From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 11:29:19 -0500
Message-ID: <20170228162919.GA10253@jasmine>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine>
	<87fujmcb6w.fsf@gnu.org>
	<87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<87inoh660r.fsf@gnu.org>
	<874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
	<871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine>
	<87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53026)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cikeU-000863-Ky
	for guix-devel@gnu.org; Tue, 28 Feb 2017 11:29:28 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cikeR-0008Qh-GJ
	for guix-devel@gnu.org; Tue, 28 Feb 2017 11:29:26 -0500
Content-Disposition: inline
In-Reply-To: <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Marius Bakke <mbakke@fastmail.com>
Cc: guix-devel@gnu.org


--tKW2IUtsqtDRztdT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
> for `guix download`, but having just the one file in SSL_CERT_DIR does.
> That's good enough for me! Could you make this into a Guix package?=20

I plan to make a package once these issues are resolved:

1) Which "trust path" should we use? The one using ISRG (the "native"
Let's Encrypt root certificate authority), or the one that is
cross-signed by IdenTrust? Or should we keep it as-is, where both are
included? This is my first time creating a custom set of certificates,
so I don't know all the issues.

They recommend that server operators used the cross-signed trust chain
because the ISRG trust chain is not yet widely deployed in web browsers,
but that's not an issue for this use case.

2) I'd like at least two other Guix developers to try recreating the
repository "from scratch", and to send signed email to this thread
saying that they were able to successfully recreate this custom
certificate store.

> I wonder what happens if we simply switch %snapshot-url to HTTPS in
> `guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
> configured? I think it would be sufficient to mention in the manual to
> install one of "nss-certs" or "le-certs" before running `guix pull` for
> the first time. How does that sound?

I think it's too much of a regression if users have to fiddle with
environment variables for `guix pull` to work reliably. People are
constantly asking for help with environment variables in the #guix chat
room.

I want to bundle a 'le-certs' package with GNU Guix, and change `guix
pull` to know to use the le-certs bundle when pulling from
%snapshot-url. For other URLs, users will have to take care of it
themselves.=20

This should preserve the existing user experience of `guix pull`, which
is that the default invocation "just works", at least in terms of
downloading the source code. It could fail anyways if their clock is way
off... any other ideas about how it could fail?

> $ CURL_CA_BUNDLE=3D/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /=
dev/null
> * Rebuilt URL to: https://nrk.no/
> *   Trying 160.68.205.231...
> * TCP_NODELAY set
> * Connected to nrk.no (160.68.205.231) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
> * server certificate verification failed. CAfile: /tmp/le-certs/le-certs.=
pem CRLfile: none
> * Closing connection 0
>=20
> $ CURL_CA_BUNDLE=3D/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > =
/dev/null
> * Rebuilt URL to: https://gnu.org/
> *   Trying 208.118.235.148...
> * TCP_NODELAY set
> * Connected to gnu.org (208.118.235.148) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
> *        server certificate verification OK
> *        server certificate status verification SKIPPED
> *        common name: gnu.org (matched)
> *        server certificate expiration date OK
> *        server certificate activation date OK
> *        certificate public key: RSA
> *        certificate version: #3
> *        subject: CN=3Dgnu.org
> *        start date: Wed, 15 Feb 2017 10:01:00 GMT
> *        expire date: Tue, 16 May 2017 10:01:00 GMT
> *        issuer: C=3DUS,O=3DLet's Encrypt,CN=3DLet's Encrypt Authority X3
> *        compression: NULL
>=20
> $ GIT_SSL_CAINFO=3D"" git clone --depth=3D1 https://git.savannah.gnu.org/=
git/guix.git
> Cloning into 'guix'...
> fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Pro=
blem with the SSL CA cert(path? access rights?)
>=20
> $ GIT_SSL_CAINFO=3D/tmp/le-certs/le-certs.pem git clone --depth=3D1 https=
://git.savannah.gnu.org/git/guix.git
> Cloning into 'guix'...
> remote: Counting objects: 1409, done.

Excellent :)

--tKW2IUtsqtDRztdT
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAli1pVsACgkQJkb6MLrK
fwhbrQ//Ysqptc3KtsKmQzo7O+PHbZBWsOZPTFcSPum1fhivnyK3drtu+JGCKBWR
BRx6eVlsnmNBBBaOHnmOlUBLi78WyfHsYCaMCTz0bGUInpymL14Udb/zFk1A3Y95
Yi55wOxxtjbBUB2fRyQ+xmk2POfF7ot54XK8ZwyfS9u2yy3+6W7Y+pr43S+Z1HQr
LnQWV6MvJs7AaxxIMkcPDkBmO7ymaTBryofK3e8rh+KkI3xuT9JB/wjGFV+4rc2X
zFIjY+EAEeGMGNVlLBIZgjk5C3h6TUtdnWiErUSKLLpqhD7bF/cCc9sRVC86mbcJ
XFzoyOzs9jswpV0cqTQ9Du3ZUUWy6VQUZZH6q7p/TimNSltPdFvhqUgIkMIGZiRK
prCUj/K3xLLkCTXNS1aoytnqJcHdI7gil8tp9VZGwgfc/HaZx7dlMmNdCKgWJPzZ
giPhEocgUG7vjtWcfHLiPj5pGBRy9A4QzEJy8Xi92+eWrIyI3cmWs6Hk6Rps2q7H
vjvuk/+jDGd0hQblYn4l8TCZGSJgaiSPLrHs1ftVYLEYyUHEQMqw0OnMB3YGvQ1A
Uc81cBliYi6bwPRcDfOT3QIqI/ffRCnCmeVcTZ7dZyRkWTENqAqxkriB8190h0aC
/3Bp5nfdyWqDFI++McOo0RKxFTYG2XWgkkkSr3q7qRQ3vh/Bwwk=
=jXkS
-----END PGP SIGNATURE-----

--tKW2IUtsqtDRztdT--