From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marius Bakke Subject: Re: `guix pull` over HTTPS Date: Wed, 01 Mar 2017 00:05:57 +0100 Message-ID: <87bmtl29wq.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine> <87fujmcb6w.fsf@gnu.org> <87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87inoh660r.fsf@gnu.org> <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine> <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170228162919.GA10253@jasmine> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:43798) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ciqqL-0005Hu-MW for guix-devel@gnu.org; Tue, 28 Feb 2017 18:06:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ciqqI-0007V0-C1 for guix-devel@gnu.org; Tue, 28 Feb 2017 18:06:05 -0500 In-Reply-To: <20170228162919.GA10253@jasmine> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Leo Famulari writes: > On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote: >> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work >> for `guix download`, but having just the one file in SSL_CERT_DIR does. >> That's good enough for me! Could you make this into a Guix package?=20 > > I plan to make a package once these issues are resolved: > > 1) Which "trust path" should we use? The one using ISRG (the "native" > Let's Encrypt root certificate authority), or the one that is > cross-signed by IdenTrust? Or should we keep it as-is, where both are > included? This is my first time creating a custom set of certificates, > so I don't know all the issues. > > They recommend that server operators used the cross-signed trust chain > because the ISRG trust chain is not yet widely deployed in web browsers, > but that's not an issue for this use case. The ISRG trust chain is supported by NSS since 3.26[0] and Firefox 50. [0] https://bugzilla.mozilla.org/show_bug.cgi?id=3D1204656 As long as the ISRG chain works with all software in Guix, I don't see a reason to include the IdenTrust root and intermediates. I think we should not include the retired intermediate certificates however. This tiny chain works for all cases I've tried: cat isrgrootx1.pem letsencryptauthorityx3.pem letsencryptauthorityx4.pem > = le-certs.pem > 2) I'd like at least two other Guix developers to try recreating the > repository "from scratch", and to send signed email to this thread > saying that they were able to successfully recreate this custom > certificate store. I downloaded each certificate independently and ran the provided 'sed' command and ended up with the same SHA256 hashes, which are: 139a5e4a4e0fa505378c72c5f700934ce8333f4e6b1b508886c4b0eb14f4be99 dstrootx3= .pem 3e6cf961c196c63a39bd99e5e34ff42c83669e3d7bcc2e4a0f9c7c7df40d0d7e isrgrootx= 1.pem 3acb088b1372351a29c23ba51d28442a22e810224f8d009d8e026c470f463d74 le-certs.= pem f8a8316dcc1f813774e7d7e2f85d7069d8b387c98a81b6073ef9f415be62410e letsencry= ptauthorityx1.pem 3f67c48667781f7a7221320ee5b76c353aa4e0f4b2ed24a8a41113e6638f9724 letsencry= ptauthorityx2.pem 735a28bd5d93161769dd3a5d1d6337f24d1f2662cfe355930c1cffc38cac6a7d letsencry= ptauthorityx3.pem 04f703429322d699af9e4d47e558cb696378fa20073700c9309263c448626d00 letsencry= ptauthorityx4.pem 6c0a324bb803e9d66b8986ea2085bb9d6bdfe33f5c04a03a3f7024f4aa8e7a2d lets-encr= ypt-x1-cross-signed.pem b5791649cc21518a9757d7e1809bc47c5e60edc45c9dddaaf6c060cbe03bcb1d lets-encr= ypt-x2-cross-signed.pem e446c5e9dbef9d09ac9f7027c034602492437a05ff6c40011d7235fca639c79a lets-encr= ypt-x3-cross-signed.pem f524491d9c2966c01ecec75c7803c7169ff46bc5cfd44c396d418cd7053d8015 lets-encr= ypt-x4-cross-signed.pem --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAli2AlYACgkQoqBt8qM6 VPoOfQf9HfoJaIjWHOHucJPMcOOfZrZTOp6gGt3Di27GvcG/QTpBTjduhdldbPBv DiuCD4Uvceb5yAkQlSrBqNHK6mstEVN/nE8rJochJ8cXqzO+bO4eNA1Buf7Vzghm n+Sa9ltcXDAJOypnAHAs3Q6ArDqvWlGd9pQG98+Or/yAk4I4iZg1ekWp4WVzCCGb yQmDKAlcPQQQJBIBpUJBnj857+1xOxdqhZJEEkYHGF4aPvdSWBjgnPo3N/LkqqMH t47IHIcF2nAJ8q0AqYVKHabGb9k/g3+0X18KG1qFxKb3uVLTxqU9spE5lnLigjhm Ug2PC6+2nl5LU3hYtU3pSJf4+KDAYA== =sje6 -----END PGP SIGNATURE----- --=-=-=--