GNU bug report logs -
#36363
let's encrypt hash mismatch
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 36363 in the body.
You can then email your comments to 36363 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org
:
bug#36363
; Package
guix
.
(Mon, 24 Jun 2019 17:24:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Julien Lepiller <julien <at> lepiller.eu>
:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org
.
(Mon, 24 Jun 2019 17:24:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi!
trying to run guix pull on the overdrive at my place to try and fix a
bug in openssh which doesn't start at boot, I get this error message:
building /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv...
building /gnu/store/3s8l6bg8gsfxrqallc5w02drl1m021ky-letsencryptauthorityx3.pem.drv...
Starting download
of /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem From
https://letsencrypt.org/certs/isrgrootx1.pem...
Starting download
of /gnu/store/bcq7sqhg18b7b1q87j8z60d5hybsdafm-letsencryptauthorityx3.pem
From https://letsencrypt.org/certs/letsencryptauthorityx3.pem...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem...
downloading from
https://letsencrypt.org/certs/letsencryptauthorityx3.pem...
letsencryptauthorityx3.pem 2KiB 385KiB/s 00:00
[##################] 100.0% sha256 hash mismatch
for /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem:
expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
hash mismatch for store item
'/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
of /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv
failed View build log at
'/var/log/guix/drvs/qv/rwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv.bz2'.
cannot build derivation
`/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv': 1
dependencies couldn't be built guix pull: error: build failed: build
of `/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv' failed
Thanks!
Information forwarded
to
bug-guix <at> gnu.org
:
bug#36363
; Package
guix
.
(Mon, 24 Jun 2019 18:45:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 36363 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Julien,
Julien Lepiller wrote:
> trying to run guix pull on the overdrive at my place to try and
> fix a
> bug in openssh which doesn't start at boot, I get this error
> message:
[…]
> letsencryptauthorityx3.pem 2KiB 385KiB/s 00:00
> [##################] 100.0% sha256 hash mismatch
> for /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem:
> expected hash:
> 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
> actual hash:
> 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
This will keep happening until we find(/create) a versioned URL
for these files. Let's Encrypt like to change them in place.
The last time this happened they'd added CR/LF line endings for no
reason at all, but this time I don't have the old version around
anymore…
Kind regards,
T G-R
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#36363
; Package
guix
.
(Mon, 24 Jun 2019 20:10:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 36363 <at> debbugs.gnu.org (full text, mbox):
Hi Julien,
Julien Lepiller <julien <at> lepiller.eu> skribis:
> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
> hash mismatch for store item
> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
I believe you’d be fine if substitutes were enabled, but they’re not.
In the meantime, you can fetch those files with something like:
wget -O /tmp/isrgrootx1.pem \
http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
guix download file:///tmp/isrgrootx1.pem
But yeah, like Tobias writes, it’s a bit of a problem. Should we mirror
them somewhere? Does Let’s Encrypt have them under a versioned URL
elsewhere?
HTH,
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#36363
; Package
guix
.
(Sun, 21 Jul 2019 23:13:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 36363 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> Julien Lepiller <julien <at> lepiller.eu> skribis:
>
>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>> hash mismatch for store item
>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>
> I believe you’d be fine if substitutes were enabled, but they’re not.
>
> In the meantime, you can fetch those files with something like:
>
> wget -O /tmp/isrgrootx1.pem \
> http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
> guix download file:///tmp/isrgrootx1.pem
>
> But yeah, like Tobias writes, it’s a bit of a problem. Should we mirror
> them somewhere? Does Let’s Encrypt have them under a versioned URL
> elsewhere?
What is Guix using these files for? I realize it's got something to do
with TLS, but it isn't clear to me why Guix downloads these certs.
I don't have the full context, so please forgive me if my comments are
unhelpful, but before deciding to use stale versions, I think it's worth
asking, "Could using a stale version introduce any security risk?"
Maybe there's a reason why LE doesn't publish the old versions.
--
Chris
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#36363
; Package
guix
.
(Mon, 22 Jul 2019 10:35:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 36363 <at> debbugs.gnu.org (full text, mbox):
Hi Chris,
Chris Marusich <cmmarusich <at> gmail.com> skribis:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Julien Lepiller <julien <at> lepiller.eu> skribis:
>>
>>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>> hash mismatch for store item
>>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>>
>> I believe you’d be fine if substitutes were enabled, but they’re not.
>>
>> In the meantime, you can fetch those files with something like:
>>
>> wget -O /tmp/isrgrootx1.pem \
>> http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>> guix download file:///tmp/isrgrootx1.pem
>>
>> But yeah, like Tobias writes, it’s a bit of a problem. Should we mirror
>> them somewhere? Does Let’s Encrypt have them under a versioned URL
>> elsewhere?
>
> What is Guix using these files for? I realize it's got something to do
> with TLS, but it isn't clear to me why Guix downloads these certs.
This is used by (guix scripts pull) so we can always authenticate
git.savannah.gnu.org when we fetch from the Git repo. It’s used if and
only if certificates aren’t available system-wide (see
‘honor-x509-certificates’.)
Ludo’.
Reply sent
to
Tobias Geerinckx-Rice <me <at> tobias.gr>
:
You have taken responsibility.
(Fri, 09 Oct 2020 12:05:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Julien Lepiller <julien <at> lepiller.eu>
:
bug acknowledged by developer.
(Fri, 09 Oct 2020 12:05:01 GMT)
Full text and
rfc822 format available.
Message #22 received at 36363-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Closing as this specific failure has passed and any wider
discussion shouldn't happen here.
Kind regards,
T G-R
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Fri, 06 Nov 2020 12:24:06 GMT)
Full text and
rfc822 format available.
This bug report was last modified 3 years and 169 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.