pypi import certs issues

pypi import certs issues

[ng0]

Hi,

on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:

user@abyayala ~$ guix package -l | grep "nss-certs"
user@abyayala ~$ env | grep "SSL_"
GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
user@abyayala ~$ guix import pypi readline
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
;;; note: source file /home/user/.config/guix/latest/guix/download.scm
;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
Backtrace:
          11 (apply-smob/1 #<catch-closure 24703a0>)
          In ice-9/boot-9.scm:
              705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handleb&>)
              In ice-9/eval.scm:
                  619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
                  In guix/ui.scm:
                    1501:12  8 (run-guix-command _ . _)
                    In guix/scripts/import.scm:
                       114:11  7 (guix-import . _)
                       In guix/scripts/import/pypi.scm:
                           84:19  6 (guix-import-pypi . _)
                           In guix/import/pypi.scm:
                              274:17  5 (pypi->guix-package _)
                              In ice-9/boot-9.scm:
                                  829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/jsonb&> b&)
                                  In guix/import/json.scm:
                                      32:17  3 (_)
                                      In guix/http-client.scm:
                                          88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # b&)
                                          In guix/build/download.scm:
                                              398:4  1 (open-connection-for-uri _ #:timeout _ # _)
                                                  296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)

guix/build/download.scm:296:6: In procedure tls-wrap:
X.509 certificate of 'pypi.python.org' could not be verified:
  insecure-algorithm
    signer-not-found
      invalid

user@abyayala ~$ ^C
user@abyayala ~$ cat src/systems/old_systems/guixsd/workstations/abyayala/config.scm | grep "nss-certs"
                                                  "nss-certs" ;certs
                                                  

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[Ludovic Courtès]

Hello,

ng0 <ng0@n0.is> skribis:

> on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>
> user@abyayala ~$ guix package -l | grep "nss-certs"
> user@abyayala ~$ env | grep "SSL_"
> GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> user@abyayala ~$ guix import pypi readline
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> ;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> Backtrace:
>           11 (apply-smob/1 #<catch-closure 24703a0>)
>           In ice-9/boot-9.scm:
>               705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handleb&>)
>               In ice-9/eval.scm:
>                   619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
>                   In guix/ui.scm:
>                     1501:12  8 (run-guix-command _ . _)
>                     In guix/scripts/import.scm:
>                        114:11  7 (guix-import . _)
>                        In guix/scripts/import/pypi.scm:
>                            84:19  6 (guix-import-pypi . _)
>                            In guix/import/pypi.scm:
>                               274:17  5 (pypi->guix-package _)
>                               In ice-9/boot-9.scm:
>                                   829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/jsonb&> b&)
>                                   In guix/import/json.scm:
>                                       32:17  3 (_)
>                                       In guix/http-client.scm:
>                                           88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # b&)
>                                           In guix/build/download.scm:
>                                               398:4  1 (open-connection-for-uri _ #:timeout _ # _)
>                                                   296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)
>
> guix/build/download.scm:296:6: In procedure tls-wrap:
> X.509 certificate of 'pypi.python.org' could not be verified:
>   insecure-algorithm
>     signer-not-found
>       invalid

I don’t see that.  Could it be that the certs you have in /etc/ssl are
too old, or something along these lines?

Thanks,
Ludo’.

Re: pypi import certs issues

[ng0]

