Re: `guix pull` over HTTPS

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: Marius Bakke <mbakke@fastmail.com>
To: "Leo Famulari" <leo@famulari.name>, "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 15:59:42 +0100	[thread overview]
Message-ID: <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (raw)
In-Reply-To: <20170228054616.GA28504@jasmine>

[-- Attachment #1: Type: text/plain, Size: 4187 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
>> Marius Bakke <mbakke@fastmail.com> skribis:
>> > I think having a separate 'le-certs' package that can verify the Lets
>> > Encrypt chain sounds like the easiest option. Presumably new
>> > intermediates etc will be known well in advance.
>> 
>> That sounds more reasonable to me.  Do you know what it would take to
>> get the whole LE chain in such a package?  Would you like to give it a
>> try?
>
> I tried it. The next intermediate (also called the "backup") is already
> known.
>
> I've made it available here:
>
> https://github.com/lfam/le-certs
>
> You can try it out:
>
> $ echo | openssl s_client -CAfile /tmp/le-certs/le-certs.pem -CApath /tmp/le-certs -connect git.savannah.gnu.org:443
>
> Your feedback is requested!

Wow, this is cool!

$ SSL_CERT_FILE="" SSL_CERT_DIR=""  guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz                                                        
Starting download of /tmp/guix-file.7U65Ts
From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz...
ERROR: X.509 certificate of 'git.savannah.gnu.org' could not be verified:
  signer-not-found
  invalid

SSL_CERT_FILE="" SSL_CERT_DIR="/tmp/le-certs/"  guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Starting download of /tmp/guix-file.wOblWP
From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz...
 ….tar.gz                                   1.0MiB/s 00:11 | 11.1MiB transferred
unpacking '/gnu/store/p0gbr83a4g9qlk59vvxkw8gvrv1z8cnw-guix-latest.tar.gz'...

For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
for `guix download`, but having just the one file in SSL_CERT_DIR does.
That's good enough for me! Could you make this into a Guix package? 

I wonder what happens if we simply switch %snapshot-url to HTTPS in
`guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
configured? I think it would be sufficient to mention in the manual to
install one of "nss-certs" or "le-certs" before running `guix pull` for
the first time. How does that sound?

These certs are valid until at least 2020, so using a Guix release
snapshot of this package should work for a long time.

Some other tests:

$ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /dev/null
* Rebuilt URL to: https://nrk.no/
*   Trying 160.68.205.231...
* TCP_NODELAY set
* Connected to nrk.no (160.68.205.231) port 443 (#0)
* found 10 certificates in /tmp/le-certs/le-certs.pem
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /tmp/le-certs/le-certs.pem CRLfile: none
* Closing connection 0

$ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > /dev/null
* Rebuilt URL to: https://gnu.org/
*   Trying 208.118.235.148...
* TCP_NODELAY set
* Connected to gnu.org (208.118.235.148) port 443 (#0)
* found 10 certificates in /tmp/le-certs/le-certs.pem
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: gnu.org (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=gnu.org
*        start date: Wed, 15 Feb 2017 10:01:00 GMT
*        expire date: Tue, 16 May 2017 10:01:00 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL

$ GIT_SSL_CAINFO="" git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
Cloning into 'guix'...
fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Problem with the SSL CA cert(path? access rights?)

$ GIT_SSL_CAINFO=/tmp/le-certs/le-certs.pem git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
Cloning into 'guix'...
remote: Counting objects: 1409, done.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

next prev parent reply	other threads:[~2017-02-28 14:59 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-09 15:55 `guix pull` over HTTPS Leo Famulari
2017-02-10  0:30 ` Leo Famulari
2017-02-10 15:33   ` Ludovic Courtès
2017-02-10 16:22     ` Marius Bakke
2017-02-10 22:21       ` Ludovic Courtès
2017-02-10 22:43         ` Marius Bakke
2017-02-10 22:52           ` ng0
2017-02-11 14:28           ` Ludovic Courtès
2017-02-11 19:25             ` Leo Famulari
2017-02-11 19:48               ` Ricardo Wurmus
2017-02-12 13:36                 ` Ludovic Courtès
2017-02-28  5:46             ` Leo Famulari
2017-02-28 14:59               ` Marius Bakke [this message]
2017-02-28 16:29                 ` Leo Famulari
2017-02-28 16:45                   ` Marius Bakke
2017-02-28 20:44                     ` Marius Bakke
2017-02-28 21:44                       ` Marius Bakke
2017-02-28 21:54                         ` Marius Bakke
2017-03-01  2:36                           ` Marius Bakke
2017-03-01  5:14                             ` Leo Famulari
2017-03-01 21:20                               ` [PATCH v3] pull: Default to HTTPS Marius Bakke
2017-03-01 22:07                                 ` Leo Famulari
2017-03-01 21:21                               ` `guix pull` over HTTPS Marius Bakke
2017-03-06 10:04                               ` Ludovic Courtès
2017-03-06 10:06                         ` Ludovic Courtès
2017-03-06 12:27                           ` Marius Bakke
2017-02-28 23:05                   ` Marius Bakke
2017-03-01  0:19                     ` Leo Famulari
2017-02-28 16:39                 ` [PATCH] pull: Use HTTPS by default Marius Bakke
2017-03-01  1:01                   ` Leo Famulari
2017-02-10 18:55   ` `guix pull` over HTTPS Christopher Allan Webber
2017-02-10 15:29 ` Ludovic Courtès
2017-02-13 21:23 ` Bob Proulx

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me \
    --to=mbakke@fastmail.com \
    --cc=guix-devel@gnu.org \
    --cc=leo@famulari.name \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).