From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 11:29:19 -0500 [thread overview]
Message-ID: <20170228162919.GA10253@jasmine> (raw)
In-Reply-To: <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
[-- Attachment #1: Type: text/plain, Size: 3990 bytes --]
On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
> for `guix download`, but having just the one file in SSL_CERT_DIR does.
> That's good enough for me! Could you make this into a Guix package?
I plan to make a package once these issues are resolved:
1) Which "trust path" should we use? The one using ISRG (the "native"
Let's Encrypt root certificate authority), or the one that is
cross-signed by IdenTrust? Or should we keep it as-is, where both are
included? This is my first time creating a custom set of certificates,
so I don't know all the issues.
They recommend that server operators used the cross-signed trust chain
because the ISRG trust chain is not yet widely deployed in web browsers,
but that's not an issue for this use case.
2) I'd like at least two other Guix developers to try recreating the
repository "from scratch", and to send signed email to this thread
saying that they were able to successfully recreate this custom
certificate store.
> I wonder what happens if we simply switch %snapshot-url to HTTPS in
> `guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
> configured? I think it would be sufficient to mention in the manual to
> install one of "nss-certs" or "le-certs" before running `guix pull` for
> the first time. How does that sound?
I think it's too much of a regression if users have to fiddle with
environment variables for `guix pull` to work reliably. People are
constantly asking for help with environment variables in the #guix chat
room.
I want to bundle a 'le-certs' package with GNU Guix, and change `guix
pull` to know to use the le-certs bundle when pulling from
%snapshot-url. For other URLs, users will have to take care of it
themselves.
This should preserve the existing user experience of `guix pull`, which
is that the default invocation "just works", at least in terms of
downloading the source code. It could fail anyways if their clock is way
off... any other ideas about how it could fail?
> $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /dev/null
> * Rebuilt URL to: https://nrk.no/
> * Trying 160.68.205.231...
> * TCP_NODELAY set
> * Connected to nrk.no (160.68.205.231) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
> * server certificate verification failed. CAfile: /tmp/le-certs/le-certs.pem CRLfile: none
> * Closing connection 0
>
> $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > /dev/null
> * Rebuilt URL to: https://gnu.org/
> * Trying 208.118.235.148...
> * TCP_NODELAY set
> * Connected to gnu.org (208.118.235.148) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
> * server certificate verification OK
> * server certificate status verification SKIPPED
> * common name: gnu.org (matched)
> * server certificate expiration date OK
> * server certificate activation date OK
> * certificate public key: RSA
> * certificate version: #3
> * subject: CN=gnu.org
> * start date: Wed, 15 Feb 2017 10:01:00 GMT
> * expire date: Tue, 16 May 2017 10:01:00 GMT
> * issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> * compression: NULL
>
> $ GIT_SSL_CAINFO="" git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
> Cloning into 'guix'...
> fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Problem with the SSL CA cert(path? access rights?)
>
> $ GIT_SSL_CAINFO=/tmp/le-certs/le-certs.pem git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
> Cloning into 'guix'...
> remote: Counting objects: 1409, done.
Excellent :)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-02-28 16:29 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-09 15:55 `guix pull` over HTTPS Leo Famulari
2017-02-10 0:30 ` Leo Famulari
2017-02-10 15:33 ` Ludovic Courtès
2017-02-10 16:22 ` Marius Bakke
2017-02-10 22:21 ` Ludovic Courtès
2017-02-10 22:43 ` Marius Bakke
2017-02-10 22:52 ` ng0
2017-02-11 14:28 ` Ludovic Courtès
2017-02-11 19:25 ` Leo Famulari
2017-02-11 19:48 ` Ricardo Wurmus
2017-02-12 13:36 ` Ludovic Courtès
2017-02-28 5:46 ` Leo Famulari
2017-02-28 14:59 ` Marius Bakke
2017-02-28 16:29 ` Leo Famulari [this message]
2017-02-28 16:45 ` Marius Bakke
2017-02-28 20:44 ` Marius Bakke
2017-02-28 21:44 ` Marius Bakke
2017-02-28 21:54 ` Marius Bakke
2017-03-01 2:36 ` Marius Bakke
2017-03-01 5:14 ` Leo Famulari
2017-03-01 21:20 ` [PATCH v3] pull: Default to HTTPS Marius Bakke
2017-03-01 22:07 ` Leo Famulari
2017-03-01 21:21 ` `guix pull` over HTTPS Marius Bakke
2017-03-06 10:04 ` Ludovic Courtès
2017-03-06 10:06 ` Ludovic Courtès
2017-03-06 12:27 ` Marius Bakke
2017-02-28 23:05 ` Marius Bakke
2017-03-01 0:19 ` Leo Famulari
2017-02-28 16:39 ` [PATCH] pull: Use HTTPS by default Marius Bakke
2017-03-01 1:01 ` Leo Famulari
2017-02-10 18:55 ` `guix pull` over HTTPS Christopher Allan Webber
2017-02-10 15:29 ` Ludovic Courtès
2017-02-13 21:23 ` Bob Proulx
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170228162919.GA10253@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=mbakke@fastmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.