Ludovic Courtès transcribed 2.7K bytes:
> Hello,
> 
> ng0 <ng0@n0.is> skribis:
> 
> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >
> > user@abyayala ~$ guix package -l | grep "nss-certs"
> > user@abyayala ~$ env | grep "SSL_"
> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> > user@abyayala ~$ guix import pypi readline
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /home/user/.config/guix/latest/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /gnu/store/3abjgr7dws69089lrfkf0n92qww1946j-guix-0.14.0-9.bdf0c64/lib/guile/2.2/site-ccache/guix/download.go
> > ;;; note: source file /home/user/.config/guix/latest/guix/download.scm
> > ;;;       newer than compiled /run/current-system/profile/lib/guile/2.2/site-ccache/guix/download.go
> > Backtrace:
> >           11 (apply-smob/1 #<catch-closure 24703a0>)
> >           In ice-9/boot-9.scm:
> >               705:2 10 (call-with-prompt _ _ #<procedure default-prompt-handleb&>)
> >               In ice-9/eval.scm:
> >                   619:8  9 (_ #(#(#<directory (guile-user) 2526140>)))
> >                   In guix/ui.scm:
> >                     1501:12  8 (run-guix-command _ . _)
> >                     In guix/scripts/import.scm:
> >                        114:11  7 (guix-import . _)
> >                        In guix/scripts/import/pypi.scm:
> >                            84:19  6 (guix-import-pypi . _)
> >                            In guix/import/pypi.scm:
> >                               274:17  5 (pypi->guix-package _)
> >                               In ice-9/boot-9.scm:
> >                                   829:9  4 (catch srfi-34 #<procedure 2db97e0 at guix/import/jsonb&> b&)
> >                                   In guix/import/json.scm:
> >                                       32:17  3 (_)
> >                                       In guix/http-client.scm:
> >                                           88:25  2 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # b&)
> >                                           In guix/build/download.scm:
> >                                               398:4  1 (open-connection-for-uri _ #:timeout _ # _)
> >                                                   296:6  0 (tls-wrap #<closed: file 292ee00> _ # _)
> >
> > guix/build/download.scm:296:6: In procedure tls-wrap:
> > X.509 certificate of 'pypi.python.org' could not be verified:
> >   insecure-algorithm
> >     signer-not-found
> >       invalid
> 
> I don’t see that.  Could it be that the certs you have in /etc/ssl are
> too old, or something along these lines?

But how? The system I have is build from the same commit (+ my 4 irrelevant, not SSL touching
packages on top of it). So nss-certs is system-wide, as it has always been, and that's what
used for our /etc/ssl/certs/

> Thanks,
> Ludo’.
> 
> 

Thanks,
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[Ludovic Courtès]

ng0 <ng0@n0.is> skribis:

> Ludovic Courtès transcribed 2.7K bytes:
>> Hello,
>> 
>> ng0 <ng0@n0.is> skribis:
>> 
>> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
>> >
>> > user@abyayala ~$ guix package -l | grep "nss-certs"
>> > user@abyayala ~$ env | grep "SSL_"
>> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
>> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs

[...]

>> > guix/build/download.scm:296:6: In procedure tls-wrap:
>> > X.509 certificate of 'pypi.python.org' could not be verified:
>> >   insecure-algorithm
>> >     signer-not-found
>> >       invalid
>> 
>> I don’t see that.  Could it be that the certs you have in /etc/ssl are
>> too old, or something along these lines?

What if you do:

  export SSL_CERT_DIR=/etc/ssl/certs

?

Ludo’.

Re: pypi import certs issues

[ng0]

Ludovic Courtès transcribed 911 bytes:
> ng0 <ng0@n0.is> skribis:
> 
> > Ludovic Courtès transcribed 2.7K bytes:
> >> Hello,
> >> 
> >> ng0 <ng0@n0.is> skribis:
> >> 
> >> > on commit 72406062b9c3cdb6e9e30266f3cc31d0b2116b68 pypi import has issues:
> >> >
> >> > user@abyayala ~$ guix package -l | grep "nss-certs"
> >> > user@abyayala ~$ env | grep "SSL_"
> >> > GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
> >> > SSL_CERT_DIR=/home/user/.guix-profile/etc/ssl/certs:/etc/ssl/certs
> 
> [...]
> 
> >> > guix/build/download.scm:296:6: In procedure tls-wrap:
> >> > X.509 certificate of 'pypi.python.org' could not be verified:
> >> >   insecure-algorithm
> >> >     signer-not-found
> >> >       invalid
> >> 
> >> I don’t see that.  Could it be that the certs you have in /etc/ssl are
> >> too old, or something along these lines?
> 
> What if you do:
> 
>   export SSL_CERT_DIR=/etc/ssl/certs
> 
> ?
> 
> Ludo’.

