From: Marius Bakke
To: Leo Famulari, guix-devel@gnu.org
Subject: Re: Help acme-client find its certificate store
Date: Wed, 14 Dec 2016 16:44:27 +0100
List-Id: "Development of GNU Guix and the GNU System distribution."

Leo Famulari writes:

> On Tue, Dec 13, 2016 at 05:15:05PM -0500, Leo Famulari wrote:
>> I'm successfully using this package with this change.
>>
>> I don't know if this is the "right way" to solve this. Your thoughts?
>
> To clarify, here is what happens on Debian Jessie without this change:
>
> $ acme-client -nN example.com
> acme-client: tls_config_set_ca_file: failed to open CA file '/etc/ssl/cert.pem': No such file or directory: No such file or directory
>
> And here are the upstream notes on this subject [0]:
>
> "You can also set DEFAULT_CA_FILE for the location of the certificate
> file loaded by libtls."
>
> https://github.com/kristapsdz/acme-client-portable/blob/master/README.md#configuration
>
>> + (let ((pem (string-append (assoc-ref inputs "libressl") >> + "/etc/ssl/cert.pem"))) >> + (substitute* "http.c" >> + (("/etc/ssl/cert.pem") pem))
>
> The upstream maintainer recommends setting this value in 'config.h', but
> it's only used in 'http.c', so I thought this solution would be a little
> easier to read.

LGTM. I did not know libressl maintains their own root trust.
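
Review bot: the `(assoc-ref inputs "libressl")` path in the `let` makes acme-client trust only the cert.pem bundle inside the libressl store item, and the hunk carries no comment saying so. Please add a comment above the `let` explaining that http.c hardcodes "/etc/ssl/cert.pem" and that the CA set therefore comes from libressl's bundle and changes only when that input is updated, so a later reader does not expect the system certificate store to apply. Minor: the `substitute*` pattern is a regular expression, so the unescaped `.` in "/etc/ssl/cert.pem" matches any character; escaping it keeps the match exact.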