* rust:cargo (libcurl) vs. CURL_CA_BUNDLE
@ 2019-08-15 23:14 David Loyall
2019-09-01 10:58 ` Ludovic Courtès
0 siblings, 1 reply; 4+ messages in thread
From: David Loyall @ 2019-08-15 23:14 UTC (permalink / raw)
To: help-guix
Hello.
I think the way `cargo` uses `libcurl` is preventing it from looking
in the `CURL_CA_BUNDLE` environment variable to find where the
certificate authority file is.
Here we see what `cargo` I am using:
sebboh@geeks ~/projects$ cargo -V
cargo 1.36.0
Here we see the contents of one of my environment variables:
sebboh@geeks ~/projects$ echo $CURL_CA_BUNDLE
/home/sebboh/.guix-profile/etc/ssl/certs/ca-certificates.crt
Here we try to use `cargo` for a common task:
sebboh@geeks ~/projects$ cargo install rustfmt-nightly
Updating crates.io index
error: failed to download from
`https://crates.io/api/v1/crates/rustfmt-nightly/1.4.5/download`
Caused by:
[60] SSL peer certificate or SSH remote key was not OK (server
certificate verification failed. CAfile: none CRLfile: none)
Here we see that `curl` itself (from `guix install curl`) works fine
(some lines omitted for brevity).
sebboh@geeks ~/projects$ curl -v
https://crates.io/api/v1/crates/pkg-config/0.0.1/download
* Trying 34.202.125.55:443...
* TCP_NODELAY set
* Connected to crates.io (34.202.125.55) port 443 (#0)
* found 153 certificates in
/home/sebboh/.guix-profile/etc/ssl/certs/ca-certificates.crt
[...]
< HTTP/1.1 302 Found
[...]
* Connection #0 to host crates.io left intact
Now what? :)
Please note that I freshly installed `rust:cargo` and did not modify
anything, so maybe our guix package should be updated so it works out
of box. (Granted I think the TOFU principle for CA certs might be
better but, I guess that is not the topic today.)
Thanks, cheers,
--sebboh
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: rust:cargo (libcurl) vs. CURL_CA_BUNDLE
2019-08-15 23:14 rust:cargo (libcurl) vs. CURL_CA_BUNDLE David Loyall
@ 2019-09-01 10:58 ` Ludovic Courtès
2019-09-04 0:16 ` David Loyall
0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2019-09-01 10:58 UTC (permalink / raw)
To: David Loyall; +Cc: help-guix
Hello David,
David Loyall <david@the-good-guys.net> skribis:
> I think the way `cargo` uses `libcurl` is preventing it from looking
> in the `CURL_CA_BUNDLE` environment variable to find where the
> certificate authority file is.
>
> Here we see what `cargo` I am using:
>
> sebboh@geeks ~/projects$ cargo -V
> cargo 1.36.0
>
> Here we see the contents of one of my environment variables:
>
> sebboh@geeks ~/projects$ echo $CURL_CA_BUNDLE
> /home/sebboh/.guix-profile/etc/ssl/certs/ca-certificates.crt
>
> Here we try to use `cargo` for a common task:
>
> sebboh@geeks ~/projects$ cargo install rustfmt-nightly
> Updating crates.io index
> error: failed to download from
> `https://crates.io/api/v1/crates/rustfmt-nightly/1.4.5/download`
>
> Caused by:
> [60] SSL peer certificate or SSH remote key was not OK (server
> certificate verification failed. CAfile: none CRLfile: none)
This was discussed recently on IRC:
http://logs.guix.gnu.org/guix/2019-08-29.log#102010
Unfortunately we didn’t reach a conclusion.
My guess was that perhaps cargo honors a different environment
variable—i.e., not ‘SSL_CERT_FILE’, ‘SSL_CERT_DIR’, nor
‘CURL_CA_BUNDLE’. The ‘ltrace -e getenv’ trick I gave might give us
clues about relevant environment variables.
Could you give it a try?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: rust:cargo (libcurl) vs. CURL_CA_BUNDLE
2019-09-01 10:58 ` Ludovic Courtès
@ 2019-09-04 0:16 ` David Loyall
2019-09-24 22:22 ` Robin Heinemann
0 siblings, 1 reply; 4+ messages in thread
From: David Loyall @ 2019-09-04 0:16 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: help-guix
> This was discussed recently on IRC:
> http://logs.guix.gnu.org/guix/2019-08-29.log#102010
> Unfortunately we didn’t reach a conclusion.
