pypi import certs issues

pypi import certs issues

[ng0]

Hi,

on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:

user@abyayala ~$ guix package -l | grep "nss-certs"
user@abyayala ~$ env | grep "SSL_"
GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
user@abyayala ~$ guix import pypi readline
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
Backtrace:
          11 (apply-smob/1 #<catch-closure 24703a0>)
          In ice-9/boot-9.scm:
              705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handleb&>)
              In ice-9/eval.scm:
                  619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
                  In guix/ui.scm:
                    1501:12  8 (run-guix-command _ . _)
                    In guix/scripts/import.scm:
                       114:11  7 (guix-import . _)
                       In guix/scripts/import/pypi.scm:
                           84:19  6 (guix-import-pypi . _)
                           In guix/import/pypi.scm:
                              274:17  5 (pypi->guix-package _)
                              In ice-9/boot-9.scm:
                                  829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/jsonb&> b&)
                                  In guix/import/json.scm:
                                      32:17  3 (_)
                                      In guix/http-client.scm:
                                          88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # b&)
                                          In guix/build/download.scm:
                                              398:4  1 (open-connection-for-uri _ #:timeout _ # _)
                                                  296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)

guix/build/download.scm:296:6: In procedure tls-wrap:
X.509 certificate of 'pypi.python.org' could not be verified:
  insecure-algorithm
    signer-not-found
      invalid

user@abyayala ~$ ^C
user@abyayala ~$ cat src/systems/old_systems/guixsd/workstations/abyayala/config.scm | grep "nss-certs"
                                                  "nss-certs" ;certs
                                                  

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[Ludovic Courtès]

Hello,

ng0 <ng0@n0.is> skribis:

> on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>
> user@abyayala ~$ guix package -l | grep "nss-certs"
> user@abyayala ~$ env | grep "SSL_"
> GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> user@abyayala ~$ guix import pypi readline
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> Backtrace:
>           11 (apply-smob/1 #<catch-closure 24703a0>)
>           In ice-9/boot-9.scm:
>               705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handleb&>)
>               In ice-9/eval.scm:
>                   619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
>                   In guix/ui.scm:
>                     1501:12  8 (run-guix-command _ . _)
>                     In guix/scripts/import.scm:
>                        114:11  7 (guix-import . _)
>                        In guix/scripts/import/pypi.scm:
>                            84:19  6 (guix-import-pypi . _)
>                            In guix/import/pypi.scm:
>                               274:17  5 (pypi->guix-package _)
>                               In ice-9/boot-9.scm:
>                                   829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/jsonb&> b&)
>                                   In guix/import/json.scm:
>                                       32:17  3 (_)
>                                       In guix/http-client.scm:
>                                           88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # b&)
>                                           In guix/build/download.scm:
>                                               398:4  1 (open-connection-for-uri _ #:timeout _ # _)
>                                                   296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)
>
> guix/build/download.scm:296:6: In procedure tls-wrap:
> X.509 certificate of 'pypi.python.org' could not be verified:
>   insecure-algorithm
>     signer-not-found
>       invalid

I don’t see that.  Could it be that the certs you have in /etc/ssl are
too old, or something along these lines?

Thanks,
Ludo’.

Re: pypi import certs issues

[ng0]

Ludovic Courtès transcribed 2.7K bytes:
> Hello,
> 
> ng0 <ng0@n0.is> skribis:
> 
> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >
> > user@abyayala ~$ guix package -l | grep "nss-certs"
> > user@abyayala ~$ env | grep "SSL_"
> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> > user@abyayala ~$ guix import pypi readline
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> > Backtrace:
> >           11 (apply-smob/1 #<catch-closure 24703a0>)
> >           In ice-9/boot-9.scm:
> >               705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handleb&>)
> >               In ice-9/eval.scm:
> >                   619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
> >                   In guix/ui.scm:
> >                     1501:12  8 (run-guix-command _ . _)
> >                     In guix/scripts/import.scm:
> >                        114:11  7 (guix-import . _)
> >                        In guix/scripts/import/pypi.scm:
> >                            84:19  6 (guix-import-pypi . _)
> >                            In guix/import/pypi.scm:
> >                               274:17  5 (pypi->guix-package _)
> >                               In ice-9/boot-9.scm:
> >                                   829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/jsonb&> b&)
> >                                   In guix/import/json.scm:
> >                                       32:17  3 (_)
> >                                       In guix/http-client.scm:
> >                                           88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # b&)
> >                                           In guix/build/download.scm:
> >                                               398:4  1 (open-connection-for-uri _ #:timeout _ # _)
> >                                                   296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)
> >
> > guix/build/download.scm:296:6: In procedure tls-wrap:
> > X.509 certificate of 'pypi.python.org' could not be verified:
> >   insecure-algorithm
> >     signer-not-found
> >       invalid
> 
> I don’t see that.  Could it be that the certs you have in /etc/ssl are
> too old, or something along these lines?

But how? The system I have is build from the same commit (+ my 4 irrelevant, not SSL touching
packages on top of it). So nss-certs is system-wide, as it has always been, and that's what
used for our /etc/ssl/certs/

> Thanks,
> Ludo’.
> 
> 

Thanks,
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[Ludovic Courtès]

ng0 <ng0@n0.is> skribis:

> Ludovic Courtès transcribed 2.7K bytes:
>> Hello,
>> 
>> ng0 <ng0@n0.is> skribis:
>> 
>> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>> >
>> > user@abyayala ~$ guix package -l | grep "nss-certs"
>> > user@abyayala ~$ env | grep "SSL_"
>> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs

[...]

