From: Marius Bakke
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 15:59:42 +0100
To: Leo Famulari, Ludovic Courtès
Cc: guix-devel@gnu.org
Message-ID: <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <20170228054616.GA28504@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."

Leo Famulari writes:

> On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote:
>> Marius Bakke wrote:
>> > I think having a separate 'le-certs' package that can verify the Let's
>> > Encrypt chain sounds like the easiest option. Presumably new
>> > intermediates etc. will be known well in advance.
>>
>> That sounds more reasonable to me. Do you know what it would take to
>> get the whole LE chain in such a package? Would you like to give it a
>> try?
>
> I tried it.
> The next intermediate (also called the "backup") is already
> known.
>
> I've made it available here:
>
> https://github.com/lfam/le-certs
>
> You can try it out:
>
> $ echo | openssl s_client -CAfile /tmp/le-certs/le-certs.pem -CApath /tmp/le-certs -connect git.savannah.gnu.org:443
>
> Your feedback is requested!

Wow, this is cool!

$ SSL_CERT_FILE="" SSL_CERT_DIR="" guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Starting download of /tmp/guix-file.7U65Ts
From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz...
ERROR: X.509 certificate of 'git.savannah.gnu.org' could not be verified:
  signer-not-found
  invalid

$ SSL_CERT_FILE="" SSL_CERT_DIR="/tmp/le-certs/" guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz
Starting download of /tmp/guix-file.wOblWP
From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz...
 ….tar.gz                                  1.0MiB/s 00:11 | 11.1MiB transferred
unpacking '/gnu/store/p0gbr83a4g9qlk59vvxkw8gvrv1z8cnw-guix-latest.tar.gz'...

For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work for
`guix download`, but having just the one file in SSL_CERT_DIR does.

That's good enough for me! Could you make this into a Guix package?

I wonder what happens if we simply switch %snapshot-url to HTTPS in
`guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
configured? I think it would be sufficient to mention in the manual to
install one of "nss-certs" or "le-certs" before running `guix pull` for
the first time. How does that sound?

These certs are valid until at least 2020, so using a Guix release
snapshot of this package should work for a long time.
Some other tests:

$ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /dev/null
* Rebuilt URL to: https://nrk.no/
*   Trying 160.68.205.231...
* TCP_NODELAY set
* Connected to nrk.no (160.68.205.231) port 443 (#0)
* found 10 certificates in /tmp/le-certs/le-certs.pem
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /tmp/le-certs/le-certs.pem CRLfile: none
* Closing connection 0

$ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > /dev/null
* Rebuilt URL to: https://gnu.org/
*   Trying 208.118.235.148...
* TCP_NODELAY set
* Connected to gnu.org (208.118.235.148) port 443 (#0)
* found 10 certificates in /tmp/le-certs/le-certs.pem
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: gnu.org (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=gnu.org
* start date: Wed, 15 Feb 2017 10:01:00 GMT
* expire date: Tue, 16 May 2017 10:01:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL

$ GIT_SSL_CAINFO="" git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
Cloning into 'guix'...
fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Problem with the SSL CA cert (path? access rights?)

$ GIT_SSL_CAINFO=/tmp/le-certs/le-certs.pem git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
Cloning into 'guix'...
remote: Counting objects: 1409, done.
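Added example (the editor's own, not code from the thread, from Guix or from the lfam/le-certs repository): a self-contained check of the two trust-store shapes the thread passes around, a single PEM bundle and a directory of certificates. It builds a throwaway root, intermediate and server certificate with openssl, concatenates root and intermediate into one PEM the way le-certs.pem does, and verifies the leaf with -CAfile and with -CApath. With OpenSSL the directory form only works once it holds subject-hash links (what c_rehash or `openssl rehash` creates); a PEM merely copied into the directory is ignored, and with no trust store at all the leaf fails the same way the SSL_CERT_FILE="" SSL_CERT_DIR="" run above does. Whether that is what is behind the SSL_CERT_FILE/SSL_CERT_DIR difference seen with `guix download` is not settled in the thread. The CA names, the host name git.example.test and the 30-day lifetimes are invented, and openssl 1.1.0 or newer is assumed for -no-CAfile/-no-CApath.

```shell
#!/bin/sh
# Added example, not code from the thread, from Guix or from lfam/le-certs.
# Builds a throwaway root -> intermediate -> leaf chain, bundles root and
# intermediate into one PEM (the shape of le-certs.pem) and verifies the
# leaf against that bundle as a file (-CAfile) and as a directory (-CApath).
# Names, the host git.example.test and the 30-day lifetimes are invented.
# Assumes openssl >= 1.1.0 (for -no-CAfile / -no-CApath).
set -eu

# Create root.pem, inter.pem, leaf.pem, bundle.pem and certs.d/ under $1.
make_chain() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:git.example.test
EOF
    # Self-signed root: the trust anchor the bundle has to carry.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test Root" -config "$dir/ext.cnf" \
        -extensions v3_ca -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate signed by the root (the "Let's Encrypt Authority X3" role).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Test Intermediate" -config "$dir/ext.cnf" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions v3_ca -out "$dir/inter.pem" 2>/dev/null
    # Server certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=git.example.test" -config "$dir/ext.cnf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null
    # Every CA the client should trust, in one PEM, as le-certs.pem does.
    cat "$dir/root.pem" "$dir/inter.pem" > "$dir/bundle.pem"
    # A directory holding the same bundle under a plain, unhashed name.
    mkdir -p "$dir/certs.d"
    cp "$dir/bundle.pem" "$dir/certs.d/"
}

# Add the <subject-hash>.0 links OpenSSL's -CApath lookup needs (what
# c_rehash / `openssl rehash` would create for the directory).
hash_dir() {
    dir=$1
    for c in root.pem inter.pem; do
        h=$(openssl x509 -in "$dir/$c" -noout -subject_hash)
        ln -sf "../$c" "$dir/certs.d/$h.0"
    done
}

# Print OK or FAIL for `openssl verify` with the given options; the system
# store is excluded so only what we pass in counts.
verify_with() {
    if openssl verify -no-CAfile -no-CApath "$@" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

work=$(mktemp -d)
make_chain "$work"
echo "bundle as -CAfile, hostname checked: $(verify_with -CAfile "$work/bundle.pem" -verify_hostname git.example.test "$work/leaf.pem")"
echo "bundle copied into -CApath dir:      $(verify_with -CApath "$work/certs.d" "$work/leaf.pem")"
hash_dir "$work"
echo "-CApath dir after hashing:           $(verify_with -CApath "$work/certs.d" "$work/leaf.pem")"
echo "no trust store at all:               $(verify_with "$work/leaf.pem")"
rm -rf "$work"
```

Run as a script it prints OK, FAIL, OK, FAIL for the four cases. The nrk.no result above is the property worth keeping in mind for a bundle like le-certs.pem: a client given only the Let's Encrypt chain rejects any server issued by another CA, which is a much smaller trust set than the full nss-certs store, but the bundle then has to be refreshed before the intermediates it pins are rotated or expire, which is why the "backup" intermediate Leo mentions matters.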