Ok, thank you. Unfortunately that user's pastebins expired so I was
not able to compare with my own `ltrace` output.
> The ‘ltrace -e getenv’ trick I gave might give us
> clues about relevant environment variables.
Ok, let's see:
sebboh@geeks ~$ ltrace -e getenv cargo -vv install rustfmt-nightly
libcrypto.so.1.0.0->getenv("SSL_CERT_FILE")
=
"/home/sebboh/.guix-profile/etc/s"...
libcrypto.so.1.0.0->getenv("SSL_CERT_DIR")
=
"/home/sebboh/.guix-profile/etc/s"...
Updating crates.io index
libcurl.so.4->getenv("no_proxy")
= nil
libcurl.so.4->getenv("NO_PROXY")
= nil
libcurl.so.4->getenv("https_proxy")
= nil
libcurl.so.4->getenv("HTTPS_PROXY")
= nil
libcurl.so.4->getenv("all_proxy")
= nil
libcurl.so.4->getenv("ALL_PROXY")
= nil
libcurl.so.4->getenv("no_proxy")
= nil
libcurl.so.4->getenv("NO_PROXY")
= nil
libcurl.so.4->getenv("http_proxy")
= nil
libcurl.so.4->getenv("all_proxy")
= nil
libcurl.so.4->getenv("ALL_PROXY")
= nil
libcrypto.so.1.0.0->getenv("OPENSSL_ALLOW_PROXY_CERTS")
= nil
libcurl.so.4->getenv("no_proxy")
= nil
libcurl.so.4->getenv("NO_PROXY")
= nil
libcurl.so.4->getenv("http_proxy")
= nil
libcurl.so.4->getenv("all_proxy")
= nil
libcurl.so.4->getenv("ALL_PROXY")
= nil
libcrypto.so.1.0.0->getenv("OPENSSL_ALLOW_PROXY_CERTS")
= nil
libcurl.so.4->getenv("no_proxy")
= nil
libcurl.so.4->getenv("NO_PROXY")
= nil
libcurl.so.4->getenv("http_proxy")
= nil
libcurl.so.4->getenv("all_proxy")
= nil
libcurl.so.4->getenv("ALL_PROXY")
= nil
libcrypto.so.1.0.0->getenv("OPENSSL_ALLOW_PROXY_CERTS")
= nil
libcurl.so.4->getenv("no_proxy")
= nil
libcurl.so.4->getenv("NO_PROXY")
= nil
libcurl.so.4->getenv("https_proxy")
= nil
libcurl.so.4->getenv("HTTPS_PROXY")
= nil
libcurl.so.4->getenv("all_proxy")
= nil
libcurl.so.4->getenv("ALL_PROXY")
= nil
error: failed to download from
`https://crates.io/api/v1/crates/rustfmt-nightly/1.4.6/download`
Caused by:
[60] SSL peer certificate or SSH remote key was not OK (server
certificate verification failed. CAfile: none CRLfile: none)
+++ exited (status 101) +++
I investigated this `OPENSSL_ALLOW_PROXY_CERTS` variable and I
concluded that I am not using any such cert--I believe in this case
libcurl checks an environment variable but would not act on the
result? Anyway, I don't use a proxy. (I just confirmed crates.io is
not on the blacklist at work.)
Well, I'm not sure what to check next. I can tell you that the values
of SSL_CERT_FILE and SSL_CERT_DIR seem to be correct (even though the
ltrace output truncates them).
Cheers, thanks,
--sebboh
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: rust:cargo (libcurl) vs. CURL_CA_BUNDLE
2019-09-04 0:16 ` David Loyall
@ 2019-09-24 22:22 ` Robin Heinemann
0 siblings, 0 replies; 4+ messages in thread
From: Robin Heinemann @ 2019-09-24 22:22 UTC (permalink / raw)
To: David Loyall, Ludovic Courtès; +Cc: help-guix
Hi,
following nix (https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/compilers/rust/cargo.nix)
the right environment variable seems to be CARGO_HTTP_CAINFO
setting that to $SSL_CERT_FILE makes cargo work for me.