Okay, that worked. So why is the .guix-profile/etc/ssl/certs
not updated? I don't even have nss-certs in my user profile, it is
global. Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
empty? I assume it is just for user-space (space=profile in my
line of thought here) certificates which are not global?

Thanks
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[Ricardo Wurmus]

ng0 <ng0@n0.is> writes:

> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> empty? I assume it is just for user-space (space=profile in my
> line of thought here) certificates which are not global?

Which of the packages in your profile provides this directory?  What
does “readlink” tell you?

-- 
Ricardo

Re: pypi import certs issues

[Mark H Weaver]

Ricardo Wurmus <rekado@elephly.net> writes:

> ng0 <ng0@n0.is> writes:
>
>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>> empty? I assume it is just for user-space (space=profile in my
>> line of thought here) certificates which are not global?

Yes, that's right.

> Which of the packages in your profile provides this directory?  What
> does “readlink” tell you?

The directory is created by the 'ca-certificate-bundle' profile hook in
(guix profiles), whose purpose is to create a single-file certificate
bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
certs from all of the certificate packages included in the profile.

     Mark

Re: pypi import certs issues

[Mark H Weaver]

Mark H Weaver <mhw@netris.org> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> ng0 <ng0@n0.is> writes:
>>
>>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
>>> empty? I assume it is just for user-space (space=profile in my
>>> line of thought here) certificates which are not global?
>
> Yes, that's right.
>
>> Which of the packages in your profile provides this directory?  What
>> does “readlink” tell you?
>
> The directory is created by the 'ca-certificate-bundle' profile hook in
> (guix profiles), whose purpose is to create a single-file certificate
> bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> certs from all of the certificate packages included in the profile.

Hmm, although it looks like that profile hook shouldn't ever create the
etc/ssl/crts directory without also creating the ca-certificates.crt
file within it.  In this case I guess some other package must have
created that directory, so I'm also curious to see the output of the
following commands:

  readlink ~/.guix-profile/etc
  readlink ~/.guix-profile/etc/ssl
  readlink ~/.guix-profile/etc/ssl/certs

      Mark

Re: pypi import certs issues

[ng0]

Mark H Weaver transcribed 1.1K bytes:
> Mark H Weaver <mhw@netris.org> writes:
> 
> > Ricardo Wurmus <rekado@elephly.net> writes:
> >
> >> ng0 <ng0@n0.is> writes:
> >>
> >>> Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> >>> empty? I assume it is just for user-space (space=profile in my
> >>> line of thought here) certificates which are not global?
> >
> > Yes, that's right.
> >
> >> Which of the packages in your profile provides this directory?  What
> >> does “readlink” tell you?
> >
> > The directory is created by the 'ca-certificate-bundle' profile hook in
> > (guix profiles), whose purpose is to create a single-file certificate
> > bundle in ../etc/ssl/certs/ca-certificates.crt containing all of the
> > certs from all of the certificate packages included in the profile.
> 
> Hmm, although it looks like that profile hook shouldn't ever create the
> etc/ssl/crts directory without also creating the ca-certificates.crt
> file within it.  In this case I guess some other package must have
> created that directory, so I'm also curious to see the output of the
> following commands:
> 
>   readlink ~/.guix-profile/etc
>   readlink ~/.guix-profile/etc/ssl
>   readlink ~/.guix-profile/etc/ssl/certs
> 
>       Mark

Ah, this is where my custom global profile seems to come in to blame:

user@abyayala ~$ readlink ~/.guix-profile/etc
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl
/gnu/store/bfrpbapb440fkqb7n389xry596i73jml-libressl-2.6.4/etc/ssl
user@abyayala ~$ readlink ~/.guix-profile/etc/ssl/certs
user@abyayala ~$ 

Although you should be able to install libressl and use openssl generated data.
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

Re: pypi import certs issues

[ng0]

Ricardo Wurmus transcribed 341 bytes:
> 
> ng0 <ng0@n0.is> writes:
> 
> > Continuing thought: Why is ~/.guix-profile/etc/ssl/certs/
> > empty? I assume it is just for user-space (space=profile in my
> > line of thought here) certificates which are not global?
> 
> Which of the packages in your profile provides this directory?  What
> does “readlink” tell you?

