From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id sOhvLkeRIWTlGQEASxT56A (envelope-from ) for ; Mon, 27 Mar 2023 14:51:19 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id 4LO7LUeRIWRQdQAAauVa8A (envelope-from ) for ; Mon, 27 Mar 2023 14:51:19 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id F09432E0BA for ; Mon, 27 Mar 2023 14:51:18 +0200 (CEST) Authentication-Results: aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1679921479; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post; bh=XT/9JBNFLH1LjM8GpsVIzpes5dqgarWxAqGgiMvcLNE=; b=glOBz9h+Oru/Y8zwGy3Qk+Jw1bB49KAWyNDrd8Wp6iO3yE2GpfcADbsH//RkMR9ran/JrY XJpjCE9N171wDg8l2KQXFKMFve/F3pcBb+1BbLHpdRTd+9x05dEm+w8re3jzQPIVdbYxH7 obiJK6/4ATTPV7M/gubYxtm/b/UMU/Ysi6HPi3fV5uHrFeZZNjhDlmS7EBl4zw06Btp+1L jjqfYRq3oUZXspqFf/eZ4Ein9ggONfL8Mf1hnKg74LL5aya6xmEq8O43542mRx0f3BpWEQ z6Mybd0AicDffgf6dg4+vH0HLkpMb+afeJyGpAU/SuTHKyLAOe8c2g0y1cHQlQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1679921479; a=rsa-sha256; cv=none; b=gLpSa7sGDsU8AIboRc0AyqIoDg2y+bbfzylQirq5oouHLTDvGg+QACqgwXYB0cJE91mKBv JydOgot85hUp2qcydA2Pc53mS7XeW4XkIiGoLipvbs1qPwsDJrWFeSmNToQ4jg6auK2LUp Bzv4WALAuwT7r91LA+EBzc7qPxvqE66R4jSOwkQAqoKpxecbyIC+5UkolCXlEHuEb4T9ec y9LuYXPqg4T/H0PMbYH1J6SZ3b2EA34jXzOa+50lKZ9LnG5YJ3twdjTU5sjnEZHJSZwQzj ChXW44Cgkbo5VrIWZY4UHWLs22Pf2lDYoDLA8kGp6jicgzXTyb+EKCamuHN9/Q== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org"; dmarc=none Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pgmJY-0006Sa-Gp; Mon, 27 Mar 2023 08:51:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pgmJU-0006SN-Kn for bug-guix@gnu.org; Mon, 27 Mar 2023 08:51:05 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pgmJS-00073K-U1 for bug-guix@gnu.org; Mon, 27 Mar 2023 08:51:04 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pgmJS-0004mk-6h for bug-guix@gnu.org; Mon, 27 Mar 2023 08:51:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#61557: vdirsyncer fails to verify certificates Resent-From: Giovanni Biscuolo Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 27 Mar 2023 12:51:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 61557 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Ethan Blanton , 61557@debbugs.gnu.org Cc: Leo Famulari Received: via spool by 61557-submit@debbugs.gnu.org id=B61557.167992141818341 (code B ref 61557); Mon, 27 Mar 2023 12:51:02 +0000 Received: (at 61557) by debbugs.gnu.org; 27 Mar 2023 12:50:18 +0000 Received: from localhost ([127.0.0.1]:46760 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgmIk-0004lk-86 for submit@debbugs.gnu.org; Mon, 27 Mar 2023 08:50:18 -0400 Received: from ns13.heimat.it ([46.4.214.66]:36674) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgmIh-0004lS-3s for 61557@debbugs.gnu.org; Mon, 27 Mar 2023 08:50:16 -0400 Received: from localhost (ip6-localhost [127.0.0.1]) by ns13.heimat.it (Postfix) with ESMTP id C26D930087D; Mon, 27 Mar 2023 12:50:08 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it Received: from ns13.heimat.it ([127.0.0.1]) by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THWTAuI7pbbH; Mon, 27 Mar 2023 12:50:06 +0000 (UTC) Received: from bourrache.mug.xelera.it (unknown [93.56.161.