Cheers,
Robin
David Loyall <david@the-good-guys.net> writes:
>> This was discussed recently on IRC:
>> http://logs.guix.gnu.org/guix/2019-08-29.log#102010
>> Unfortunately we didn’t reach a conclusion.
>
> Ok, thank you. Unfortunately that user's pastebins expired so I was
> not able to compare with my own `ltrace` output.
>
>> The ‘ltrace -e getenv’ trick I gave might give us
>> clues about relevant environment variables.
>
> Ok, let's see:
>
> sebboh@geeks ~$ ltrace -e getenv cargo -vv install rustfmt-nightly
> libcrypto.so.1.0.0->getenv("SSL_CERT_FILE")
> =
> "/home/sebboh/.guix-profile/etc/s"...
> libcrypto.so.1.0.0->getenv("SSL_CERT_DIR")
> =
> "/home/sebboh/.guix-profile/etc/s"...
> Updating crates.io index
> libcurl.so.4->getenv("no_proxy")
> = nil
> libcurl.so.4->getenv("NO_PROXY")
> = nil
> libcurl.so.4->getenv("https_proxy")
> = nil
> libcurl.so.4->getenv("HTTPS_PROXY")
> = nil
> libcurl.so.4->getenv("all_proxy")
> = nil
> libcurl.so.4->getenv("ALL_PROXY")
> = nil
> libcurl.so.4->getenv("no_proxy")
> = nil
> libcurl.so.4->getenv("NO_PROXY")
> = nil
> libcurl.so.4->getenv("http_proxy")
> = nil
> libcurl.so.4->getenv("all_proxy")
> = nil
> libcurl.so.4->getenv("ALL_PROXY")
> = nil
> libcrypto.so.1.0.0->getenv("OPENSSL_ALLOW_PROXY_CERTS")
> = nil
> libcurl.so.4->getenv("no_proxy")
> = nil
> libcurl.so.4->getenv("NO_PROXY")
> = nil
> libcurl.so.4->getenv("http_proxy")
> = nil
> libcurl.so.4->getenv("all_proxy")
> = nil
> libcurl.so.4->getenv("ALL_PROXY")
> = nil
> libcrypto.so.1.0.0->getenv("OPENSSL_ALLOW_PROXY_CERTS")
> = nil
> libcurl.so.4->getenv("no_proxy")
> = nil
> libcurl.so.4->getenv("NO_PROXY")
> = nil
> libcurl.so.4->getenv("http_proxy")
> = nil
> libcurl.so.4->getenv("all_proxy")
> = nil
> libcurl.so.4->getenv("ALL_PROXY")
> = nil
> libcrypto.so.1.0.0->getenv("OPENSSL_ALLOW_PROXY_CERTS")
> = nil
> libcurl.so.4->getenv("no_proxy")
> = nil
> libcurl.so.4->getenv("NO_PROXY")
> = nil
> libcurl.so.4->getenv("https_proxy")
> = nil
> libcurl.so.4->getenv("HTTPS_PROXY")
> = nil
> libcurl.so.4->getenv("all_proxy")
> = nil
> libcurl.so.4->getenv("ALL_PROXY")
> = nil
> error: failed to download from
> `https://crates.io/api/v1/crates/rustfmt-nightly/1.4.6/download`
>
> Caused by:
> [60] SSL peer certificate or SSH remote key was not OK (server
> certificate verification failed. CAfile: none CRLfile: none)
> +++ exited (status 101) +++
>
> I investigated this `OPENSSL_ALLOW_PROXY_CERTS` variable and I
> concluded that I am not using any such cert--I believe in this case
> libcurl checks an environment variable but would not act on the
> result? Anyway, I don't use a proxy. (I just confirmed crates.io is
> not on the blacklist at work.)
>
> Well, I'm not sure what to check next. I can tell you that the values
> of SSL_CERT_FILE and SSL_CERT_DIR seem to be correct (even though the
> ltrace output truncates them).
>
> Cheers, thanks,
> --sebboh
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-09-24 22:55 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-08-15 23:14 rust:cargo (libcurl) vs. CURL_CA_BUNDLE David Loyall
2019-09-01 10:58 ` Ludovic Courtès
2019-09-04 0:16 ` David Loyall
2019-09-24 22:22 ` Robin Heinemann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).