* root certificate @ 2018-06-11 13:24 Divan Santana 2018-06-11 16:59 ` Joshua Branson 2018-06-13 21:25 ` Mark H Weaver 0 siblings, 2 replies; 11+ messages in thread From: Divan Santana @ 2018-06-11 13:24 UTC (permalink / raw) To: help-guix Hi Guix :) How does one import a root certificate for GuixSD? I didn't see it in the manual. (Hopefully I didn't miss it. I need to read up on using info within Emacs better.) -- Divan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-11 13:24 root certificate Divan Santana @ 2018-06-11 16:59 ` Joshua Branson 2018-06-11 17:38 ` myglc2 2018-06-12 7:04 ` Divan Santana 2018-06-13 21:25 ` Mark H Weaver 1 sibling, 2 replies; 11+ messages in thread From: Joshua Branson @ 2018-06-11 16:59 UTC (permalink / raw) To: help-guix Divan Santana <divan@santanas.co.za> writes: > Hi Guix :) > > How does one import a root certificate for GuixSD? This probably isn't helpful, but what is a root certificate? > > I didn't see it in the manual. > > (Hopefully I didn't miss it. I need to read up on using info within Emacs > better.) > -- > Divan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-11 16:59 ` Joshua Branson @ 2018-06-11 17:38 ` myglc2 2018-06-12 7:10 ` Divan Santana 2018-06-12 7:04 ` Divan Santana 1 sibling, 1 reply; 11+ messages in thread From: myglc2 @ 2018-06-11 17:38 UTC (permalink / raw) To: Joshua Branson; +Cc: help-guix On 06/11/2018 at 12:59 Joshua Branson writes: > Divan Santana <divan@santanas.co.za> writes: > >> Hi Guix :) >> >> How does one import a root certificate for GuixSD? > > This probably isn't helpful, but what is a root certificate? > >> >> I didn't see it in the manual. >> >> (Hopefully I didn't miss it. I need to read up on using info within Emacs >> better.) >> -- >> Divan Hello Divan, If you want to a bundle of standard CA certificates install "nss-certs". It is probably already be installed as a system package since most of the example GuixSd configs include it. But I have encountered at least one situation where I needed to also install in as a user package, e.g. 'guix package -i nss-certs'. For details please see ... (guix) Application Setup ... or ... https://www.gnu.org/software/guix/manual/guix.html HTH - George ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-11 17:38 ` myglc2 @ 2018-06-12 7:10 ` Divan Santana 2018-06-12 9:29 ` Tonton 0 siblings, 1 reply; 11+ messages in thread From: Divan Santana @ 2018-06-12 7:10 UTC (permalink / raw) To: myglc2; +Cc: help-guix, Joshua Branson myglc2@gmail.com writes: > On 06/11/2018 at 12:59 Joshua Branson writes: > >> Divan Santana <divan@santanas.co.za> writes: >> >>> Hi Guix :) >>> >>> How does one import a root certificate for GuixSD? >> >> This probably isn't helpful, but what is a root certificate? >> >>> >>> I didn't see it in the manual. >>> >>> (Hopefully I didn't miss it. I need to read up on using info within Emacs >>> better.) >>> -- >>> Divan > > Hello Divan, > > If you want to a bundle of standard CA certificates install "nss-certs". > It is probably already be installed as a system package since most of > the example GuixSd configs include it. But I have encountered at least > one situation where I needed to also install in as a user package, > e.g. 'guix package -i nss-certs'. > > For details please see ... > > (guix) Application Setup > > ... or ... > > https://www.gnu.org/software/guix/manual/guix.html So in my case, I have a root CA certificate for our organisition and many internal sites have a certificate issued from this CA. I want to import this self signed root CA so all sites with certs issued by this org CA is trusted OS wide. To do this on Arch one can: #+begin_src sh wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://http://fqdn/pub/org-ca.crt trust extract-compat #+end_src Debian Family #+begin_src sh mkdir /usr/share/ca-certificates/extra wget -O /usr/share/ca-certificates/extra/fnb-ca.crt http://http://fqdn/pub/org-ca.crt dpkg-reconfigure ca-certificates #+end_src I was hoping one could do the above within the system manifest file config.scm ? Else perhaps we do: wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://http://fqdn/pub/org-ca.crt trust extract-compat Doing a command like this would make most of the apps(curl/wget/browser) on the system trust these sites. -- Divan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-12 7:10 ` Divan Santana @ 2018-06-12 9:29 ` Tonton 0 siblings, 0 replies; 11+ messages in thread From: Tonton @ 2018-06-12 9:29 UTC (permalink / raw) To: Divan Santana; +Cc: myglc2, help-guix, Joshua Branson [-- Attachment #1: Type: text/plain, Size: 916 bytes --] I would look at the nss-certs package and make a package definition using nss-certs as a template or even inheriting from it. I have now had a quick look at nss-certs and it is too complex for me to change without sitting down with it for a while. So I think I would then go on