From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 46829@debbugs.gnu.org
Subject: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 04:30:04 -0400
Message-ID: <YHQFDOGNyqVlmWm0@jasmine.lan>
In-Reply-To: <YHPrv2NdqqaLWh42@jasmine.lan>
[-- Attachment #1.1: Type: text/plain, Size: 554 bytes --]
On Mon, Apr 12, 2021 at 02:42:07AM -0400, Leo Famulari wrote:
> I checked wrong; le-certs needs to be updated. I'm testing the update
> now...
I couldn't figure out how to test an update of the Guix package, but
here is my patch updating le-certs.
`make update-guix-package` segfaults for me, sometime after it updates
the source tree but before adding the source checkout to the store.
I did `guix build guix --with-git-url=guix=$PWD`, which succeeded, but
using --with-git-url changes the derivation, so I couldn't test this in
a VM sans nss-certs.
[-- Attachment #1.2: 0001-gnu-le-certs-Update-to-new-Let-s-Encrypt-certificate.patch --]
[-- Type: text/plain, Size: 6372 bytes --]
From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 12 Apr 2021 02:19:33 -0400
Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.
* gnu/packages/certs.scm (le-certs): Update the certificate store.
[inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
letsencryptauthorityx4.pem.
[arguments]: Adjust the builder accordingly.
---
gnu/packages/certs.scm | 76 ++++++++++++++++++++++++++++++------------
1 file changed, 55 insertions(+), 21 deletions(-)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index b72d927c0d..9dcd733ffe 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -147,7 +147,7 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
(define-public le-certs
(package
(name "le-certs")
- (version "0")
+ (version "1")
(source #f)
(build-system trivial-build-system)
(arguments
@@ -155,9 +155,12 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
#:builder
(begin
(use-modules (guix build utils))
- (let ((root (assoc-ref %build-inputs "isrgrootx1.pem"))
- (intermediate (assoc-ref %build-inputs "letsencryptauthorityx3.pem"))
- (backup (assoc-ref %build-inputs "letsencryptauthorityx4.pem"))
+ (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
+ (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
+ (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
+ (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
+ (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
+ (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
(out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
(openssl (assoc-ref %build-inputs "openssl"))
(perl (assoc-ref %build-inputs "perl")))
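Review bot: The new labels in the `let` ("isrgrootx2.pem", "letsencryptauthorityr3.pem", "letsencryptauthoritye1.pem" and so on) do not match the file names in the URLs this patch adds further down ("isrg-root-x2.pem", "lets-encrypt-r3.pem", "lets-encrypt-e1.pem"). Each string here has to match its `inputs` label exactly or `assoc-ref` returns #f, so naming the labels after the upstream files would make a mismatch easier to spot the next time the set is rotated.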
@@ -166,7 +169,9 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
(lambda (cert)
(copy-file cert (string-append out "/"
(strip-store-file-name cert))))
- (list root intermediate backup))
+ (list root-rsa root-ecdsa
+ intermediate-rsa intermediate-ecdsa
+ backup-rsa backup-ecdsa))
;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
;; similar.)
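Review bot: The hand-written `(list root-rsa root-ecdsa ...)` is a third place, after the `let` bindings and the `inputs` entries, that must be edited whenever a certificate is added or dropped; a name left out here is silently not copied into `out`. Consider building the list from `%build-inputs` (for example, every input whose label ends in ".pem") so that the `inputs` field is the only list to maintain.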
@@ -186,26 +191,55 @@ taken from the NSS package and thus ultimately from the Mozilla project.")
(sha256
(base32
"1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
- ;; "Let’s Encrypt Authority X3", the active Let's Encrypt intermediate
- ;; certificate.
- ("letsencryptauthorityx3.pem"
+ ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2"
+ ; Let's Encrypt describes it as "Active, limited availability"
+ ("isrgrootx2.pem"
,(origin
(method url-fetch)
- (uri "https://letsencrypt.org/certs/letsencryptauthorityx3.pem")
+ (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
(sha256
(base32
- "100lxxvqv4fj563bm03zzk5r36hq5jx9nnrajzs38g825c5k0cg2"))))
- ;; "Let’s Encrypt Authority X4", the backup Let's Encrypt intermediate
- ;; certificate. This will be used for disaster recovery and will only be
- ;; used should Let's Encrypt lose the ability to issue with "Let’s
- ;; Encrypt Authority X3".
- ("letsencryptauthorityx4.pem"
- ,(origin
- (method url-fetch)
- (uri "https://letsencrypt.org/certs/letsencryptauthorityx4.pem")
- (sha256
- (base32
- "0d5256gwf73drq6q6jala28rfzhrgbk5pjfq27vc40ly91pdyh8m"))))))
+ "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
+ ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
+ ;; RSA certificate.
+ ("letsencryptauthorityr3.pem"
+ ,(origin
+ (method url-fetch)
+ (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
+ (sha256
+ (base32
+ "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
+ ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
+ ;; ECDSA certificate.
+ ("letsencryptauthoritye1.pem"
+ ,(origin
+ (method url-fetch)
+ (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
+ (sha256
+ (base32
+ "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
+ ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
+ ;; RSA certificate. This will be used for disaster recovery and will only be
+ ;; used should Let's Encrypt lose the ability to issue with "Let’s
+ ;; Encrypt Authority R3".
+ ("letsencryptauthorityr4.pem"
+ ,(origin
+ (method url-fetch)
+ (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
+ (sha256
+ (base32
+ "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
+ ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
+ ;; ECDSA certificate. This will be used for disaster recovery and will
+ ;; only be used should Let's Encrypt lose the ability to issue with "Let’s
+ ;; Encrypt Authority E1".
+ ("letsencryptauthoritye2.pem"
+ ,(origin
+ (method url-fetch)
+ (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
+ (sha256
+ (base32
+ "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
(home-page "https://letsencrypt.org/certificates/")
(synopsis "Let's Encrypt root and intermediate certificates")
(description "This package provides a certificate store containing only the
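Review bot: The two comment lines above the "isrgrootx2.pem" entry use a single `;`, while the R3, E1, R4 and E2 entries (and the removed X3/X4 ones) use `;;`; switch them to `;;` so the input list is consistent. The same comment calls the root "Upcoming" and quotes a status ("Active, limited availability") that will go stale. Since this hunk is itself replacing intermediates that were pinned by name and hash, a short comment on when these entries need to be revisited would help whoever updates the package next.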
--
2.31.1