unofficial mirror of guix-devel@gnu.org 
From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 11:29:19 -0500
Message-ID: <20170228162919.GA10253@jasmine>
In-Reply-To: <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>

On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
> for `guix download`, but having just the one file in SSL_CERT_DIR does.
> That's good enough for me! Could you make this into a Guix package? 

I plan to make a package once these issues are resolved:

1) Which "trust path" should we use? The one using ISRG (the "native"
Let's Encrypt root certificate authority), or the one that is
cross-signed by IdenTrust? Or should we keep it as-is, where both are
included? This is my first time creating a custom set of certificates,
so I don't know all the issues.

They recommend that server operators use the cross-signed trust chain
because the ISRG trust chain is not yet widely deployed in web browsers,
but that's not an issue for this use case.

2) I'd like at least two other Guix developers to try recreating the
repository "from scratch", and to send signed email to this thread
saying that they were able to successfully recreate this custom
certificate store.

> I wonder what happens if we simply switch %snapshot-url to HTTPS in
> `guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
> configured? I think it would be sufficient to mention in the manual to
> install one of "nss-certs" or "le-certs" before running `guix pull` for
> the first time. How does that sound?

I think it's too much of a regression if users have to fiddle with
environment variables for `guix pull` to work reliably. People are
constantly asking for help with environment variables in the #guix chat
room.

I want to bundle a 'le-certs' package with GNU Guix, and change `guix
pull` to know to use the le-certs bundle when pulling from
%snapshot-url. For other URLs, users will have to take care of it
themselves. 

This should preserve the existing user experience of `guix pull`, which
is that the default invocation "just works", at least in terms of
downloading the source code. It could fail anyways if their clock is way
off... any other ideas about how it could fail?

> $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /dev/null
> * Rebuilt URL to: https://nrk.no/
> *   Trying 160.68.205.231...
> * TCP_NODELAY set
> * Connected to nrk.no (160.68.205.231) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
> * server certificate verification failed. CAfile: /tmp/le-certs/le-certs.pem CRLfile: none
> * Closing connection 0
> 
> $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > /dev/null
> * Rebuilt URL to: https://gnu.org/
> *   Trying 208.118.235.148...
> * TCP_NODELAY set
> * Connected to gnu.org (208.118.235.148) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
> *        server certificate verification OK
> *        server certificate status verification SKIPPED
> *        common name: gnu.org (matched)
> *        server certificate expiration date OK
> *        server certificate activation date OK
> *        certificate public key: RSA
> *        certificate version: #3
> *        subject: CN=gnu.org
> *        start date: Wed, 15 Feb 2017 10:01:00 GMT
> *        expire date: Tue, 16 May 2017 10:01:00 GMT
> *        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> *        compression: NULL
> 
> $ GIT_SSL_CAINFO="" git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
> Cloning into 'guix'...
> fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Problem with the SSL CA cert(path? access rights?)
> 
> $ GIT_SSL_CAINFO=/tmp/le-certs/le-certs.pem git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
> Cloning into 'guix'...
> remote: Counting objects: 1409, done.

Excellent :)

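The curl and git runs quoted above show the behaviour a restricted CA bundle gives: a server whose certificate chains to a CA in the bundle verifies, anything else is rejected, and which file or directory the client consults depends on SSL_CERT_FILE / CURL_CA_BUNDLE versus SSL_CERT_DIR. The script below reproduces that offline, as an added example that is not code from this thread or from Guix. It builds two throwaway CAs with the openssl CLI, puts only one of them into a bundle named le-certs.pem (the name is borrowed from the thread; the CA and leaf names ca-in, ca-out, leaf-in, leaf-out and the directory certs.d are made up for the demo), then checks leaves against the bundle as a file, as a hashed directory, and with a deliberately wrong clock, which is the failure mode raised above.

```shell
# Added example, not code from the thread or from Guix: two throwaway CAs,
# a single-CA bundle, and openssl verify(1) runs that mirror the curl output.
# All file names here (ca-in, ca-out, leaf-in, leaf-out, certs.d) are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req(1) config: an empty DN section (we pass -subj on the command
# line) plus the CA extensions verify(1) expects on an issuer certificate.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca PREFIX CN: self-signed CA certificate, valid for 3 days.
make_ca() {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 3 \
        -subj "/O=Demo/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_leaf CAPREFIX HOST OUTPREFIX: leaf for HOST signed by CAPREFIX, 2 days.
issue_leaf() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 2 -sha256 -out "$3.pem" >/dev/null 2>&1
}

# verify_with_bundle BUNDLE LEAF: the SSL_CERT_FILE / CURL_CA_BUNDLE case.
# -no-CApath keeps the system hash directory out of the trust store, so the
# bundle alone decides. Prints OK or FAILED.
verify_with_bundle() {
    if openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

# verify_with_dir DIR LEAF: the SSL_CERT_DIR case. OpenSSL looks CAs up in a
# directory by subject-name hash, so each file must be named <hash>.0.
verify_with_dir() {
    if openssl verify -CApath "$1" -no-CAfile "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

# verify_at_time BUNDLE LEAF EPOCH: same bundle check, but evaluated as if
# the client clock read EPOCH (seconds). Shows the "clock is way off" failure.
verify_at_time() {
    if openssl verify -CAfile "$1" -no-CApath -attime "$3" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

make_ca ca-in  "Demo CA in bundle"
make_ca ca-out "Demo CA outside bundle"
issue_leaf ca-in  gnu.example   leaf-in    # issuer is in the bundle
issue_leaf ca-out other.example leaf-out   # issuer is not

# The bundle holds only ca-in, as le-certs.pem holds only the LE chain.
cp ca-in.pem le-certs.pem

# Hashed-directory form of the same single-CA store.
mkdir certs.d
cp ca-in.pem "certs.d/$(openssl x509 -subject_hash -noout -in ca-in.pem).0"

now=$(date +%s)
echo "bundle,   leaf-in:      $(verify_with_bundle le-certs.pem leaf-in.pem)"   # OK
echo "bundle,   leaf-out:     $(verify_with_bundle le-certs.pem leaf-out.pem)"  # FAILED
echo "hash dir, leaf-in:      $(verify_with_dir certs.d leaf-in.pem)"           # OK
echo "clock 10 days ahead:    $(verify_at_time le-certs.pem leaf-in.pem $((now + 864000)))"  # FAILED
echo "clock 1 day behind:     $(verify_at_time le-certs.pem leaf-in.pem $((now - 86400)))"   # FAILED
```

The two -no-CA* switches matter: without them, openssl verify also loads the system default store, and a leaf from a CA outside the bundle could still verify through it, which is exactly the ambiguity the thread wants to avoid for `guix pull`. The hashed-directory step is why dropping a PEM file into SSL_CERT_DIR only works when the file carries the subject-hash name; a bundle copied in under its own name is silently ignored.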
