tls woes with importers

tls woes with importers

[Jelle Licht]

Hi all,

Recently, I have been running into some gnutls-issues again.  The
biggest issue for me right now is the lack of a working importer, as
follows:

--8<---------------cut here---------------start------------->8---
$ guix import elpa org
Backtrace:
          13 (primitive-load "/home/jelle/.config/guix/current/bin/g…")
In guix/ui.scm:
  1579:12 12 (run-guix-command _ . _)
In guix/scripts/import.scm:
   115:11 11 (guix-import . _)
In guix/scripts/import/elpa.scm:
   108:23 10 (guix-import-elpa . _)
In guix/import/elpa.scm:
    249:2  9 (elpa->guix-package "org" _)
   182:13  8 (fetch-elpa-package "org" _)
   113:18  7 (elpa-package-info "org" _)
    85:21  6 (elpa-fetch-archive _)
In ice-9/boot-9.scm:
    829:9  5 (catch system-error #<procedure 10fb300 at guix/http-c…> …)
    829:9  4 (catch srfi-34 #<procedure 10e6f50 at guix/http-client…> …)
In guix/http-client.scm:
   182:20  3 (_)
    88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
In guix/build/download.scm:
    398:4  1 (open-connection-for-uri _ #:timeout _ # _)
    296:6  0 (tls-wrap #<closed: file 101f0e0> _ # _)

guix/build/download.scm:296:6: In procedure tls-wrap:
X.509 certificate of 'elpa.gnu.org' could not be verified:
  signer-not-found
  invalid
--8<---------------cut here---------------end--------------->8---

I am running GuixSD, with

--8<---------------cut here---------------start------------->8---
$ guix --version
guix (GNU Guix) 19f2a52644ffabf4902d0506329aa29d835dda4f
Copyright (C) 2018 the Guix authors
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
--8<---------------cut here---------------end--------------->8---

I have verified that I have nss-certs installed in my system profile.
Other programs using TLS connections seem to not have this issue
(e.g. Emacs and Icecat).

I have already tried:
- installing nss-certs to my user profile as well.
- installing gnutls to my user profile.

... but none of this changed anything for me sadly. Does anyone know
what I can do to remedy this situation?

Regards,
Jelle

Re: tls woes with importers

[Ludovic Courtès]

Hello Jelle,

Jelle Licht <jlicht@fsfe.org> skribis:

> $ guix import elpa org
> Backtrace:
>           13 (primitive-load "/home/jelle/.config/guix/current/bin/g…")
> In guix/ui.scm:
>   1579:12 12 (run-guix-command _ . _)
> In guix/scripts/import.scm:
>    115:11 11 (guix-import . _)
> In guix/scripts/import/elpa.scm:
>    108:23 10 (guix-import-elpa . _)
> In guix/import/elpa.scm:
>     249:2  9 (elpa->guix-package "org" _)
>    182:13  8 (fetch-elpa-package "org" _)
>    113:18  7 (elpa-package-info "org" _)
>     85:21  6 (elpa-fetch-archive _)
> In ice-9/boot-9.scm:
>     829:9  5 (catch system-error #<procedure 10fb300 at guix/http-c…> …)
>     829:9  4 (catch srfi-34 #<procedure 10e6f50 at guix/http-client…> …)
> In guix/http-client.scm:
>    182:20  3 (_)
>     88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> In guix/build/download.scm:
>     398:4  1 (open-connection-for-uri _ #:timeout _ # _)
>     296:6  0 (tls-wrap #<closed: file 101f0e0> _ # _)
>
> guix/build/download.scm:296:6: In procedure tls-wrap:
> X.509 certificate of 'elpa.gnu.org' could not be verified:
>   signer-not-found
>   invalid

This means that the certificate could not be validated, probably due to
missing certificates.

Could you make sure to install ‘nss-cert’ and to define ‘SSL_CERT_DIR’
accordingly?  See
<https://www.gnu.org/software/guix/manual/en/html_node/X_002e509-Certificates.html>.

HTH,
Ludo’.

Re: tls woes with importers

[Jelle Licht]

[-- Attachment #1: Type: text/plain, Size: 2101 bytes --]

As you said, my $SSL_CERT_DIR was messed up:
"/home/jelle/.guix-profile/etc/ssl/certs:/etc/ssl/certs".

It seems that several tools dislike having :-delimited directories in
SSL_CERT_DIR, I guess?
Either way, uninstalling nss-certs from my user profile, and leaving it in
my system definition as before, fixed the issue.
Kind of a bummer actually, as I really like sharing my user manifest files
between Guix and GuixSD machines.

Thanks Ludo!


2018-07-27 1:23 GMT+02:00 Ludovic Courtès <ludo@gnu.org>:

> Hello Jelle,
>
> Jelle Licht <jlicht@fsfe.org> skribis:
>
> > $ guix import elpa org
> > Backtrace:
> >           13 (primitive-load "/home/jelle/.config/guix/current/bin/g…")
> > In guix/ui.scm:
> >   1579:12 12 (run-guix-command _ . _)
> > In guix/scripts/import.scm:
> >    115:11 11 (guix-import . _)
> > In guix/scripts/import/elpa.scm:
> >    108:23 10 (guix-import-elpa . _)
> > In guix/import/elpa.scm:
> >     249:2  9 (elpa->guix-package "org" _)
> >    182:13  8 (fetch-elpa-package "org" _)
> >    113:18  7 (elpa-package-info "org" _)
> >     85:21  6 (elpa-fetch-archive _)
> > In ice-9/boot-9.scm:
> >     829:9  5 (catch system-error #<procedure 10fb300 at guix/http-c…> …)
> >     829:9  4 (catch srfi-34 #<procedure 10e6f50 at guix/http-client…> …)
> > In guix/http-client.scm:
> >    182:20  3 (_)
> >     88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> > In guix/build/download.scm:
> >     398:4  1 (open-connection-for-uri _ #:timeout _ # _)
> >     296:6  0 (tls-wrap #<closed: file 101f0e0> _ # _)
> >
> > guix/build/download.scm:296:6: In procedure tls-wrap:
> > X.509 certificate of 'elpa.gnu.org' could not be verified:
> >   signer-not-found
> >   invalid
>
> This means that the certificate could not be validated, probably due to
> missing certificates.
>
> Could you make sure to install ‘nss-cert’ and to define ‘SSL_CERT_DIR’
> accordingly?  See
> <https://www.gnu.org/software/guix/manual/en/html_node/X_
> 002e509-Certificates.html>.
>
> HTH,
> Ludo’.
>

[-- Attachment #2: Type: text/html, Size: 3071 bytes --]