GNU bug report logs - #46829
Let's Encrypt certificate store (le-certs) expired

Previous Next

Package: guix;

Reported by: Christopher Baines <mail <at> cbaines.net>

Date: Sun, 28 Feb 2021 10:28:02 UTC

Severity: important

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 46829 in the body.
You can then email your comments to 46829 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sun, 28 Feb 2021 10:28:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christopher Baines <mail <at> cbaines.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 28 Feb 2021 10:28:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: bug-guix <at> gnu.org
Subject: Fresh install of 1.2.0 can't guix pull
Date: Sun, 28 Feb 2021 10:27:02 +0000
[Message part 1 (text/plain, inline)]
I believe there's TLS issues with pulling for the current 1.2.0 release.

root <at> horna ~# guix pull
substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
0.0 MB will be downloaded
downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
 le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%

Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix pull: error: Git error: the SSL certificate is invalid

root <at> horna ~# wget https://git.savannah.gnu.org/git/guix.git
--2021-02-28 11:22:49--  https://git.savannah.gnu.org/git/guix.git
Resolving git.savannah.gnu.org (git.savannah.gnu.org)... 209.51.188.201, 2001:470:142:5::201
Connecting to git.savannah.gnu.org (git.savannah.gnu.org)|209.51.188.201|:443... connected.
ERROR: The certificate of ‘git.savannah.gnu.org’ is not trusted.
ERROR: The certificate of ‘git.savannah.gnu.org’ doesn't have a known issuer.


This is probably possible to work around by doing:

  guix pull --url=http://git.savannah.gnu.org/git/guix.git

As the commit signatures are checked, the risk of not using HTTPS should
be reduced.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sun, 28 Feb 2021 11:07:02 GMT) Full text and rfc822 format available.

Message #8 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sun, 28 Feb 2021 12:06:34 +0100
Am Sun, Feb 28, 2021 at 10:27:02AM +0000 schrieb Christopher Baines:
> I believe there's TLS issues with pulling for the current 1.2.0 release.
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

I noticed the same for the following, slightly older version:
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 0939462e3f81bc98b38bdb7610e6a80ca1cbaa1b

And it also occurs with the current master checkout using
   ./pre-inst-env guix pull

I tried again after updating my nss-certs package, but it did not make
any difference.

This is on dover, an aarch64 machine. I successfully did "guix pull"
on other machines, however.

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sun, 28 Feb 2021 11:11:02 GMT) Full text and rfc822 format available.

Message #11 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sun, 28 Feb 2021 12:10:15 +0100
Am Sun, Feb 28, 2021 at 10:27:02AM +0000 schrieb Christopher Baines:
> This is probably possible to work around by doing:
>   guix pull --url=http://git.savannah.gnu.org/git/guix.git

This works, thanks for sharing! But it prints a nonsensical warning message:
Updating channel 'guix' from Git repository at 'http://git.savannah.gnu.org/git/guix.git'...
Authenticating channel 'guix', commits 9edb3f6 to bebfe06 (7,806 new commits)...
guix pull: warning: pulled channel 'guix' from a mirror of https://git.savannah.gnu.org/git/guix.git, which might be stale
Building from this channel:
  guix      http://git.savannah.gnu.org/git/guix.git	bebfe06

It is weird to call the https location a potentially stale mirror of the
http location.

Andreas





Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 01 Mar 2021 10:03:01 GMT) Full text and rfc822 format available.

Message #14 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 01 Mar 2021 10:49:14 +0100
Hi Chris,

On Sun, 28 Feb 2021 at 10:27, Christopher Baines <mail <at> cbaines.net> wrote:
> I believe there's TLS issues with pulling for the current 1.2.0
> release.

Is this bug different from <http://issues.guix.gnu.org/issue/44559#8>?

And fixes are also discussed here:
<http://issues.guix.gnu.org/issue/46650>.


Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 01 Mar 2021 10:16:02 GMT) Full text and rfc822 format available.