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by ns13.heimat.it (Postfix) with ESMTPSA id CEBE030085C; Mon, 27 Mar 2023 12:50:06 +0000 (UTC) Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14]) by bourrache.mug.xelera.it (Postfix) with SMTP id 550B52481ED8; Mon, 27 Mar 2023 14:50:06 +0200 (CEST) Received: (nullmailer pid 25936 invoked by uid 1000); Mon, 27 Mar 2023 12:50:05 -0000 From: Giovanni Biscuolo In-Reply-To: Organization: Xelera.eu References: Date: Mon, 27 Mar 2023 14:50:04 +0200 Message-ID: <87mt3y2war.fsf@xelera.eu> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: X-Migadu-Queue-Id: F09432E0BA X-Spam-Score: -5.33 X-Migadu-Spam-Score: -5.33 X-Migadu-Scanner: scn0.migadu.com List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: bug-guix-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-TUID: zQPGx9vfm4q7 --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi Ethan, I'm also using Guix on a foreign distribution (Debian) Ethan Blanton via Bug reports for GNU Guix writes: > I had read the X.509 Certificates section of the manual, but since my > certificates ARE in the default location of /etc/ssl/certs, and > vdirsyncer had previously worked, for some reason I did not dig into > it deeply enough, or perhaps I attempted to set it up wrongly at some > point in the past. I'm pretty sure my default profile vdirsyncer was working in the past but stopped working while ago for this very same issue [1]; vdirsyncer it's not working in my default profile but it's working in my "emacs" profile Reading (again) the "X.509 Certificates" section [2] I realized that I had not set up SSL_CERT_DIR and SSL_CERT_FILE env variables in my .profile After adding this to my .profile: =2D-8<---------------cut here---------------start------------->8--- export SSL_CERT_DIR=3D"$HOME/.guix-profile/etc/ssl/certs" export SSL_CERT_FILE=3D"$HOME/.guix-profile/etc/ssl/certs/ca-certificates.c= rt" =2D-8<---------------cut here---------------end--------------->8--- now "vdirsyncer sync" is working (in my default profile, including cron jobs) As I said before, the SSL_CERT_* variables setting was/is not necessary in my emacs profile and it depends on this: within a shell in my emacs profile I have: =2D-8<---------------cut here---------------start------------->8--- $: cat $GUIX_PROFILE/etc/profile | grep -i ssl export CURL_CA_BUNDLE=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7= dlvi6rpxh-profile}/etc/ssl/certs/ca-certificates.crt" export SSL_CERT_FILE=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7d= lvi6rpxh-profile}/etc/ssl/certs/ca-certificates.crt" export SSL_CERT_DIR=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7dl= vi6rpxh-profile}/etc/ssl/certs" export GIT_SSL_CAINFO=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7= dlvi6rpxh-profile}/etc/ssl/certs/ca-certificates.crt" =2D-8<---------------cut here---------------end--------------->8--- within a shell in my default profile: =2D-8<---------------cut here---------------start------------->8--- $: cat $GUIX_PROFILE/etc/profile | grep -i ssl export GIT_SSL_CAINFO=3D"${GUIX_PROFILE:-/gnu/store/ylycvfsnm1gkzhph39g62bw= bc9lbh3g7-profile}/etc/ssl/certs/ca-certificates.crt" =2D-8<---------------cut here---------------end--------------->8--- For sure it depends on the fact that an installed package in my emacs profile (curl, not installed in my default profile) is adding "SSL_CERT_FILE" and "SSL_CERT_DIR" in $GUIX_PROFILE/etc/profile Since I usually source the latter when I switch to my "emacs" profile before starting emacs in a shell: =2D-8<---------------cut here---------------start------------->8--- GUIX_PROFILE=3D"$GUIX_EXTRA_PROFILES"/emacs/emacs; . "$GUIX_PROFILE"/etc/pr= ofile =2D-8<---------------cut here---------------end--------------->8--- I get the two env variables defined in my "emacs" profile, while in my default profile I don't > Setting SSL_CERT_DIR=3D/etc/ssl/certs in my environment fixes the > vdirsyncer package, and it syncs correctly. I'd use the Guix certs installed via nss-certs, but both dirs works obviously Please note that you should set SSL_CERT_FILE for other software > I have also discovered that python aiohttp will correctly verify > certificates WITHOUT this environment