Surprisingly it returns an empty result, which is why I asked :)
Even the files in the directory above (~/.guix-profile/etc/ssl/) are
empty results.

> 
> -- 
> Ricardo
> 
> 

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is

pypi import certs issues

[c4droid]

Hi, Guix!

on commit dc5430c9dc20ee53441995d9a89a90b0a86aeed3 pypi import has
issues:

Backtrace:
In ice-9/eval.scm:
    619:8 19 (_ #(#(#<directory (guile-user) 7fb1cb718c80>)))
In guix/ui.scm:
   2300:7 18 (run-guix . _)
  2263:10 17 (run-guix-command _ . _)
In guix/scripts/import.scm:
    89:11 16 (guix-import . _)
In ice-9/boot-9.scm:
  1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
In guix/scripts/import/pypi.scm:
    97:21 14 (_)
In guix/import/utils.scm:
   638:27 13 (recursive-import "pwntools" #:repo->guix-package _ # . #)
   630:33 12 (lookup-node "pwntools" #f)
In guix/memoization.scm:
     98:0 11 (mproc "pwntools" #:version #f #:repo->guix-package #<…> …)
In unknown file:
          10 (_ #<procedure 7fb1c7d05a20 at guix/memoization.scm:17…> …)
In guix/import/pypi.scm:
   495:21  9 (_ "pwntools" #:version _)
   126:10  8 (pypi-fetch _)
In ice-9/exceptions.scm:
   406:15  7 (json-fetch _ #:http-fetch _ #:headers _)
In ice-9/boot-9.scm:
  1752:10  6 (with-exception-handler _ _ #:unwind? _ # _)
In guix/import/json.scm:
    53:19  5 (_)
In guix/http-client.scm:
   107:28  4 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
In guix/build/download.scm:
    468:4  3 (open-connection-for-uri _ #:timeout _ # _)
    360:6  2 (tls-wrap #<closed: file 7fb1c7a3ce00> _ # _)
In ice-9/boot-9.scm:
  1685:16  1 (raise-exception _ #:continuable? _)
  1683:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1683:16: In procedure raise-exception:
X.509 certificate of 'pypi.org' could not be verified:
  revocation-data-superseded
  invalid

I found a old discuss in
https://lists.gnu.org/archive/html/guix-devel/2018-03/msg00247.html,
but set SSL_CERTS_DIR to /etc/ssl/certs don't working.

The environment variable for SSL:
GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
SSL_CERT_DIR=/run/current-system/profile/etc/ssl/certs
SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Re: pypi import certs issues

[Maxim Cournoyer]

Hi,

c4droid <c4droid@foxmail.com> writes:

> Hi, Guix!
>
> on commit dc5430c9dc20ee53441995d9a89a90b0a86aeed3 pypi import has
> issues:
>
> Backtrace:
> In ice-9/eval.scm:
>     619:8 19 (_ #(#(#<directory (guile-user) 7fb1cb718c80>)))
> In guix/ui.scm:
>    2300:7 18 (run-guix . _)
>   2263:10 17 (run-guix-command _ . _)
> In guix/scripts/import.scm:
>     89:11 16 (guix-import . _)
> In ice-9/boot-9.scm:
>   1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
> In guix/scripts/import/pypi.scm:
>     97:21 14 (_)
> In guix/import/utils.scm:
>    638:27 13 (recursive-import "pwntools" #:repo->guix-package _ # . #)
>    630:33 12 (lookup-node "pwntools" #f)
> In guix/memoization.scm:
>      98:0 11 (mproc "pwntools" #:version #f #:repo->guix-package #<…> …)
> In unknown file:
>           10 (_ #<procedure 7fb1c7d05a20 at guix/memoization.scm:17…> …)
> In guix/import/pypi.scm:
>    495:21  9 (_ "pwntools" #:version _)
>    126:10  8 (pypi-fetch _)
> In ice-9/exceptions.scm:
>    406:15  7 (json-fetch _ #:http-fetch _ #:headers _)
> In ice-9/boot-9.scm:
>   1752:10  6 (with-exception-handler _ _ #:unwind? _ # _)
> In guix/import/json.scm:
>     53:19  5 (_)
> In guix/http-client.scm:
>    107:28  4 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> In guix/build/download.scm:
>     468:4  3 (open-connection-for-uri _ #:timeout _ # _)
>     360:6  2 (tls-wrap #<closed: file 7fb1c7a3ce00> _ # _)
> In ice-9/boot-9.scm:
>   1685:16  1 (raise-exception _ #:continuable? _)
>   1683:16  0 (raise-exception _ #:continuable? _)
>
> ice-9/boot-9.scm:1683:16: In procedure raise-exception:
> X.509 certificate of 'pypi.org' could not be verified:
>   revocation-data-superseded
>   invalid
>
> I found a old discuss in
> https://lists.gnu.org/archive/html/guix-devel/2018-03/msg00247.html,
> but set SSL_CERTS_DIR to /etc/ssl/certs don't working.

[...]

Do you have nss-certs installed in your operating system declaration (on
Guix System) ?

Not sure if it could help, but I just updated nss-certs to 3.88.1, up
from 3.85, so pulling and reconfiguring your system may help.

-- 
Thanks,
Maxim

Re: pypi import certs issues

[c4droid]

On Sun, May 07, 2023 at 09:18:25PM -0400, Maxim Cournoyer wrote:
Hi, Maxim

> Hi,
> 
> c4droid <c4droid@foxmail.com> writes:
> 
> > Hi, Guix!
> >
> > on commit dc5430c9dc20ee53441995d9a89a90b0a86aeed3 pypi import has
> > issues:
> >
> > Backtrace:
> > In ice-9/eval.scm:
> >     619:8 19 (_ #(#(#<directory (guile-user) 7fb1cb718c80>)))
> > In guix/ui.scm:
> >    2300:7 18 (run-guix . _)
> >   2263:10 17 (run-guix-command _ . _)
> > In guix/scripts/import.scm:
> >     89:11 16 (guix-import . _)
> > In ice-9/boot-9.scm:
> >   1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
> > In guix/scripts/import/pypi.scm:
> >     97:21 14 (_)
> > In guix/import/utils.scm:
> >    638:27 13 (recursive-import "pwntools" #:repo->guix-package _ # . #)
> >    630:33 12 (lookup-node "pwntools" #f)
> > In guix/memoization.scm:
> >      98:0 11 (mproc "pwntools" #:version #f #:repo->guix-package #<…> …)
> > In unknown file:
> >           10 (_ #<procedure 7fb1c7d05a20 at guix/memoization.scm:17…> …)
> > In guix/import/pypi.scm:
> >    495:21  9 (_ "pwntools" #:version _)
> >    126:10  8 (pypi-fetch _)
> > In ice-9/exceptions.scm:
> >    406:15  7 (json-fetch _ #:http-fetch _ #:headers _)
> > In ice-9/boot-9.scm:
> >   1752:10  6 (with-exception-handler _ _ #:unwind? _ # _)
> > In guix/import/json.scm:
> >     53:19  5 (_)
> > In guix/http-client.scm:
> >    107:28  4 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> > In guix/build/download.scm:
> >     468:4  3 (open-connection-for-uri _ #:timeout _ # _)
> >     360:6  2 (tls-wrap #<closed: file 7fb1c7a3ce00> _ # _)
> > In ice-9/boot-9.scm:
> >   1685:16  1 (raise-exception _ #:continuable? _)
> >   1683:16  0 (raise-exception _ #:continuable? _)
> >
> > ice-9/boot-9.scm:1683:16: In procedure raise-exception:
> > X.509 certificate of 'pypi.org' could not be verified:
> >   revocation-data-superseded
> >   invalid
> >
> > I found a old discuss in
> > https://lists.gnu.org/archive/html/guix-devel/2018-03/msg00247.html,
> > but set SSL_CERTS_DIR to /etc/ssl/certs don't working.
> 
> [...]
> 
> Do you have nss-certs installed in your operating system declaration (on
> Guix System) ?

