all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Certificates in pure and containerized environments
@ 2021-09-30 10:08 Konrad Hinsen
  2021-10-03 16:45 ` Wiktor Żelazny
  0 siblings, 1 reply; 11+ messages in thread
From: Konrad Hinsen @ 2021-09-30 10:08 UTC (permalink / raw)
  To: help-guix

Dear Guix experts,

I am trying to move the execution of a Python script into a pure
environment, but it fails because of certificate issues for which I am
looking for a good fix.

The minimal example I came up with is:

   guix environment --pure \
           --ad-hoc python -- \
           python3 -c 'import urllib.request; print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS"))'

This fails with the error message

    urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1108)>

I have no idea why Python's urllib checks a certificate chain for a http
URL, but that's not my subject now. A variant that works fine is

   guix environment --pure --preserve=^SSL_CERT \
           --ad-hoc python -- \
           python3 -c 'import urllib.request; print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS"))'

which adds two environment variables to the temporary environment:

   SSL_CERT_DIR=/home/hinsen/.guix-profile/etc/ssl/certs
   SSL_CERT_FILE=/home/hinsen/.guix-profile/etc/ssl/certs/ca-certificates.crt

Since all the certificates come from Guix, I expect that I should also
be able to use

   guix environment --pure \
           --ad-hoc python nss-certs -- \
           python3 -c 'import urllib.request; print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS"))'

but this doesn't work - same error as initially.

I am not happy with exposing an environment variable from my personal
account, as I want my run to be reproducible and portable to any machine
running Guix, Ideally, I'd even move on to a containerized environment.
Is there any way to achieve this?

Thanks in advance,
  Konrad



^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-10-13 11:52 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-09-30 10:08 Certificates in pure and containerized environments Konrad Hinsen
2021-10-03 16:45 ` Wiktor Żelazny
2021-10-04  7:25   ` zimoun
2021-10-04  9:37     ` Konrad Hinsen
2021-10-04 10:04       ` zimoun
2021-10-10 15:42     ` Wiktor Żelazny
2021-10-11  6:27       ` Konrad Hinsen
2021-10-05 17:42   ` Maxim Cournoyer
2021-10-08  8:47     ` Konrad Hinsen
2021-10-11 15:05       ` Maxim Cournoyer
2021-10-13 11:51         ` Konrad Hinsen

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.