them somewhere?  Does Let’s Encrypt have them under a versioned URL
> elsewhere?

What is Guix using these files for?  I realize it's got something to do
with TLS, but it isn't clear to me why Guix downloads these certs.

I don't have the full context, so please forgive me if my comments are
unhelpful, but before deciding to use stale versions, I think it's worth
asking, "Could using a stale version introduce any security risk?"
Maybe there's a reason why LE doesn't publish the old versions.

-- 
Chris


* bug#36363: let's encrypt hash mismatch
From: Ludovic Courtès @ 2019-07-22 10:34 UTC
  To: Chris Marusich; +Cc: 36363

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Julien Lepiller <julien@lepiller.eu> skribis:
>>
>>>  expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>>  actual hash:   0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>>  hash mismatch for store item
>>>  '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>>
>> I believe you’d be fine if substitutes were enabled, but they’re not.
>>
>> In the meantime, you can fetch those files with something like:
>>
>>   wget -O /tmp/isrgrootx1.pem \
>>     http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>   guix download file:///tmp/isrgrootx1.pem
>>
>> But yeah, like Tobias writes, it’s a bit of a problem.  Should we mirror
>> them somewhere?  Does Let’s Encrypt have them under a versioned URL
>> elsewhere?
>
> What is Guix using these files for?  I realize it's got something to do
> with TLS, but it isn't clear to me why Guix downloads these certs.

This is used by (guix scripts pull) so we can always authenticate
git.savannah.gnu.org when we fetch from the Git repo.  It’s used if and
only if certificates aren’t available system-wide (see
‘honor-x509-certificates’.)

Ludo’.


* bug#36363: let's encrypt hash mismatch
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-10-09 12:04 UTC
  To: 36363-done


Closing as this specific failure has passed and any wider 
discussion shouldn't happen here.

Kind regards,

T G-R