Message #17 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Andreas Enge <andreas <at> enge.fr>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 01 Mar 2021 11:15:27 +0100
Hi,

Andreas Enge <andreas <at> enge.fr> skribis:

> This works, thanks for sharing! But it prints a nonsensical warning message:
> Updating channel 'guix' from Git repository at 'http://git.savannah.gnu.org/git/guix.git'...
> Authenticating channel 'guix', commits 9edb3f6 to bebfe06 (7,806 new commits)...
> guix pull: warning: pulled channel 'guix' from a mirror of https://git.savannah.gnu.org/git/guix.git, which might be stale
> Building from this channel:
>   guix      http://git.savannah.gnu.org/git/guix.git	bebfe06
>
> It is weird to call the https location a potentially stale mirror of the
> http location.

There’s no way to know that the two URLs point to the same thing, hence
the message.

Thanks,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 01 Mar 2021 10:20:02 GMT) Full text and rfc822 format available.

Message #20 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 01 Mar 2021 11:19:08 +0100
Hi,

Christopher Baines <mail <at> cbaines.net> skribis:

> I believe there's TLS issues with pulling for the current 1.2.0 release.
>
> root <at> horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%
>
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

That’s on an installation without ‘nss-certs’ in the system profile,
right?

I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
certification verification altogether for the ‘guix’ channel?

Thanks,
Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 01 Mar 2021 12:05:02 GMT) Full text and rfc822 format available.

Message #23 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Enge <andreas <at> enge.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 1 Mar 2021 13:03:52 +0100
Am Mon, Mar 01, 2021 at 11:19:08AM +0100 schrieb Ludovic Courtès:
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Yes, I installed nss-certs into the profiles from which I wanted to do
the "guix pull".

Andreas





Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 01 Mar 2021 14:11:01 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Fri, 05 Mar 2021 10:50:02 GMT) Full text and rfc822 format available.

Message #28 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: zimoun <zimon.toutoune <at> gmail.com>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Fri, 05 Mar 2021 10:49:04 +0000
[Message part 1 (text/plain, inline)]
zimoun <zimon.toutoune <at> gmail.com> writes:

> Hi Chris,
>
> On Sun, 28 Feb 2021 at 10:27, Christopher Baines <mail <at> cbaines.net> wrote:
>> I believe there's TLS issues with pulling for the current 1.2.0
>> release.
>
> Is this bug different from <http://issues.guix.gnu.org/issue/44559#8>?
>
> And fixes are also discussed here:
> <http://issues.guix.gnu.org/issue/46650>.

Yes, this bug is about a problem with guix pull, whereas #44559 relates
to a specific issue building the gnutls package.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Wed, 17 Mar 2021 14:38:01 GMT) Full text and rfc822 format available.

Message #31 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Wed, 17 Mar 2021 15:36:44 +0100
Hi,

Ludovic Courtès <ludo <at> gnu.org> skribis:

> Christopher Baines <mail <at> cbaines.net> skribis:
>
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>>
>> root <at> horna ~# guix pull
>> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
>> 0.0 MB will be downloaded
>> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%
>>
>> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
>> guix pull: error: Git error: the SSL certificate is invalid
>
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Looking at (guix scripts pull), I think that is the case:

  (define (honor-x509-certificates store)
    "Use the right X.509 certificates for Git checkouts over HTTPS."
    (unless (honor-system-x509-certificates!)
      (honor-lets-encrypt-certificates! store)))

By default, 1.2.0 installs ‘nss-certs’, so I would assume such
installations are unaffected, right?

> I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
> certification verification altogether for the ‘guix’ channel?

In hindsight, it seems preferable to keep X.509 authentication for now,
because there are still unauthenticated channels out there and because
it’s a bit tedious to work around it in (guix channels) and (guix git).

I checked the ‘le-certs’ package like so:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build -d le-certs) |grep pem
/gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv
/gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
/gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
$ guix build --check -v1 $(guix gc --references $(guix build -d le-certs) |grep pem)
La jenaj derivoj estos konstruataj:
   /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
   /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
   /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv

building /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem ...
|warning: rewriting hashes in `/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem'; cross fingers
building /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem ...
\warning: rewriting hashes in `/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem'; cross fingers
building /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx4.pem ...
|warning: rewriting hashes in `/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem'; cross fingers
/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem
/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem
/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem
--8<---------------cut here---------------end--------------->8---

AFAICS, everything is up-to-date here.  So I don’t get where the ‘guix
pull’ error above comes from.