I installed nss-certs on my operating-system declaration.

> 
> Not sure if it could help, but I just updated nss-certs to 3.88.1, up
> from 3.85, so pulling and reconfiguring your system may help.

Hope it can be use for me, I'll update my guix channel and reconfiguring system then running guix
import pypi again.

> 
> -- 
> Thanks,
> Maxim
\0

Re: pypi import certs issues

[c4droid]

Hi, Maxim

On Sun, May 07, 2023 at 09:18:25PM -0400, Maxim Cournoyer wrote:
> Hi,
> 
> c4droid <c4droid@foxmail.com> writes:
> 
> > Hi, Guix!
> >
> > on commit dc5430c9dc20ee53441995d9a89a90b0a86aeed3 pypi import has
> > issues:
> >
> > Backtrace:
> > In ice-9/eval.scm:
> >     619:8 19 (_ #(#(#<directory (guile-user) 7fb1cb718c80>)))
> > In guix/ui.scm:
> >    2300:7 18 (run-guix . _)
> >   2263:10 17 (run-guix-command _ . _)
> > In guix/scripts/import.scm:
> >     89:11 16 (guix-import . _)
> > In ice-9/boot-9.scm:
> >   1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
> > In guix/scripts/import/pypi.scm:
> >     97:21 14 (_)
> > In guix/import/utils.scm:
> >    638:27 13 (recursive-import "pwntools" #:repo->guix-package _ # . #)
> >    630:33 12 (lookup-node "pwntools" #f)
> > In guix/memoization.scm:
> >      98:0 11 (mproc "pwntools" #:version #f #:repo->guix-package #<…> …)
> > In unknown file:
> >           10 (_ #<procedure 7fb1c7d05a20 at guix/memoization.scm:17…> …)
> > In guix/import/pypi.scm:
> >    495:21  9 (_ "pwntools" #:version _)
> >    126:10  8 (pypi-fetch _)
> > In ice-9/exceptions.scm:
> >    406:15  7 (json-fetch _ #:http-fetch _ #:headers _)
> > In ice-9/boot-9.scm:
> >   1752:10  6 (with-exception-handler _ _ #:unwind? _ # _)
> > In guix/import/json.scm:
> >     53:19  5 (_)
> > In guix/http-client.scm:
> >    107:28  4 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
> > In guix/build/download.scm:
> >     468:4  3 (open-connection-for-uri _ #:timeout _ # _)
> >     360:6  2 (tls-wrap #<closed: file 7fb1c7a3ce00> _ # _)
> > In ice-9/boot-9.scm:
> >   1685:16  1 (raise-exception _ #:continuable? _)
> >   1683:16  0 (raise-exception _ #:continuable? _)
> >
> > ice-9/boot-9.scm:1683:16: In procedure raise-exception:
> > X.509 certificate of 'pypi.org' could not be verified:
> >   revocation-data-superseded
> >   invalid
> >
> > I found a old discuss in
> > https://lists.gnu.org/archive/html/guix-devel/2018-03/msg00247.html,
> > but set SSL_CERTS_DIR to /etc/ssl/certs don't working.
> 
> [...]
> 
> Do you have nss-certs installed in your operating system declaration (on
> Guix System) ?
> 
> Not sure if it could help, but I just updated nss-certs to 3.88.1, up
> from 3.85, so pulling and reconfiguring your system may help.

