From: Leo Famulari
Subject: Re: `guix pull` over HTTPS
Date: Tue, 28 Feb 2017 11:29:19 -0500
Message-ID: <20170228162919.GA10253@jasmine>
In-Reply-To: <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine> <87fujmcb6w.fsf@gnu.org> <87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87inoh660r.fsf@gnu.org> <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine> <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
To: Marius Bakke
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Tue, Feb 28, 2017 at 03:59:42PM +0100, Marius Bakke wrote:
> For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work
> for `guix download`, but having just the one file in SSL_CERT_DIR does.
> That's good enough for me! Could you make this into a Guix package?

I plan to make a package once these issues are resolved:

1) Which "trust path" should we use?
The one using ISRG (the "native" Let's Encrypt root certificate
authority), or the one that is cross-signed by IdenTrust? Or should we
keep it as-is, where both are included?

This is my first time creating a custom set of certificates, so I don't
know all the issues. They recommend that server operators use the
cross-signed trust chain because the ISRG trust chain is not yet widely
deployed in web browsers, but that's not an issue for this use case.

2) I'd like at least two other Guix developers to try recreating the
repository "from scratch", and to send signed email to this thread
saying that they were able to successfully recreate this custom
certificate store.

> I wonder what happens if we simply switch %snapshot-url to HTTPS in
> `guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR
> configured? I think it would be sufficient to mention in the manual to
> install one of "nss-certs" or "le-certs" before running `guix pull` for
> the first time. How does that sound?

I think it's too much of a regression if users have to fiddle with
environment variables for `guix pull` to work reliably. People are
constantly asking for help with environment variables in the #guix chat
room.

I want to bundle a 'le-certs' package with GNU Guix, and change `guix
pull` to know to use the le-certs bundle when pulling from
%snapshot-url. For other URLs, users will have to take care of it
themselves.

This should preserve the existing user experience of `guix pull`, which
is that the default invocation "just works", at least in terms of
downloading the source code. It could fail anyways if their clock is way
off... any other ideas about how it could fail?

> $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /dev/null
> * Rebuilt URL to: https://nrk.no/
> *   Trying 160.68.205.231...
> * TCP_NODELAY set
> * Connected to nrk.no (160.68.205.231) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
> * server certificate verification failed. CAfile: /tmp/le-certs/le-certs.pem CRLfile: none
> * Closing connection 0
>
> $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > /dev/null
> * Rebuilt URL to: https://gnu.org/
> *   Trying 208.118.235.148...
> * TCP_NODELAY set
> * Connected to gnu.org (208.118.235.148) port 443 (#0)
> * found 10 certificates in /tmp/le-certs/le-certs.pem
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
> * server certificate verification OK
> * server certificate status verification SKIPPED
> * common name: gnu.org (matched)
> * server certificate expiration date OK
> * server certificate activation date OK
> * certificate public key: RSA
> * certificate version: #3
> * subject: CN=gnu.org
> * start date: Wed, 15 Feb 2017 10:01:00 GMT
> * expire date: Tue, 16 May 2017 10:01:00 GMT
> * issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> * compression: NULL
>
> $ GIT_SSL_CAINFO="" git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
> Cloning into 'guix'...
> fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Problem with the SSL CA cert(path? access rights?)
>
> $ GIT_SSL_CAINFO=/tmp/le-certs/le-certs.pem git clone --depth=1 https://git.savannah.gnu.org/git/guix.git
> Cloning into 'guix'...
> remote: Counting objects: 1409, done.
Excellent :)
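The "which trust path" question in the message above is easiest to see with a throwaway PKI. The script below is an added example written for this page; it is not part of the e-mail thread, of Guix, or of the le-certs repository, and it uses no real Let's Encrypt material. It builds two self-signed roots ("Toy Root A", standing in for the ISRG root, and "Toy Root B", standing in for the IdenTrust root), one intermediate key that is signed by both roots (the native path and the cross-signed path), and one leaf for the made-up host example.test. It then checks the leaf against three candidate trust stores (A only, B only, both) for each intermediate a server might send. The file names, subject names and the 30-day validity are assumptions of the example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the e-mail or from Guix.  Models the
# Let's Encrypt "trust path" choice with a constructed two-root PKI:
# "Toy Root A" plays the ISRG root, "Toy Root B" the IdenTrust root
# that cross-signs the same intermediate.  Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so nothing here depends on the system openssl.cnf.
cat > toy.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# sign CSR CA-CERT CA-KEY SERIAL EXT-SECTION OUT
sign() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" -days 30 \
        -extfile toy.cnf -extensions "$5" -out "$6" 2>/dev/null
}

newkey rootA.key; newkey rootB.key; newkey inter.key; newkey leaf.key

# Two independent self-signed roots.
openssl req -x509 -new -config toy.cnf -key rootA.key -days 30 \
    -subj "/CN=Toy Root A (ISRG-like)" -extensions ca_ext -out rootA.pem
openssl req -x509 -new -config toy.cnf -key rootB.key -days 30 \
    -subj "/CN=Toy Root B (IdenTrust-like)" -extensions ca_ext -out rootB.pem

# One intermediate key and subject, two issuer signatures: the "native"
# path (signed by A) and the cross-signed path (signed by B).
openssl req -new -config toy.cnf -key inter.key -subj "/CN=Toy Intermediate" -out inter.csr
sign inter.csr rootA.pem rootA.key 1 ca_ext interA.pem
sign inter.csr rootB.pem rootB.key 2 ca_ext interB.pem

# The leaf is signed once; its issuer name matches both intermediates.
openssl req -new -config toy.cnf -key leaf.key -subj "/CN=example.test" -out leaf.csr
sign leaf.csr interA.pem inter.key 3 leaf_ext leaf.pem

# The three candidate trust stores from the question in the e-mail.
cp rootA.pem bundle-isrg.pem
cp rootB.pem bundle-identrust.pem
cat rootA.pem rootB.pem > bundle-both.pem

# count_certs BUNDLE: the number curl reports as "found N certificates".
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# list_bundle BUNDLE: subject and issuer of every cert, for eyeballing a
# bundle before shipping it as a trust store.
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify BUNDLE CHAIN: does leaf.pem validate when the trust store is
# BUNDLE and the server sends CHAIN as its intermediate?  0 = yes.
verify() { openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; }

echo "Contents of bundle-both.pem:"
list_bundle bundle-both.pem

for bundle in bundle-isrg.pem bundle-identrust.pem bundle-both.pem; do
    for chain in interA.pem interB.pem; do
        if verify "$bundle" "$chain"; then r=OK; else r=FAIL; fi
        printf '%-22s + server sends %-10s -> %s\n' "$bundle" "$chain" "$r"
    done
done
```

The matrix it prints is the point: a store holding only Root A validates only the A-signed intermediate, a store holding only Root B validates only the cross-signed one, and the combined store validates both. A root-only bundle therefore only works against servers that happen to send the matching intermediate, which is the server operator's choice, not the client's. Given the recommendation quoted in the message that operators deploy the cross-signed chain, an ISRG-only bundle would fail against exactly the servers that follow that advice, while keeping both roots, as the current repository does, accepts either chain.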