Ideas?

Ludo’.




Added indication that bug 46829 blocks47297 Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Tue, 23 Mar 2021 22:44:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 19:03:01 GMT) Full text and rfc822 format available.

Message #36 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 15:02:43 -0400
[Message part 1 (text/plain, inline)]
On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> I believe there's TLS issues with pulling for the current 1.2.0 release.

On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
instructions in the manual section Binary Installation.

Then, `guix pull` succeeded for me, no problem.

Can anyone reproduce still reproduce this bug?

> root <at> horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%

If it's still around, maybe you can share this store item? I wonder if
it got corrupted.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 19:46:01 GMT) Full text and rfc822 format available.

Message #39 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 20:45:22 +0100
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>
> On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
> instructions in the manual section Binary Installation.
>
> Then, `guix pull` succeeded for me, no problem.
>
> Can anyone reproduce still reproduce this bug?

I'm pretty sure I experienced this with a fresh install of Guix System,
I should have given more information in the initial report.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 20:31:02 GMT) Full text and rfc822 format available.

Message #42 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 16:30:42 -0400
On Sat, Apr 10, 2021 at 08:45:22PM +0100, Christopher Baines wrote:
> 
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> >> I believe there's TLS issues with pulling for the current 1.2.0 release.
> >
> > On a fresh Debian ISO image, I installed Guix 1.2.0 based on the
> > instructions in the manual section Binary Installation.
> >
> > Then, `guix pull` succeeded for me, no problem.
> >
> > Can anyone reproduce still reproduce this bug?
> 
> I'm pretty sure I experienced this with a fresh install of Guix System,
> I should have given more information in the initial report.

Okay, I'm testing this now, in a VM.

I wonder if it's the same thing as
<https://lists.gnu.org/archive/html/help-guix/2021-04/msg00075.html>?




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 21:10:01 GMT) Full text and rfc822 format available.

Message #45 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 17:09:16 -0400
[Message part 1 (text/plain, inline)]
On Sat, Apr 10, 2021 at 04:30:42PM -0400, Leo Famulari wrote:
> Okay, I'm testing this now, in a VM.
> 
> I wonder if it's the same thing as
> <https://lists.gnu.org/archive/html/help-guix/2021-04/msg00075.html>?

I followed the instructions in the manual section Installing Guix in a
VM.

Then, I booted the new system, opened a terminal emulator in the XFCE
desktop environment, and ran `guix pull`. It succeeded.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 21:22:01 GMT) Full text and rfc822 format available.

Message #48 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Christopher Baines <mail <at> cbaines.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 22:21:35 +0100
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Apr 10, 2021 at 04:30:42PM -0400, Leo Famulari wrote:
>> Okay, I'm testing this now, in a VM.
>> 
>> I wonder if it's the same thing as
>> <https://lists.gnu.org/archive/html/help-guix/2021-04/msg00075.html>?
>
> I followed the instructions in the manual section Installing Guix in a
> VM.
>
> Then, I booted the new system, opened a terminal emulator in the XFCE
> desktop environment, and ran `guix pull`. It succeeded.

Maybe it just doesn't work for the root user... I encountered this when
running guix pull as the root user on a headless machine.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 22:55:01 GMT) Full text and rfc822 format available.

Message #51 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 18:54:23 -0400
[Message part 1 (text/plain, inline)]
On Sat, Apr 10, 2021 at 10:21:35PM +0100, Christopher Baines wrote:
> Maybe it just doesn't work for the root user... I encountered this when
> running guix pull as the root user on a headless machine.

I logged in as root from the console, and `guix pull` worked there too.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 23:05:03 GMT) Full text and rfc822 format available.

Message #54 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 19:04:28 -0400
[Message part 1 (text/plain, inline)]
On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...

I downloaded this file, un-lzipped it, and extracted the nar. The
results are bit-identical to the le-certs from ci.guix.gnu.org.

Maybe there was a momentary misconfiguration on Savannah? Or something
like that?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sat, 10 Apr 2021 23:14:01 GMT) Full text and rfc822 format available.

