From: Maxim Cournoyer
To: Konrad Hinsen
Subject: Re: Certificates in pure and containerized environments
References: <20211003164510.ebwlm6u24a2bgao4@wzguix> <87ilyb4bcn.fsf@gmail.com>
Date: Mon, 11 Oct 2021 11:05:24 -0400
In-Reply-To: (Konrad Hinsen's message of "Fri, 08 Oct 2021 10:47:33 +0200")
Message-ID: <871r4r1u17.fsf@gmail.com>
Cc: help-guix@gnu.org
Hello Konrad,

Konrad Hinsen writes:

> Hi Maxim,
>
>> The key thing here is whether the certs are required by OpenSSL vs
>> GnuTLS. The former honors SSL_CERT_DIR, while the latter does not (I
> ...
>
>> I hope that helps!
>
> Thanks, that certainly helps to understand the issues.
>
> My preferred approach would be to manage all certificates as Guix
> packages, and not have any environment variables. That would be the
> opposite of your proposal to make GnuTLS honor SSL_CERT_DIRS. It's
> always a mess to have multiple uncoordinated environment managers.

I agree that managing certs with Guix has many benefits, and having
GnuTLS honor an SSL_CERTS_DIRS environment variable would enable that.
Remember that installing nss-certs or your certs of choice package to a
profile is not enough to have them discovered; something such as an
environment variable and a search path specification is also necessary.

Currently, even if you package your certs with Guix, if you install them
to a profile GnuTLS wouldn't know to use them unless you make them
available from /etc/ssl/certs/.

I hope that clarifies things.

Thanks,

Maxim
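The OpenSSL-versus-GnuTLS discovery split described in this exchange, turned into a small diagnostic for a Guix profile. This is an added example, not code from the thread or from Guix; it assumes the certs package installs its bundle at `$profile/etc/ssl/certs/ca-certificates.crt`, that OpenSSL-based programs consult `SSL_CERT_DIR`, and that GnuTLS-based programs only read the system store (`/etc/ssl/certs` by default), with the directories passed as parameters so the check can also be run against scratch directories.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix). Diagnoses whether the
# certificates installed in a Guix profile will be found by OpenSSL-based and
# by GnuTLS-based programs, following the distinction drawn in the thread.
# Assumptions: the certs package (e.g. nss-certs) places its bundle at
# $profile/etc/ssl/certs/ca-certificates.crt; OpenSSL honors SSL_CERT_DIR;
# GnuTLS ignores that variable and reads only the system directory.

# cert_status PROFILE SYSTEM_CERT_DIR VALUE_OF_SSL_CERT_DIR
# Return codes: 0 both libraries find the certs, 1 OpenSSL only,
#               2 OpenSSL-based programs will not (variable unset or wrong),
#               3 the profile holds no certificate bundle at all.
cert_status() {
    profile=$1; sysdir=$2; envdir=$3
    bundle="$profile/etc/ssl/certs/ca-certificates.crt"
    if [ ! -f "$bundle" ]; then
        echo "no bundle in $profile: install nss-certs (or your own certs package) into it"
        return 3
    fi
    openssl_ok=no; gnutls_ok=no
    # OpenSSL: SSL_CERT_DIR must be set and point at a directory holding the bundle.
    if [ -n "$envdir" ] && [ -f "$envdir/ca-certificates.crt" ]; then
        openssl_ok=yes
    fi
    # GnuTLS: the variable is irrelevant; only the system store counts.
    if [ -f "$sysdir/ca-certificates.crt" ]; then
        gnutls_ok=yes
    fi
    echo "OpenSSL programs find certs: $openssl_ok (SSL_CERT_DIR='${envdir:-unset}')"
    echo "GnuTLS programs find certs:  $gnutls_ok (system store: $sysdir)"
    case "$openssl_ok$gnutls_ok" in
        yesyes) return 0 ;;
        yesno)  echo "hint: GnuTLS needs the bundle under $sysdir"; return 1 ;;
        *)      echo "hint: export SSL_CERT_DIR=$profile/etc/ssl/certs for OpenSSL"; return 2 ;;
    esac
}

# When run as a script with a profile path, check the real system:
#   sh cert-status.sh ~/.guix-profile
if [ $# -gt 0 ]; then
    cert_status "$1" /etc/ssl/certs "${SSL_CERT_DIR:-}"
fi
```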