I tried to update nss-certs, after reconfiguring system still report this.

> 
> -- 
> Thanks,
> Maxim

Re: pypi import certs issues

[James R. Haigh (+ML.GNU.Guix subaddress)]

Hi c4droid,

At Z+0800=2023-05-08Mon23:55:06, c4droid sent:
> […]

You appear to have sent an email from the future.  That time is currently over 4 hours into the future.  Note that certificate validation relies upon correct clock synchronisation, so without even looking into the details of what is going on with Guix, simply correcting your system clock time may in fact resolve your issue afterall.

	Looking at the Received headers on your email, I notice that your email was in fact sent a few hours in the past:–

Mon, 08 May 2023 15:55:05 +0800
Mon, 08 May 2023 03:55:26 -0400
Mon, 08 May 2023 03:55:29 -0400
Mon, 08 May 2023 03:55:31 -0400
Mon, 08 May 2023 09:55:59 +0200
Mon, 08 May 2023 09:56:02 +0200

These are all broadly the same time: UTC+0=07:55.  Therefore, at the time of sending, the timestamp in the Date header of your email was precisely 8 hours into the future.  Its timezone is also UTC+8, which indicates that you may have actually confused local time with system time when setting the time.  If you set your system time to UTC+8 and then on top of that your local time adds another 8 hours, at UTC+0=07:55, UTC+8+8=23:55.  That seems like a plausible explanation.

	Furthermore, a common cause for system time being set to local time is if you dual-boot with another operating system that does not respect the system time being independent of local time.  I have heard that this is a common problem for those who dual-boot with Microsoft Windows – at least it was in the days of XP.  I don't know whether it is still a common issue in newer versions, but if you have such a dual-boot and this keeps happening, that would be a good first place to investigate to try to fix the issue.

Kind regards,
James.
-- 
Wealth doesn't bring happiness, but poverty brings sadness.
Sent from Debian with Claws Mail, using email subaddressing as an alternative to error-prone heuristical spam filtering.

Re: pypi import certs issues

[c4droid]

Hi, James.

On Mon, May 08, 2023 at 12:55:57PM +0100, James R. Haigh (+ML.GNU.Guix subaddress) wrote:
> Hi c4droid,
> 
> At Z+0800=2023-05-08Mon23:55:06, c4droid sent:
> > […]
> 

Thanks for the hint, I just checked my system services noticed the ntp is not install on my system,
after set it up, everything is normal.

> You appear to have sent an email from the future.  That time is currently over 4 hours into the future.  Note that certificate validation relies upon correct clock synchronisation, so without even looking into the details of what is going on with Guix, simply correcting your system clock time may in fact resolve your issue afterall.
> 
> 	Looking at the Received headers on your email, I notice that your email was in fact sent a few hours in the past:–
> 
> Mon, 08 May 2023 15:55:05 +0800
> Mon, 08 May 2023 03:55:26 -0400
> Mon, 08 May 2023 03:55:29 -0400
> Mon, 08 May 2023 03:55:31 -0400
> Mon, 08 May 2023 09:55:59 +0200
> Mon, 08 May 2023 09:56:02 +0200
> 
> These are all broadly the same time: UTC+0=07:55.  Therefore, at the time of sending, the timestamp in the Date header of your email was precisely 8 hours into the future.  Its timezone is also UTC+8, which indicates that you may have actually confused local time with system time when setting the time.  If you set your system time to UTC+8 and then on top of that your local time adds another 8 hours, at UTC+0=07:55, UTC+8+8=23:55.  That seems like a plausible explanation.
> 
> 	Furthermore, a common cause for system time being set to local time is if you dual-boot with another operating system that does not respect the system time being independent of local time.  I have heard that this is a common problem for those who dual-boot with Microsoft Windows – at least it was in the days of XP.  I don't know whether it is still a common issue in newer versions, but if you have such a dual-boot and this keeps happening, that would be a good first place to investigate to try to fix the issue.