Message #57 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sat, 10 Apr 2021 19:13:09 -0400
[Message part 1 (text/plain, inline)]
On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> root <at> horna ~# wget https://git.savannah.gnu.org/git/guix.git
> --2021-02-28 11:22:49--  https://git.savannah.gnu.org/git/guix.git
> Resolving git.savannah.gnu.org (git.savannah.gnu.org)... 209.51.188.201, 2001:470:142:5::201
> Connecting to git.savannah.gnu.org (git.savannah.gnu.org)|209.51.188.201|:443... connected.
> ERROR: The certificate of ‘git.savannah.gnu.org’ is not trusted.
> ERROR: The certificate of ‘git.savannah.gnu.org’ doesn't have a known issuer.

By the way, it's expected that wget would fail here, if you had not
installed and configured nss-certs as directed in the manual.

`guix pull` uses its own certificate store (le-certs), and it's
suppposed to happen automatically.
[signature.asc (application/pgp-signature, inline)]

Changed bug title to '`guix pull` uses incorrect certificate store' from 'Fresh install of 1.2.0 can't guix pull' Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Sun, 11 Apr 2021 20:16:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Sun, 11 Apr 2021 20:43:02 GMT) Full text and rfc822 format available.

Message #62 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sun, 11 Apr 2021 16:41:11 -0400
On Wed, Mar 17, 2021 at 03:36:44PM +0100, Ludovic Courtès wrote:
>   (define (honor-x509-certificates store)
>     "Use the right X.509 certificates for Git checkouts over HTTPS."
>     (unless (honor-system-x509-certificates!)
>       (honor-lets-encrypt-certificates! store)))
> 
> By default, 1.2.0 installs ‘nss-certs’, so I would assume such
> installations are unaffected, right?

So, the bug here is that `guix pull` is using the wrong certificate
store. It should use le-certs, but is instead ignoring le-certs, and
looking for a system-wide store that doesn't exist.

I tested with an installer image from current master, and the bug still
exists.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 01:30:01 GMT) Full text and rfc822 format available.

Message #65 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sun, 11 Apr 2021 21:29:00 -0400
On Sun, Apr 11, 2021 at 04:41:11PM -0400, Leo Famulari wrote:
> On Wed, Mar 17, 2021 at 03:36:44PM +0100, Ludovic Courtès wrote:
> >   (define (honor-x509-certificates store)
> >     "Use the right X.509 certificates for Git checkouts over HTTPS."
> >     (unless (honor-system-x509-certificates!)
> >       (honor-lets-encrypt-certificates! store)))
> > 
> > By default, 1.2.0 installs ‘nss-certs’, so I would assume such
> > installations are unaffected, right?
> 
> So, the bug here is that `guix pull` is using the wrong certificate
> store. It should use le-certs, but is instead ignoring le-certs, and
> looking for a system-wide store that doesn't exist.
> 
> I tested with an installer image from current master, and the bug still
> exists.

I checked and, although there have been some changes upstream at Let's
Encrypt [0], our le-certs still works for contacting Savannah with TLS.

[0] Some new root and intermediate certificates:

https://letsencrypt.org/certificates/

Once we fix this bug, we should look into updating the le-certs package.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 06:43:02 GMT) Full text and rfc822 format available.

Message #68 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 02:42:07 -0400
On Sun, Apr 11, 2021 at 09:29:00PM -0400, Leo Famulari wrote:
> I checked and, although there have been some changes upstream at Let's
> Encrypt [0], our le-certs still works for contacting Savannah with TLS.

I checked wrong; le-certs needs to be updated. I'm testing the update
now...

> [0] Some new root and intermediate certificates:
> 
> https://letsencrypt.org/certificates/




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 08:31:01 GMT) Full text and rfc822 format available.

Message #71 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 04:30:04 -0400
[Message part 1 (text/plain, inline)]
On Mon, Apr 12, 2021 at 02:42:07AM -0400, Leo Famulari wrote:
> I checked wrong; le-certs needs to be updated. I'm testing the update
> now...

I couldn't figure out how to test an update of the Guix package, but
here is my patch updating le-certs.

`make update-guix-package` segfaults for me, sometime after it updates
the source tree but before adding the source checkout to the store.