to use the simple build system or what it is called. Because what you need is basically copy a file to somewhere your browsers can see it? To learn those paths I'd still look at nss-certs. I see (let ((certsdir (string-append %output "/etc/ssl/certs/")) in there. That's probably your path. To use this definition with guix: put it in for example /home/username/guix-modules/certs.scm and then add this directory to your $GUIX_PACKAGE_PATH. I do the following in my .profile export GUIX_PACKAGE_PATH="$HOME/guix-modules:$GUIX_PACKAGE_PATH" I'm traveling and so might not respond quickly. HTH Tonton [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-11 16:59 ` Joshua Branson 2018-06-11 17:38 ` myglc2 @ 2018-06-12 7:04 ` Divan Santana 2018-06-13 4:52 ` Chris Marusich 1 sibling, 1 reply; 11+ messages in thread From: Divan Santana @ 2018-06-12 7:04 UTC (permalink / raw) To: Joshua Branson; +Cc: help-guix Joshua Branson <jbranso@fastmail.com> writes: > Divan Santana <divan@santanas.co.za> writes: > >> Hi Guix :) >> >> How does one import a root certificate for GuixSD? > > This probably isn't helpful, but what is a root certificate? https://en.wikipedia.org/wiki/Root_certificate In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA).[1] Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI). So in my case, I have a root CA certificate for our organisition and many internal sites have a certificate issued from this CA. >> I didn't see it in the manual. >> >> (Hopefully I didn't miss it. I need to read up on using info within Emacs >> better.) >> -- >> Divan -- Divan ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-12 7:04 ` Divan Santana @ 2018-06-13 4:52 ` Chris Marusich 0 siblings, 0 replies; 11+ messages in thread From: Chris Marusich @ 2018-06-13 4:52 UTC (permalink / raw) To: Divan Santana; +Cc: help-guix, Joshua Branson [-- Attachment #1: Type: text/plain, Size: 7020 bytes --] Hi Divan, Divan Santana <divan@santanas.co.za> writes: > Joshua Branson <jbranso@fastmail.com> writes: > >> Divan Santana <divan@santanas.co.za> writes: >> >>> Hi Guix :) >>> >>> How does one import a root certificate for GuixSD? >> >> This probably isn't helpful, but what is a root certificate? > > https://en.wikipedia.org/wiki/Root_certificate > > In cryptography and computer security, a root certificate is a public > key certificate that identifies a root certificate authority (CA).[1] > Root certificates are self-signed and form the basis of an X.509-based > public key infrastructure (PKI). > > So in my case, I have a root CA certificate for our organisition and > many internal sites have a certificate issued from this CA. I intended to write a blog post about this very subject for the Guix blog, but I haven't gotten around to it yet. In short, to do what you want, you can create package definitions like the following, and then add them to the "packages" field of your operating system declaration: --8<---------------cut here---------------start------------->8--- (define-module (my packages) #:use-module (guix packages) #:use-module (guix licenses) #:use-module (guix build-system trivial) #:use-module (guix gexp)) ;; This example aggregates many certificates from a local directory, but ;; the same principle could be used to aggregate certificates from, say, ;; a remote Git repository that your company maintains. (define-public my-ca-certificates (package (name "my-ca-certificates") (version "1") (source (local-file "/path/to/directory/containing/my/certs" #:recursive? #t)) (home-page "https://www.example.com") (license agpl3+) (build-system trivial-build-system) (arguments `(#:modules ((guix build utils)) #:builder (begin (use-modules (guix build utils) (srfi srfi-1) (srfi srfi-26) (ice-9 ftw)) (let* ((ca-certificates (assoc-ref %build-inputs "source")) (crt-suffix ".crt") (is-certificate? (cut string-suffix? crt-suffix <>)) (certificates (filter is-certificate? (scandir ca-certificates))) (out (assoc-ref %outputs "out")) (certificate-directory (string-append out "/etc/ssl/certs")) (openssl (string-append (assoc-ref %build-inputs "openssl") "/bin/openssl"))) (mkdir-p certificate-directory) ;; When this package is installed into a profile, any files in the ;; package output's etc/ssl/certs directory ending in ".pem" will ;; also be put into a ca-certificates.crt bundle. In the case of a ;; system profile, this bundle will be made available to the system ;; at activation time. See the profile hooks defined in (guix ;; profiles) and the etc-service-type define in (gnu services) for ;; details. (for-each ;; Ensure the certificate is in an appropriate format. (lambda (certificate) (invoke openssl "x509" "-in" (string-append ca-certificates "/" certificate) "-outform" "PEM" "-out" (string-append certificate-directory "/" (basename certificate crt-suffix) ".pem"))) certificates) #t)))) (inputs `(("openssl" ,openssl))) (synopsis "My certificate authority certificates") (description synopsis))) (define-public my-ca-certificate (package (name "my-ca-certificate") (version "1") ;; You might also be able to set the source to #f and just embed the ;; certificate directly into the builder below. (source (plain-file (string-append name ".pem") "\ -----BEGIN CERTIFICATE----- Put your cert here. -----END CERTIFICATE----- ")) (home-page "https://www.example.com") (license agpl3+) (build-system trivial-build-system) (arguments `(#:modules ((guix build utils)) #:builder (begin (use-modules (guix build utils)) (let* ((my-certificate (assoc-ref %build-inputs "source")) (out (assoc-ref %outputs "out")) (cert-dir (string-append out "/etc/ssl/certs"))) (mkdir-p cert-dir) (copy-file my-certificate (string-append cert-dir "/" ,name ".pem")) #t)))) (synopsis "My certificate authority certificate") (description synopsis))) --8<---------------cut here---------------end--------------->8--- When you add a package like the above to your operating system declaration's "packages" field and reconfigure your system, you will install the certificates system-wide. In GuixSD, when you build a new system generation, there is a profile hook that essentially collects all the certificates that you would find in the $PROFILE/etc/ssl/certs directory and bundles them up into the single $PROFILE/etc/ssl/certs/ca-certificates.crt file (here, $PROFILE refers to the system profile, i.e. the one that the /run/current-system/profile symlink points to). When it's done, you will have a copy of your certificate in an individual file at $PROFILE/etc/ssl/certs/your-cert.pem, and also in the bundle at $PROFILE/etc/ssl/certs/ca-certificates.crt. This is necessary because some software needs the bundle: https://lists.gnu.org/archive/html/guix-devel/2015-02/msg00429.html Anyway, to install your certificates system-wide, you "just" have to write a package definition that deposits your certificates in the $OUT/etc/ssl/certs directory (where $OUT is the output path of the package). I think the files containing the certificates also need to end in the suffix ".pem" in order for this specific profile hook to work. See the profile hook source code for details (in guix/profiles.scm). So, you can add your certificates. But it relies on the behavior of a profile hook that (I think) isn't yet discussed in the manual. It works, which is great, but I think it would be better if we provided a first-class way to configure this in the operating system declaration. Perhaps we need an "x509-certificates" service which one can extend with certificates, origins, or packages that build certificates. Finally, keep in mind that even if you add your certificate to the system like this, not all software will use it. For example, IceCat ignores the system certificates (because that's what Firefox does, and IceCat is a derivative of Firefox); instead, it maintains its own trust database. Java is similar. For many programs, though, adding certificates as above is sufficient. -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-11 13:24 root certificate Divan Santana 2018-06-11 16:59 ` Joshua Branson @ 2018-06-13 21:25 ` Mark H Weaver 2018-06-13 21:28 ` Mark H Weaver 2018-06-14 6:15 ` Chris Marusich 1 sibling, 2 replies; 11+ messages in thread From: Mark H Weaver @ 2018-06-13 21:25 UTC (permalink / raw) To: Divan Santana; +Cc: help-guix Hi Divan, Divan Santana <divan@santanas.co.za> writes: > How does one import a root certificate for GuixSD? > > I didn't see it in the manual. You didn't see it because we don't yet have a polished way to do this, unfortunately. The good news is that we've already laid the groundwork for supporting local certificate stores. Our 'le-certs' package in gnu/packages/certs.scm is a good template for making custom certificate packages, and can be easily adapted to your needs. For now, you could simply make a copy of the 'le-certs' package, but with a different package name and different certificate inputs. Something like this (untested): --8<---------------cut here---------------start------------->8--- (define-public my-root-cert (package (name "my-root-cert") (version "0") (source #f) (build-system trivial-build-system) (arguments '(#:modules ((guix build utils)) #:builder (begin (use-modules (guix build utils)) (let ((root (assoc-ref %build-inputs "my-root-cert.pem")) (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs")) (openssl (assoc-ref %build-inputs "openssl")) (perl (assoc-ref %build-inputs "perl"))) (mkdir-p out) (copy-file cert (string-append out "/" (strip-store-file-name cert))) ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and ;; similar.) (chdir (string-append %output "/etc/ssl/certs")) (invoke (string-append perl "/bin/perl") (string-append openssl "/bin/c_rehash") "."))))) (native-inputs `(("openssl" ,openssl) ("perl" ,perl))) ;for 'c_rehash' (inputs `(("my-root-cert.pem" ,(origin (method url-fetch) (uri "https://example.com/certs/my-root-cert.pem") (sha256 (base32 "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee")))))) (home-page "https://example.com/certs/my-root-cert.pem") (synopsis "My self-signed root certificate") (description "This package provides my self-signed root certificate.") (license license:public-domain))) --8<---------------cut here---------------end--------------->8--- and then you would need to add this package to the 'packages' field of your OS configuration, and reconfigure your system. However, it would be good to provide a way to more easily create custom certificate packages from a set of .pem files, perhaps by changing the above package definition into a procedure that accepts a list of root certificates and dynamically creates a certificate package. If you'd like to work on this, I'd be glad to discuss it further. Regards, Mark ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-13 21:25 ` Mark H Weaver @ 2018-06-13 21:28 ` Mark H Weaver 2018-06-14 6:15 ` Chris Marusich 1 sibling, 0 replies; 11+ messages in thread From: Mark H Weaver @ 2018-06-13 21:28 UTC (permalink / raw) To: Divan Santana; +Cc: help-guix Mark H Weaver <mhw@netris.org> writes: > Something like this (untested): > > (define-public my-root-cert > (package > (name "my-root-cert") > (version "0") > (source #f) > (build-system trivial-build-system) > (arguments > '(#:modules ((guix build utils)) > #:builder > (begin > (use-modules (guix build utils)) > (let ((root (assoc-ref %build-inputs "my-root-cert.pem")) Sorry, that 'root' in the line above should be 'cert'. Mark ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-13 21:25 ` Mark H Weaver 2018-06-13 21:28 ` Mark H Weaver @ 2018-06-14 6:15 ` Chris Marusich 2018-06-14 17:49 ` Mark H Weaver 1 sibling, 1 reply; 11+ messages in thread From: Chris Marusich @ 2018-06-14 6:15 UTC (permalink / raw) To: Mark H Weaver; +Cc: help-guix [-- Attachment #1: Type: text/plain, Size: 862 bytes --] Mark H Weaver <mhw@netris.org> writes: > ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and > ;; similar.) > (chdir (string-append %output "/etc/ssl/certs")) > (invoke (string-append perl "/bin/perl") > (string-append openssl "/bin/c_rehash") > "."))))) I didn't know about c_rehash until now. Interesting! In the past, I've defined my own certificate packages as described in my own separate replies to this thread, and they worked even though I didn't invoke c_rehash. Could this simply have been because the software I use happens to work even when the symlinks created by c_rehash don't exist? It looks like the ca-certificate-bundle profile hook (defined in guix/profiles.scm) doesn't currently invoke c_rehash. Should it? -- Chris [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: root certificate 2018-06-14 6:15 ` Chris Marusich @ 2018-06-14 17:49 ` Mark H Weaver 0 siblings, 0 replies; 11+ messages in thread From: Mark H Weaver @ 2018-06-14 17:49 UTC (permalink / raw) To: Chris Marusich; +Cc: help-guix Hi Chris, Chris Marusich <cmmarusich@gmail.com> writes: > Mark H Weaver <mhw@netris.org> writes: > >> ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and >> ;; similar.) >> (chdir (string-append %output "/etc/ssl/certs")) >> (invoke (string-append perl "/bin/perl") >> (string-append openssl "/bin/c_rehash") >> "."))))) > > I didn't know about c_rehash until now. Interesting! In the past, I've > defined my own certificate packages as described in my own separate > replies to this thread, and they worked even though I didn't invoke > c_rehash. Could this simply have been because the software I use > happens to work even when the symlinks created by c_rehash don't exist? According to the c_rehash man page, "many programs that use OpenSSL require directories to be set up like this in order to find certificates." I'm not sure, but I guess that programs based on GnuTLS do not need the symlinks. > It looks like the ca-certificate-bundle profile hook (defined in > guix/profiles.scm) doesn't currently invoke c_rehash. Should it? If I understand correctly, as long as each certificate package runs 'c_rehash' individually, then running 'c_rehash' during the profile hook should have no effect, because all of the certificates will already have their associated hash symlinks installed. Regards, Mark ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2018-06-14 17:50 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-06-11 13:24 root certificate Divan Santana 2018-06-11 16:59 ` Joshua Branson 2018-06-11 17:38 ` myglc2 2018-06-12 7:10 ` Divan Santana 2018-06-12 9:29 ` Tonton 2018-06-12 7:04 ` Divan Santana 2018-06-13 4:52 ` Chris Marusich 2018-06-13 21:25 ` Mark H Weaver 2018-06-13 21:28 ` Mark H Weaver 2018-06-14 6:15 ` Chris Marusich 2018-06-14 17:49 ` Mark H Weaver
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).