>> > guix/build/download.scm:296:6: In procedure tls-wrap:
>> > X.509 certificate of 'pypi.python.org' could not be verified:
>> >   insecure-algorithm
>> >     signer-not-found
>> >       invalid
>> 
>> I don’t see that.  Could it be that the certs you have in /etc/ssl are
>> too old, or something along these lines?

What if you do:

  export SSL_CERT_DIR=/etc/ssl/certs

?

Ludo’.

Re: pypi import certs issues

[ng0]

Ludovic Courtès transcribed 911 bytes:
> ng0 <ng0@n0.is> skribis:
> 
> > Ludovic Courtès transcribed 2.7K bytes:
> >> Hello,
> >> 
> >> ng0 <ng0@n0.is> skribis:
> >> 
> >> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >> >
> >> > user@abyayala ~$ guix package -l | grep "nss-certs"
> >> > user@abyayala ~$ env | grep "SSL_"
> >> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> 
> [...]
> 
> >> > guix/build/download.scm:296:6: In procedure tls-wrap:
> >> > X.509 certificate of 'pypi.python.org' could not be verified:
> >> >   insecure-algorithm
> >> >     signer-not-found
> >> >       invalid
> >> 
> >> I don’t see that.  Could it be that the certs you have in /etc/ssl are
> >> too old, or something along these lines?
> 
> What if you do:
> 
>   export SSL_CERT_DIR=/etc/ssl/certs
> 
> ?
> 
> Ludo’.

Okay, that worked. So why is the .guix-profile/etc/ssl/certs
not updated? I don't even have nss-certs in my user profile, it is
global. Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
empty? I assume it is just for user-space (space=profile in my
line of thought here) certificates which are not global?

Thanks
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[Ricardo Wurmus]

ng0 <ng0@n0.is> writes:

> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> empty? I assume it is just for user-space (space=profile in my
> line of thought here) certificates which are not global?

Which of the packages in your profile provides this directory?  What
does “readlink” tell you?

-- 
Ricardo

Re: pypi import certs issues

[Mark H Weaver]

Ricardo Wurmus <rekado@elephly.net> writes:

> ng0 <ng0@n0.is> writes:
>
>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>> empty? I assume it is just for user-space (space=profile in my
>> line of thought here) certificates which are not global?

Yes, that's right.

> Which of the packages in your profile provides this directory?  What
> does “readlink” tell you?

The directory is created by the 'ca-certificate-bundle' profile hook in
(guix profiles), whose purpose is to create a single-file certificate
bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
certs from all of the certificate packages included in the profile.

     Mark

Re: pypi import certs issues

[Mark H Weaver]

Mark H Weaver <mhw@netris.org> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> ng0 <ng0@n0.is> writes:
>>
>>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>>> empty? I assume it is just for user-space (space=profile in my
>>> line of thought here) certificates which are not global?
>
> Yes, that's right.
>
>> Which of the packages in your profile provides this directory?  What
>> does “readlink” tell you?
>
> The directory is created by the 'ca-certificate-bundle' profile hook in
> (guix profiles), whose purpose is to create a single-file certificate
> bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> certs from all of the certificate packages included in the profile.

Hmm, although it looks like that profile hook shouldn't ever create the
etc/ssl/crts directory without also creating the ca-certificates.crt
file within it.  In this case I guess some other package must have
created that directory, so I'm also curious to see the output of the
following commands:

  readlink ~/.guix-profile/etc
  readlink ~/.guix-profile/etc/ssl
  readlink ~/.guix-profile/etc/ssl/certs

      Mark

Re: pypi import certs issues

[ng0]

Ricardo Wurmus transcribed 341 bytes:
> 
> ng0 <ng0@n0.is> writes:
> 
> > Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> > empty? I assume it is just for user-space (space=profile in my
> > line of thought here) certificates which are not global?
> 
> Which of the packages in your profile provides this directory?  What
> does “readlink” tell you?

Surprisingly it returns an empty result, which is why I asked :)
Even the files in the directory above (~/.guix-profile/etc/ssl/) are
empty results.

> 
> -- 
> Ricardo
> 
> 

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[ng0]

Mark H Weaver transcribed 1.1K bytes:
> Mark H Weaver <mhw@netris.org> writes:
> 
> > Ricardo Wurmus <rekado@elephly.net> writes:
> >
> >> ng0 <ng0@n0.is> writes:
> >>
> >>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> >>> empty? I assume it is just for user-space (space=profile in my
> >>> line of thought here) certificates which are not global?
> >
> > Yes, that's right.
> >
> >> Which of the packages in your profile provides this directory?  What
> >> does “readlink” tell you?
> >
> > The directory is created by the 'ca-certificate-bundle' profile hook in
> > (guix profiles), whose purpose is to create a single-file certificate
> > bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> > certs from all of the certificate packages included in the profile.
> 
> Hmm, although it looks like that profile hook shouldn't ever create the
> etc/ssl/crts directory without also creating the ca-certificates.crt
> file within it.  In this case I guess some other package must have
> created that directory, so I'm also curious to see the output of the
> following commands:
> 
>   readlink ~/.guix-profile/etc
>   readlink ~/.guix-profile/etc/ssl
>   readlink ~/.guix-profile/etc/ssl/certs
> 
>       Mark

Ah, this is where my custom global profile seems to come in to blame:

user@abyayala ~$ readlink ~/.guix-profile/etc
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl
/gnu/store/bfrpbapb440fkqb7n389xry596i73jml-libressl-2.6.4/etc/ssl
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl/certs
user@abyayala ~$ 

Although you should be able to install libressl and use openssl generated data.
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is