I did `guix build guix --with-git-url=guix=$PWD`, which succeeded, but
using --with-git-url changes the derivation, so I couldn't test this in
a VM sans nss-certs.
[0001-gnu-le-certs-Update-to-new-Let-s-Encrypt-certificate.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 12:26:01 GMT) Full text and rfc822 format available.

Message #74 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 14:25:43 +0200
Hi Leo,

Leo Famulari <leo <at> famulari.name> skribis:

> I couldn't figure out how to test an update of the Guix package, but
> here is my patch updating le-certs.

Cool!

> `make update-guix-package` segfaults for me, sometime after it updates
> the source tree but before adding the source checkout to the store.

Could you grab a backtrace, with:

  gdb $(which guile) core

where ‘core’ is the core file (it might live elsewhere on a foreign
distro).  It could be that the foreign distro packages being used are
buggy, or that a mixture of Guix- and distro-provided libraries are
being loaded.

In the meantime, you could also update the ‘guix’ package by hand for
testing purposes.

> From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Mon, 12 Apr 2021 02:19:33 -0400
> Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.
>
> * gnu/packages/certs.scm (le-certs): Update the certificate store.
> [inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
> letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
> letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
> letsencryptauthorityx4.pem.
> [arguments]: Adjust the builder accordingly.

Nice!  So how do we know if/when this has to be updated?  Maybe we can
add a ‘release-monitoring-url’ property?

I just checked that the files currently in use were still there, and
they are, but they’re outdated.

Thanks!

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 12:26:02 GMT) Full text and rfc822 format available.

Message #77 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 14:25:11 +0200
Hi Leo,

Leo Famulari <leo <at> famulari.name> skribis:

> I couldn't figure out how to test an update of the Guix package, but
> here is my patch updating le-certs.

Cool!

> `make update-guix-package` segfaults for me, sometime after it updates
> the source tree but before adding the source checkout to the store.

Could you grab a backtrace, with:

  gdb $(which guile) core

where ‘core’ is the core file (it might live elsewhere on a foreign
distro).  It could be that the foreign distro packages being used are
buggy, or that a mixture of Guix- and distro-provided libraries are
being loaded.

In the meantime, you could also update the ‘guix’ package by hand for
testing purposes.

> From f0da45e7b78a6dd2b51dec1a948ea95866811c02 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo <at> famulari.name>
> Date: Mon, 12 Apr 2021 02:19:33 -0400
> Subject: [PATCH] gnu: le-certs: Update to new Let's Encrypt certificates.
>
> * gnu/packages/certs.scm (le-certs): Update the certificate store.
> [inputs]: Add isrgrootx2.pem, letsencryptauthorityr3.pem,
> letsencryptauthorityr4.pem, letsencryptauthoritye1.pem, and
> letsencryptauthoritye2.pem. Remove letsencryptauthorityx3.pem and
> letsencryptauthorityx4.pem.
> [arguments]: Adjust the builder accordingly.

Nice!  So how do we know if/when this has to be updated?  Maybe we can
add a ‘release-monitoring-url’ property?

I just checked that the files currently in use were still there, and
they are, but they’re outdated.

Thanks!

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 17:03:02 GMT) Full text and rfc822 format available.

Message #80 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 13:02:09 -0400
On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> In the meantime, you could also update the ‘guix’ package by hand for
> testing purposes.

I tried this, but I can't figure out how to actually build the updated
Guix package, since the source code isn't added to the store.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 17:16:02 GMT) Full text and rfc822 format available.

Message #83 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 13:15:11 -0400
On Mon, Apr 12, 2021 at 02:25:11PM +0200, Ludovic Courtès wrote:
> Could you grab a backtrace, with:
> 
>   gdb $(which guile) core

I don't know where to find this 'core' file. I'm on Guix System (the
Berlin server).




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 17:33:01 GMT) Full text and rfc822 format available.

Message #86 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 13:32:21 -0400
[Message part 1 (text/plain, inline)]
On Mon, Apr 12, 2021 at 01:15:11PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 02:25:11PM +0200, Ludovic Courtès wrote:
> > Could you grab a backtrace, with:
> > 
> >   gdb $(which guile) core
> 
> I don't know where to find this 'core' file. I'm on Guix System (the
> Berlin server).

