* pypi import certs issues
From: ng0 @ 2018-03-19 13:24 UTC (permalink / raw)
To: guix-devel
Hi,
on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
user@abyayala ~$ guix package -l | grep "nss-certs"
user@abyayala ~$ env | grep "SSL_"
GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
user@abyayala ~$ guix import pypi readline
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;; newer than compiled /home/user/.config/guix/latest/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;; newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;; newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
Backtrace:
11 (apply-smob/1 #<catch-closure 24703a0>)
In ice-9/boot-9.scm:
705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
619:8 9 (_ #(#(#<directory (guile-user) 2526140>)))
In guix/ui.scm:
1501:12 8 (run-guix-command _ . _)
In guix/scripts/import.scm:
114:11 7 (guix-import . _)
In guix/scripts/import/pypi.scm:
84:19 6 (guix-import-pypi . _)
In guix/import/pypi.scm:
274:17 5 (pypi->guix-package _)
In ice-9/boot-9.scm:
829:9 4 (catch srfi-34 #<procedure 2db97e0 at guix/import/json…> …)
In guix/import/json.scm:
32:17 3 (_)
In guix/http-client.scm:
88:25 2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
In guix/build/download.scm:
398:4 1 (open-connection-for-uri _ #:timeout _ # _)
296:6 0 (tls-wrap #<closed: file 292ee00> _ # _)
guix/build/download.scm:296:6: In procedure tls-wrap:
X.509 certificate of 'pypi.python.org' could not be verified:
insecure-algorithm
signer-not-found
invalid
user@abyayala ~$ ^C
user@abyayala ~$ cat src/systems/old_systems/guixsd/workstations/abyayala/config.scm | grep "nss-certs"
"nss-certs" ;certs
--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
* Re: pypi import certs issues
From: Ludovic Courtès @ 2018-03-19 16:52 UTC (permalink / raw)
To: guix-devel
Hello,
ng0 <ng0@n0.is> skribis:
> on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>
> user@abyayala ~$ guix package -l | grep "nss-certs"
> user@abyayala ~$ env | grep "SSL_"
> GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> user@abyayala ~$ guix import pypi readline
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;; newer than compiled /home/user/.config/guix/latest/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;; newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;; newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> Backtrace:
> 11 (apply-smob/1 #<catch-closure 24703a0>)
> In ice-9/boot-9.scm:
> 705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
> In ice-9/eval.scm:
> 619:8 9 (_ #(#(#<directory (guile-user) 2526140>)))
> In guix/ui.scm:
> 1501:12 8 (run-guix-command _ . _)
> In guix/scripts/import.scm:
> 114:11 7 (guix-import . _)
> In guix/scripts/import/pypi.scm:
> 84:19 6 (guix-import-pypi . _)
> In guix/import/pypi.scm:
> 274:17 5 (pypi->guix-package _)
> In ice-9/boot-9.scm:
> 829:9 4 (catch srfi-34 #<procedure 2db97e0 at guix/import/json…> …)
> In guix/import/json.scm:
> 32:17 3 (_)
> In guix/http-client.scm:
> 88:25 2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> In guix/build/download.scm:
> 398:4 1 (open-connection-for-uri _ #:timeout _ # _)
> 296:6 0 (tls-wrap #<closed: file 292ee00> _ # _)
>
> guix/build/download.scm:296:6: In procedure tls-wrap:
> X.509 certificate of 'pypi.python.org' could not be verified:
> insecure-algorithm
> signer-not-found
> invalid
I don’t see that. Could it be that the certs you have in /etc/ssl are
too old, or something along these lines?
Thanks,
Ludo’.
* Re: pypi import certs issues
From: ng0 @ 2018-03-19 17:48 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Ludovic Courtès transcribed 2.7K bytes:
> Hello,
>
> ng0 <ng0@n0.is> skribis:
>
> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >
> > user@abyayala ~$ guix package -l | grep "nss-certs"
> > user@abyayala ~$ env | grep "SSL_"
> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> > user@abyayala ~$ guix import pypi readline
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;; newer than compiled /home/user/.config/guix/latest/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;; newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;; newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> > Backtrace:
> > 11 (apply-smob/1 #<catch-closure 24703a0>)
> > In ice-9/boot-9.scm:
> > 705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
> > In ice-9/eval.scm:
> > 619:8 9 (_ #(#(#<directory (guile-user) 2526140>)))
> > In guix/ui.scm:
> > 1501:12 8 (run-guix-command _ . _)
> > In guix/scripts/import.scm:
> > 114:11 7 (guix-import . _)
> > In guix/scripts/import/pypi.scm:
> > 84:19 6 (guix-import-pypi . _)
> > In guix/import/pypi.scm:
> > 274:17 5 (pypi->guix-package _)
> > In ice-9/boot-9.scm:
> > 829:9 4 (catch srfi-34 #<procedure 2db97e0 at guix/import/json…> …)
> > In guix/import/json.scm:
> > 32:17 3 (_)
> > In guix/http-client.scm:
> > 88:25 2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> > In guix/build/download.scm:
> > 398:4 1 (open-connection-for-uri _ #:timeout _ # _)
> > 296:6 0 (tls-wrap #<closed: file 292ee00> _ # _)
> >
> > guix/build/download.scm:296:6: In procedure tls-wrap:
> > X.509 certificate of 'pypi.python.org' could not be verified:
> > insecure-algorithm
> > signer-not-found
> > invalid
>
> I don’t see that. Could it be that the certs you have in /etc/ssl are
> too old, or something along these lines?
But how? The system I have is built from the same commit (+ my 4 irrelevant, not SSL touching
packages on top of it). So nss-certs is system-wide, as it has always been, and that's what is
used for our /etc/ssl/certs/
> Thanks,
> Ludo’.
>
>
Thanks,
--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
* Re: pypi import certs issues
From: Ludovic Courtès @ 2018-03-20 16:33 UTC (permalink / raw)
To: guix-devel
ng0 <ng0@n0.is> skribis:
> Ludovic Courtès transcribed 2.7K bytes:
>> Hello,
>>
>> ng0 <ng0@n0.is> skribis:
>>
>> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>> >
>> > user@abyayala ~$ guix package -l | grep "nss-certs"
>> > user@abyayala ~$ env | grep "SSL_"
>> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
[...]
>> > guix/build/download.scm:296:6: In procedure tls-wrap:
>> > X.509 certificate of 'pypi.python.org' could not be verified:
>> > insecure-algorithm
>> > signer-not-found
>> > invalid
>>
>> I don’t see that. Could it be that the certs you have in /etc/ssl are
>> too old, or something along these lines?
What if you do:
export SSL_CERT_DIR=/etc/ssl/certs
?
Ludo’.
* Re: pypi import certs issues
From: ng0 @ 2018-03-20 17:45 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Ludovic Courtès transcribed 911 bytes:
> ng0 <ng0@n0.is> skribis:
>
> > Ludovic Courtès transcribed 2.7K bytes:
> >> Hello,
> >>
> >> ng0 <ng0@n0.is> skribis:
> >>
> >> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >> >
> >> > user@abyayala ~$ guix package -l | grep "nss-certs"
> >> > user@abyayala ~$ env | grep "SSL_"
> >> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
>
> [...]
>
> >> > guix/build/download.scm:296:6: In procedure tls-wrap:
> >> > X.509 certificate of 'pypi.python.org' could not be verified:
> >> > insecure-algorithm
> >> > signer-not-found
> >> > invalid
> >>
> >> I don’t see that. Could it be that the certs you have in /etc/ssl are
> >> too old, or something along these lines?
>
> What if you do:
>
> export SSL_CERT_DIR=/etc/ssl/certs
>
> ?
>
> Ludo’.
Okay, that worked. So why is the .guix-profile/etc/ssl/certs
not updated? I don't even have nss-certs in my user profile, it is
global. Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
empty? I assume it is just for user-space (space=profile in my
line of thought here) certificates which are not global?
Thanks
--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
* Re: pypi import certs issues
From: Ricardo Wurmus @ 2018-03-21 23:03 UTC (permalink / raw)
To: ng0; +Cc: guix-devel
ng0 <ng0@n0.is> writes:
> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> empty? I assume it is just for user-space (space=profile in my
> line of thought here) certificates which are not global?
Which of the packages in your profile provides this directory? What
does “readlink” tell you?
--
Ricardo
* Re: pypi import certs issues
From: Mark H Weaver @ 2018-03-22 1:14 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel, ng0
Ricardo Wurmus <rekado@elephly.net> writes:
> ng0 <ng0@n0.is> writes:
>
>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>> empty? I assume it is just for user-space (space=profile in my
>> line of thought here) certificates which are not global?
Yes, that's right.
> Which of the packages in your profile provides this directory? What
> does “readlink” tell you?
The directory is created by the 'ca-certificate-bundle' profile hook in
(guix profiles), whose purpose is to create a single-file certificate
bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
certs from all of the certificate packages included in the profile.
Mark
* Re: pypi import certs issues
From: Mark H Weaver @ 2018-03-22 1:27 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel, ng0
Mark H Weaver <mhw@netris.org> writes:
> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> ng0 <ng0@n0.is> writes:
>>
>>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>>> empty? I assume it is just for user-space (space=profile in my
>>> line of thought here) certificates which are not global?
>
> Yes, that's right.
>
>> Which of the packages in your profile provides this directory? What
>> does “readlink” tell you?
>
> The directory is created by the 'ca-certificate-bundle' profile hook in
> (guix profiles), whose purpose is to create a single-file certificate
> bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> certs from all of the certificate packages included in the profile.
Hmm, although it looks like that profile hook shouldn't ever create the
etc/ssl/certs directory without also creating the ca-certificates.crt
file within it. In this case I guess some other package must have
created that directory, so I'm also curious to see the output of the
following commands:
readlink ~/.guix-profile/etc
readlink ~/.guix-profile/etc/ssl
readlink ~/.guix-profile/etc/ssl/certs
Mark
* Re: pypi import certs issues
From: ng0 @ 2018-03-22 8:11 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: guix-devel, ng0
Ricardo Wurmus transcribed 341 bytes:
>
> ng0 <ng0@n0.is> writes:
>
> > Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> > empty? I assume it is just for user-space (space=profile in my
> > line of thought here) certificates which are not global?
>
> Which of the packages in your profile provides this directory? What
> does “readlink” tell you?
Surprisingly it returns an empty result, which is why I asked :)
Even the files in the directory above (~/.guix-profile/etc/ssl/) are
empty results.
>
> --
> Ricardo
>
>
--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
* Re: pypi import certs issues
From: ng0 @ 2018-03-22 8:14 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel, ng0
Mark H Weaver transcribed 1.1K bytes:
> Mark H Weaver <mhw@netris.org> writes:
>
> > Ricardo Wurmus <rekado@elephly.net> writes:
> >
> >> ng0 <ng0@n0.is> writes:
> >>
> >>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> >>> empty? I assume it is just for user-space (space=profile in my
> >>> line of thought here) certificates which are not global?
> >
> > Yes, that's right.
> >
> >> Which of the packages in your profile provides this directory? What
> >> does “readlink” tell you?
> >
> > The directory is created by the 'ca-certificate-bundle' profile hook in
> > (guix profiles), whose purpose is to create a single-file certificate
> > bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> > certs from all of the certificate packages included in the profile.
>
> Hmm, although it looks like that profile hook shouldn't ever create the
> etc/ssl/certs directory without also creating the ca-certificates.crt
> file within it. In this case I guess some other package must have
> created that directory, so I'm also curious to see the output of the
> following commands:
>
> readlink ~/.guix-profile/etc
> readlink ~/.guix-profile/etc/ssl
> readlink ~/.guix-profile/etc/ssl/certs
>
> Mark
Ah, this is where my custom global profile seems to come in to blame:
user@abyayala ~$ readlink ~/.guix-profile/etc
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl
/gnu/store/bfrpbapb440fkqb7n389xry596i73jml-libressl-2.6.4/etc/ssl
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl/certs
user@abyayala ~$
Although you should be able to install libressl and use openssl generated data.
--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
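
The check this thread arrives at by hand (which SSL_CERT_DIR entry exists, where it resolves to, and whether it holds any certificates), written out as an added example; it is not code from any poster or from Guix. It assumes a colon-separated value and certificate files named *.pem, *.crt or <hash>.<digit>; the demo directories are constructed.

```shell
#!/bin/sh
# Added example: audit each entry of a colon-separated SSL_CERT_DIR value.
# Assumption: certificates are files named *.pem, *.crt or <hash>.<digit>.

count_certs() {
    # Count certificate-looking entries in directory $1 (symlinks included).
    n=0
    for f in "$1"/*.pem "$1"/*.crt "$1"/*.[0-9]; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

audit_cert_dirs() {
    # $1: colon-separated directory list, as found in SSL_CERT_DIR.
    # Prints one line per entry: STATUS<TAB>entry<TAB>resolved-target
    # Returns 0 only if every entry holds at least one certificate.
    rc=0
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    set -- $1
    set +f
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        target=$(readlink -f "$dir" 2>/dev/null) || target=
        if [ ! -d "$dir" ]; then
            status=MISSING; rc=1
        elif [ "$(count_certs "$dir")" -eq 0 ]; then
            status=EMPTY; rc=1   # the case reported for ~/.guix-profile/etc/ssl/certs
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$dir" "${target:-?}"
    done
    return $rc
}

# Constructed demo: an empty "profile" directory listed before a populated one.
demo=$(mktemp -d)
mkdir -p "$demo/profile/etc/ssl/certs" "$demo/system/etc/ssl/certs"
: > "$demo/system/etc/ssl/certs/example-root.pem"
audit_cert_dirs "$demo/profile/etc/ssl/certs:$demo/system/etc/ssl/certs" \
    || echo "at least one SSL_CERT_DIR entry is unusable"
rm -rf "$demo"
```

On a real system, call it as `audit_cert_dirs "$SSL_CERT_DIR"`; the third column shows the store path an entry resolves to, which is what the `readlink` commands in the thread were after.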