unofficial mirror of guix-devel@gnu.org 
* pypi import certs issues
@ 2018-03-19 13:24 ng0
  2018-03-19 16:52 ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2018-03-19 13:24 UTC (permalink / raw)
  To: guix-devel

Hi,

on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:

user@abyayala ~$ guix package -l | grep "nss-certs"
user@abyayala ~$ env | grep "SSL_"
GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
user@abyayala ~$ guix import pypi readline
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
Backtrace:
          11 (apply-smob/1 #<catch-closure 24703a0>)
          In ice-9/boot-9.scm:
              705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
              In ice-9/eval.scm:
                  619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
                  In guix/ui.scm:
                    1501:12  8 (run-guix-command _ . _)
                    In guix/scripts/import.scm:
                       114:11  7 (guix-import . _)
                       In guix/scripts/import/pypi.scm:
                           84:19  6 (guix-import-pypi . _)
                           In guix/import/pypi.scm:
                              274:17  5 (pypi->guix-package _)
                              In ice-9/boot-9.scm:
                                  829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/json…> …)
                                  In guix/import/json.scm:
                                      32:17  3 (_)
                                      In guix/http-client.scm:
                                          88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
                                          In guix/build/download.scm:
                                              398:4  1 (open-connection-for-uri _ #:timeout _ # _)
                                                  296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)

guix/build/download.scm:296:6: In procedure tls-wrap:
X.509 certificate of 'pypi.python.org' could not be verified:
  insecure-algorithm
    signer-not-found
      invalid

user@abyayala ~$ ^C
user@abyayala ~$ cat src/systems/old_systems/guixsd/workstations/abyayala/config.scm | grep "nss-certs"
                                                  "nss-certs" ;certs
                                                  

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is


* Re: pypi import certs issues
  2018-03-19 13:24 pypi import certs issues ng0
@ 2018-03-19 16:52 ` Ludovic Courtès
  2018-03-19 17:48   ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2018-03-19 16:52 UTC (permalink / raw)
  To: guix-devel

Hello,

ng0 <ng0@n0.is> skribis:

> on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>
> user@abyayala ~$ guix package -l | grep "nss-certs"
> user@abyayala ~$ env | grep "SSL_"
> GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> user@abyayala ~$ guix import pypi readline
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> Backtrace:
>           11 (apply-smob/1 #<catch-closure 24703a0>)
>           In ice-9/boot-9.scm:
>               705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
>               In ice-9/eval.scm:
>                   619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
>                   In guix/ui.scm:
>                     1501:12  8 (run-guix-command _ . _)
>                     In guix/scripts/import.scm:
>                        114:11  7 (guix-import . _)
>                        In guix/scripts/import/pypi.scm:
>                            84:19  6 (guix-import-pypi . _)
>                            In guix/import/pypi.scm:
>                               274:17  5 (pypi->guix-package _)
>                               In ice-9/boot-9.scm:
>                                   829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/json…> …)
>                                   In guix/import/json.scm:
>                                       32:17  3 (_)
>                                       In guix/http-client.scm:
>                                           88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
>                                           In guix/build/download.scm:
>                                               398:4  1 (open-connection-for-uri _ #:timeout _ # _)
>                                                   296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)
>
> guix/build/download.scm:296:6: In procedure tls-wrap:
> X.509 certificate of 'pypi.python.org' could not be verified:
>   insecure-algorithm
>     signer-not-found
>       invalid

I don’t see that.  Could it be that the certs you have in /etc/ssl are
too old, or something along these lines?

Thanks,
Ludo’.


* Re: pypi import certs issues
  2018-03-19 16:52 ` Ludovic Courtès
@ 2018-03-19 17:48   ` ng0
  2018-03-20 16:33     ` Ludovic Courtès
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2018-03-19 17:48 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Ludovic Courtès transcribed 2.7K bytes:
> Hello,
> 
> ng0 <ng0@n0.is> skribis:
> 
> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >
> > user@abyayala ~$ guix package -l | grep "nss-certs"
> > user@abyayala ~$ env | grep "SSL_"
> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> > user@abyayala ~$ guix import pypi readline
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> > Backtrace:
> >           11 (apply-smob/1 #<catch-closure 24703a0>)
> >           In ice-9/boot-9.scm:
> >               705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
> >               In ice-9/eval.scm:
> >                   619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
> >                   In guix/ui.scm:
> >                     1501:12  8 (run-guix-command _ . _)
> >                     In guix/scripts/import.scm:
> >                        114:11  7 (guix-import . _)
> >                        In guix/scripts/import/pypi.scm:
> >                            84:19  6 (guix-import-pypi . _)
> >                            In guix/import/pypi.scm:
> >                               274:17  5 (pypi->guix-package _)
> >                               In ice-9/boot-9.scm:
> >                                   829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/json…> …)
> >                                   In guix/import/json.scm:
> >                                       32:17  3 (_)
> >                                       In guix/http-client.scm:
> >                                           88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> >                                           In guix/build/download.scm:
> >                                               398:4  1 (open-connection-for-uri _ #:timeout _ # _)
> >                                                   296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)
> >
> > guix/build/download.scm:296:6: In procedure tls-wrap:
> > X.509 certificate of 'pypi.python.org' could not be verified:
> >   insecure-algorithm
> >     signer-not-found
> >       invalid
> 
> I don’t see that.  Could it be that the certs you have in /etc/ssl are
> too old, or something along these lines?

But how? The system I have is built from the same commit (+ my 4 irrelevant, not SSL touching
packages on top of it). So nss-certs is system-wide, as it has always been, and that's what is
used for our /etc/ssl/certs/

> Thanks,
> Ludo’.
> 
> 

Thanks,
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is


* Re: pypi import certs issues
  2018-03-19 17:48   ` ng0
@ 2018-03-20 16:33     ` Ludovic Courtès
  2018-03-20 17:45       ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2018-03-20 16:33 UTC (permalink / raw)
  To: guix-devel

ng0 <ng0@n0.is> skribis:

> Ludovic Courtès transcribed 2.7K bytes:
>> Hello,
>> 
>> ng0 <ng0@n0.is> skribis:
>> 
>> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>> >
>> > user@abyayala ~$ guix package -l | grep "nss-certs"
>> > user@abyayala ~$ env | grep "SSL_"
>> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs

[...]

>> > guix/build/download.scm:296:6: In procedure tls-wrap:
>> > X.509 certificate of 'pypi.python.org' could not be verified:
>> >   insecure-algorithm
>> >     signer-not-found
>> >       invalid
>> 
>> I don’t see that.  Could it be that the certs you have in /etc/ssl are
>> too old, or something along these lines?

What if you do:

  export SSL_CERT_DIR=/etc/ssl/certs

?

Ludo’.


* Re: pypi import certs issues
  2018-03-20 16:33     ` Ludovic Courtès
@ 2018-03-20 17:45       ` ng0
  2018-03-21 23:03         ` Ricardo Wurmus
  0 siblings, 1 reply; 10+ messages in thread
From: ng0 @ 2018-03-20 17:45 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Ludovic Courtès transcribed 911 bytes:
> ng0 <ng0@n0.is> skribis:
> 
> > Ludovic Courtès transcribed 2.7K bytes:
> >> Hello,
> >> 
> >> ng0 <ng0@n0.is> skribis:
> >> 
> >> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >> >
> >> > user@abyayala ~$ guix package -l | grep "nss-certs"
> >> > user@abyayala ~$ env | grep "SSL_"
> >> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> 
> [...]
> 
> >> > guix/build/download.scm:296:6: In procedure tls-wrap:
> >> > X.509 certificate of 'pypi.python.org' could not be verified:
> >> >   insecure-algorithm
> >> >     signer-not-found
> >> >       invalid
> >> 
> >> I don’t see that.  Could it be that the certs you have in /etc/ssl are
> >> too old, or something along these lines?
> 
> What if you do:
> 
>   export SSL_CERT_DIR=/etc/ssl/certs
> 
> ?
> 
> Ludo’.

Okay, that worked. So why is the .guix-profile/etc/ssl/certs
not updated? I don't even have nss-certs in my user profile, it is
global. Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
empty? I assume it is just for user-space (space=profile in my
line of thought here) certificates which are not global?

Thanks
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is


* Re: pypi import certs issues
  2018-03-20 17:45       ` ng0
@ 2018-03-21 23:03         ` Ricardo Wurmus
  2018-03-22  1:14           ` Mark H Weaver
  2018-03-22  8:11           ` ng0
  0 siblings, 2 replies; 10+ messages in thread
From: Ricardo Wurmus @ 2018-03-21 23:03 UTC (permalink / raw)
  To: ng0; +Cc: guix-devel


ng0 <ng0@n0.is> writes:

> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> empty? I assume it is just for user-space (space=profile in my
> line of thought here) certificates which are not global?

Which of the packages in your profile provides this directory?  What
does “readlink” tell you?

-- 
Ricardo


* Re: pypi import certs issues
  2018-03-21 23:03         ` Ricardo Wurmus
@ 2018-03-22  1:14           ` Mark H Weaver
  2018-03-22  1:27             ` Mark H Weaver
  2018-03-22  8:11           ` ng0
  1 sibling, 1 reply; 10+ messages in thread
From: Mark H Weaver @ 2018-03-22  1:14 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel, ng0

Ricardo Wurmus <rekado@elephly.net> writes:

> ng0 <ng0@n0.is> writes:
>
>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>> empty? I assume it is just for user-space (space=profile in my
>> line of thought here) certificates which are not global?

Yes, that's right.

> Which of the packages in your profile provides this directory?  What
> does “readlink” tell you?

The directory is created by the 'ca-certificate-bundle' profile hook in
(guix profiles), whose purpose is to create a single-file certificate
bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
certs from all of the certificate packages included in the profile.

     Mark


* Re: pypi import certs issues
  2018-03-22  1:14           ` Mark H Weaver
@ 2018-03-22  1:27             ` Mark H Weaver
  2018-03-22  8:14               ` ng0
  0 siblings, 1 reply; 10+ messages in thread
From: Mark H Weaver @ 2018-03-22  1:27 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel, ng0

Mark H Weaver <mhw@netris.org> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> ng0 <ng0@n0.is> writes:
>>
>>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>>> empty? I assume it is just for user-space (space=profile in my
>>> line of thought here) certificates which are not global?
>
> Yes, that's right.
>
>> Which of the packages in your profile provides this directory?  What
>> does “readlink” tell you?
>
> The directory is created by the 'ca-certificate-bundle' profile hook in
> (guix profiles), whose purpose is to create a single-file certificate
> bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> certs from all of the certificate packages included in the profile.

Hmm, although it looks like that profile hook shouldn't ever create the
etc/ssl/certs directory without also creating the ca-certificates.crt
file within it.  In this case I guess some other package must have
created that directory, so I'm also curious to see the output of the
following commands:

  readlink ~/.guix-profile/etc
  readlink ~/.guix-profile/etc/ssl
  readlink ~/.guix-profile/etc/ssl/certs

      Mark


* Re: pypi import certs issues
  2018-03-21 23:03         ` Ricardo Wurmus
  2018-03-22  1:14           ` Mark H Weaver
@ 2018-03-22  8:11           ` ng0
  1 sibling, 0 replies; 10+ messages in thread
From: ng0 @ 2018-03-22  8:11 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel, ng0

Ricardo Wurmus transcribed 341 bytes:
> 
> ng0 <ng0@n0.is> writes:
> 
> > Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> > empty? I assume it is just for user-space (space=profile in my
> > line of thought here) certificates which are not global?
> 
> Which of the packages in your profile provides this directory?  What
> does “readlink” tell you?

Surprisingly it returns an empty result, which is why I asked :)
Even the files in the directory above (~/.guix-profile/etc/ssl/) are
empty results.

> 
> -- 
> Ricardo
> 
> 

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is


* Re: pypi import certs issues
  2018-03-22  1:27             ` Mark H Weaver
@ 2018-03-22  8:14               ` ng0
  0 siblings, 0 replies; 10+ messages in thread
From: ng0 @ 2018-03-22  8:14 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel, ng0

Mark H Weaver transcribed 1.1K bytes:
> Mark H Weaver <mhw@netris.org> writes:
> 
> > Ricardo Wurmus <rekado@elephly.net> writes:
> >
> >> ng0 <ng0@n0.is> writes:
> >>
> >>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> >>> empty? I assume it is just for user-space (space=profile in my
> >>> line of thought here) certificates which are not global?
> >
> > Yes, that's right.
> >
> >> Which of the packages in your profile provides this directory?  What
> >> does “readlink” tell you?
> >
> > The directory is created by the 'ca-certificate-bundle' profile hook in
> > (guix profiles), whose purpose is to create a single-file certificate
> > bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> > certs from all of the certificate packages included in the profile.
> 
> Hmm, although it looks like that profile hook shouldn't ever create the
> etc/ssl/certs directory without also creating the ca-certificates.crt
> file within it.  In this case I guess some other package must have
> created that directory, so I'm also curious to see the output of the
> following commands:
> 
>   readlink ~/.guix-profile/etc
>   readlink ~/.guix-profile/etc/ssl
>   readlink ~/.guix-profile/etc/ssl/certs
> 
>       Mark

Ah, this is where my custom global profile seems to come in to blame:

user@abyayala ~$ readlink ~/.guix-profile/etc
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl
/gnu/store/bfrpbapb440fkqb7n389xry596i73jml-libressl-2.6.4/etc/ssl
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl/certs
user@abyayala ~$ 

Although you should be able to install libressl and use openssl generated data.
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
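
The checks asked for in this thread (what each SSL_CERT_DIR entry resolves to, and whether it holds any certificates) combined into one script. This is an added example, not part of any message above and not Guix code; the names audit_cert_dirs and demo_thread_layout and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Guix code: report what each entry of a
# colon-separated certificate directory list really points at.

# audit_cert_dirs LIST
# Prints one line per entry: "<status> <count> <entry> -> <resolved>"
#   ok      directory with at least one certificate-like file
#   empty   directory exists but holds no certificate-like file
#   missing entry does not resolve to a directory
audit_cert_dirs() {
    _list=$1
    _old_ifs=$IFS
    IFS=:
    set -f                          # split on ':' only, no globbing
    set -- $_list
    set +f
    IFS=$_old_ifs
    for _entry in "$@"; do
        [ -n "$_entry" ] || continue
        # pwd -P resolves every symlink on the path, which shows the
        # package that actually provides the directory.
        _real=$(CDPATH= cd -- "$_entry" 2>/dev/null && pwd -P) || _real=
        if [ -z "$_real" ]; then
            echo "missing 0 $_entry -> ?"
            continue
        fi
        _count=0
        for _f in "$_real"/*; do
            case $_f in
                # bundles, single certificates, OpenSSL hash links (xxxxxxxx.0)
                *.crt|*.pem|*.[0-9])
                    if [ -f "$_f" ]; then _count=$((_count + 1)); fi ;;
            esac
        done
        if [ "$_count" -gt 0 ]; then _status=ok; else _status=empty; fi
        echo "$_status $_count $_entry -> $_real"
    done
}

# Constructed layout mirroring the thread: the profile's etc/ssl is a
# symlink into a package that ships an empty certs directory, while
# the system directory holds the bundle (an empty placeholder here).
demo_thread_layout() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/store/libressl/etc/ssl/certs" "$_t/profile/etc" "$_t/system/certs"
    ln -s "$_t/store/libressl/etc/ssl" "$_t/profile/etc/ssl"
    : > "$_t/system/certs/ca-certificates.crt"
    audit_cert_dirs "$_t/profile/etc/ssl/certs:$_t/system/certs:$_t/absent"
    rm -rf "$_t"
}

demo_thread_layout
```

On a real system, call it as audit_cert_dirs "$SSL_CERT_DIR"; files are counted by name only, so an "ok" entry still needs its contents checked for freshness.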