variable with: > > guix shell -P -C -N python python-aiohttp nss-certs openssl > > Leaving out EITHER nss-certs OR openssl causes aiohttp to exhibit the > same behavior as vdirsyncer. > > However, including both of these packages in the same (foreign distro) > profile that includes vdirsyncer does NOT cause vdirsyncer to > correctly verify certificates. Strange behaviour, please can you tell us what is the output of this command: =2D-8<---------------cut here---------------start------------->8--- guix shell --pure --container coreutils grep nss-certs openssl -- env | gre= p -i ssl =2D-8<---------------cut here---------------end--------------->8--- I get this (meaning that both SSL env variables are defined): =2D-8<---------------cut here---------------start------------->8--- SSL_CERT_DIR=3D/gnu/store/1ghginmnzplmp3nbv2jsavjgdjhgq4i3-profile/etc/ssl/= certs SSL_CERT_FILE=3D/gnu/store/1ghginmnzplmp3nbv2jsavjgdjhgq4i3-profile/etc/ssl= /certs/ca-certificates.crt =2D-8<---------------cut here---------------end--------------->8--- while with =2D-8<---------------cut here---------------start------------->8--- guix shell --pure --container coreutils grep nss-certs -- env | grep -i ssl =2D-8<---------------cut here---------------end--------------->8--- I get no output (meaning that env is missing SSL_CERT_* variables) So in my tests openssl (and curl) are defining "SSL_CERT_FILE" and "SSL_CERT_DIR" in $GUIX_PROFILE/etc/profile I guess that also nss-certs package could add both "SSL_CERT_FILE" and "SSL_CERT_DIR" in $GUIX_PROFILE/etc/profile but I don't know the ratio for this choiche > I am not sure what this means for this bug; certainly the change from > "working without extra configuration" to "broken without extra > configuration" is a regression in user experience, but it may be that > it is working as intended. The bug I see here is that X.509 certificates are "working without extra configuration" **depending** on installed packages. If possible I'd patch nss-certs in order to add "SSL_CERT_FILE" and "SSL_CERT_DIR" to $GUIX_PROFILE/etc/profile, this would also avoid the extra step of "manually" defining X.509 related variables on foreign distros I'd also investigate this "meta-issue" for other packages, e.g. for R that needs "CURL_CA_BUNDLE", added when installing curl but not r-minimal > It seems to me that the principle of least astonishment for foreign > distro users would suggest that python aiohttp defaults to loading > /etc/ssl/certs from the foreign distro, if present. IMHO it's better to use the nss-certs installed via Guix than the foreign distro ones HTH! Gio' [1] maybe I was using a Guix package able to add "SSL_CERT_FILE" and "SSL_CERT_DIR" to $GUIX_PROFILE/etc/profile and then I removed it [2] https://guix.gnu.org/en/manual/en/html_node/X_002e509-Certificates.html =2D-=20 Giovanni Biscuolo Xelera IT Infrastructures --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmQhkP0MHGdAeGVsZXJh LmV1AAoJENN9DqfOzDkST8QP/3C+zDL9KIeZZqjN8iLIFfFDz5gqyN5z30EpWXID du/CGki6GiiGOlQ78i4cByIk9bskLD7pLGUgsU66gmMOrP3JYUa+e8CM/XPKtkmH t8j7wvWO0Na+liSVk7zqzmaw7lOzycy9QToK3XC2sidlh4eDThs62x6L3VCCtHq7 CoyomJYO0XM9sewnkR3+GNJr5RZjZP1TzPVYCMf4ziJKnZ8c6VHq2PepOJJn8rLv D5UeRmB4z0HG9vwmnFax6zm0joV0Bn4hOZLBpbrJZd5v5qDBwocwTUDk4BffLH3D 1QzORklqkE4+10WVfxsl3gPi7GEkVxPsD8LigiiEDLo48dG7X0952GQcA1bEGbof ZawD3hFjQyDzQNTuDOt5L4ZYBcw8aD31cg4vKCLGvbOq9b0BiOk5+KD2MozikbBs 5rVR7XaUwLsuQwK4WHSi4xbCWsLfWprKpESt1w+qd9LH3rX3QW2926kv/6oq9SiN pES8EZi5HEXOmyNQonGb4sxCMa2UZaEoMZG7nKdKT+h4ngxXpMDmB8Bp+3uEqVoS oODseq4yvc0ygU+mOb+r6rpcmLyjZBoPIvfS36B6Xh5JimkZEUZn5I4JNh+4WrN3 lN9FqAdDwqNvPoEA/WjoIMvkrAU0GRH7ibrpKxMWfmWe1oI1gBMDPF3AA747NbrK BOG4 =4rvy -----END PGP SIGNATURE----- --=-=-=--