BTW, thanks for the answer. :)

> 
> Kind regards,
> James.
> -- 
> Wealth doesn't bring happiness, but poverty brings sadness.
> Sent from Debian with Claws Mail, using email subaddressing as an alternative to error-prone heuristical spam filtering.

Re: pypi import certs issues

[Maxim Cournoyer]

Hi,

c4droid <c4droid@foxmail.com> writes:

> Hi, Maxim
>
> On Sun, May 07, 2023 at 09:18:25PM -0400, Maxim Cournoyer wrote:
>> Hi,
>> 
>> c4droid <c4droid@foxmail.com> writes:
>> 
>> > Hi, Guix!
>> >
>> > on commit dc5430c9dc20ee53441995d9a89a90b0a86aeed3 pypi import has
>> > issues:
>> >
>> > Backtrace:
>> > In ice-9/eval.scm:
>> >     619:8 19 (_ #(#(#<directory (guile-user) 7fb1cb718c80>)))
>> > In guix/ui.scm:
>> >    2300:7 18 (run-guix . _)
>> >   2263:10 17 (run-guix-command _ . _)
>> > In guix/scripts/import.scm:
>> >     89:11 16 (guix-import . _)
>> > In ice-9/boot-9.scm:
>> >   1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
>> > In guix/scripts/import/pypi.scm:
>> >     97:21 14 (_)
>> > In guix/import/utils.scm:
>> >    638:27 13 (recursive-import "pwntools" #:repo->guix-package _ # . #)
>> >    630:33 12 (lookup-node "pwntools" #f)
>> > In guix/memoization.scm:
>> >      98:0 11 (mproc "pwntools" #:version #f #:repo->guix-package #<…> …)
>> > In unknown file:
>> >           10 (_ #<procedure 7fb1c7d05a20 at guix/memoization.scm:17…> …)
>> > In guix/import/pypi.scm:
>> >    495:21  9 (_ "pwntools" #:version _)
>> >    126:10  8 (pypi-fetch _)
>> > In ice-9/exceptions.scm:
>> >    406:15  7 (json-fetch _ #:http-fetch _ #:headers _)
>> > In ice-9/boot-9.scm:
>> >   1752:10  6 (with-exception-handler _ _ #:unwind? _ # _)
>> > In guix/import/json.scm:
>> >     53:19  5 (_)
>> > In guix/http-client.scm:
>> >    107:28  4 (http-fetch _ #:port _ #:text? _ #:buffered? _ # _ # _ # …)
>> > In guix/build/download.scm:
>> >     468:4  3 (open-connection-for-uri _ #:timeout _ # _)
>> >     360:6  2 (tls-wrap #<closed: file 7fb1c7a3ce00> _ # _)
>> > In ice-9/boot-9.scm:
>> >   1685:16  1 (raise-exception _ #:continuable? _)
>> >   1683:16  0 (raise-exception _ #:continuable? _)
>> >
>> > ice-9/boot-9.scm:1683:16: In procedure raise-exception:
>> > X.509 certificate of 'pypi.org' could not be verified:
>> >   revocation-data-superseded
>> >   invalid
>> >
>> > I found a old discuss in
>> > https://lists.gnu.org/archive/html/guix-devel/2018-03/msg00247.html,
>> > but set SSL_CERTS_DIR to /etc/ssl/certs don't working.
>> 
>> [...]
>> 
>> Do you have nss-certs installed in your operating system declaration (on
>> Guix System) ?
>> 
>> Not sure if it could help, but I just updated nss-certs to 3.88.1, up
>> from 3.85, so pulling and reconfiguring your system may help.
>
> I tried to update nss-certs, after reconfiguring system still report this.

At least we've ironed out that.  I'm out of ideas for now :-/.
Hopefully a TLS certs expert jumps in.

-- 
Thanks,
Maxim