I did `ulimit -c unlimited`, and then the core file was created at
/tmp/core.

I ran your command, and this is the output:

------
gdb $(which guile) /tmp/core                                                                                                                                          
GNU gdb (GDB) 10.1                                                                                                                                                                              
Copyright (C) 2020 Free Software Foundation, Inc.                                                                                                                                               
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>                                                                                                                   
This is free software: you are free to change and redistribute it.                                                                                                                              
There is NO WARRANTY, to the extent permitted by law.                                                                                                                                           
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /gnu/store/ildwvd8sl92znmwpxlnp7pbjkfwccih4-profile/bin/guile...
(No debugging symbols found in /gnu/store/ildwvd8sl92znmwpxlnp7pbjkfwccih4-profile/bin/guile)

warning: Can't open file /home/lfam/.cache/guile/ccache/3.0-LE-8-4.4/home/lfam/guix/gnu/packages/package-management.scm.go (deleted) during file-backed mapping note processing
[New LWP 70404]
[New LWP 70409]
[New LWP 70408]
[New LWP 70412]
[New LWP 70411]
[New LWP 70413]
[New LWP 70410]
[New LWP 70417]
[New LWP 70414]
[New LWP 70416]
[New LWP 70415]
[New LWP 70418]
[New LWP 70419]
[New LWP 70421]
[New LWP 70422]
[New LWP 70420]
[New LWP 70423]
[New LWP 70424]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
Core was generated by `/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile ./build-aux/updat'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
[Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
;;;       or pass the --no-auto-compile argument to disable.
;;; compiling /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:293:20: warning: possibly unbound variable `program-debug-info-name'
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:326:9: warning: possibly unbound variable `find-source-for-addr'
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:326:31: warning: possibly unbound variable `program-debug-info-addr'
;;; /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm:327:31: warning: possibly unbound variable `program-debug-info-context'
;;; compiled /home/lfam/.cache/guile/ccache/3.0-LE-8-4.2/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1.3.0-gdb.scm.go
;;; compiling /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/share/guile/3.0/system/base/types.scm
;;; compiled /home/lfam/.cache/guile/ccache/3.0-LE-8-4.2/gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/share/guile/3.0/system/base/types.scm.go
------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 12 Apr 2021 18:27:02 GMT) Full text and rfc822 format available.

Message #89 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Mon, 12 Apr 2021 14:26:47 -0400
On Mon, Apr 12, 2021 at 01:02:09PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> > In the meantime, you could also update the ‘guix’ package by hand for
> > testing purposes.
> 
> I tried this, but I can't figure out how to actually build the updated
> Guix package, since the source code isn't added to the store.

Alright, I pushed a branch 'wip-update-le-certs' to Savannah and built
the Guix package, and then a VM image sans nss-certs.

I confirm that updating the le-certs package fixes this bug.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Tue, 13 Apr 2021 08:13:02 GMT) Full text and rfc822 format available.

Message #92 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Tue, 13 Apr 2021 10:12:13 +0200
Hi,

Leo Famulari <leo <at> famulari.name> skribis:

> I ran your command, and this is the output:

Could you type ‘bt’ (backtrace) at the GDB prompt?

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Tue, 13 Apr 2021 09:31:02 GMT) Full text and rfc822 format available.

Message #95 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
Date: Tue, 13 Apr 2021 11:29:58 +0200
Hi,

Leo Famulari <leo <at> famulari.name> skribis:

> On Sun, Apr 11, 2021 at 09:29:00PM -0400, Leo Famulari wrote:
>> I checked and, although there have been some changes upstream at Let's
>> Encrypt [0], our le-certs still works for contacting Savannah with TLS.
>
> I checked wrong; le-certs needs to be updated. I'm testing the update
> now...

So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
pull’ uses the LE certs, but these certificates expire quite frequently,
whereas if you have ‘nss-certs’ installed, there’s “always” a valid
authentication chain from the roots.

Indeed, running ‘guix pull’ in the 1.2.0 live VM image works (it has
‘nss-certs’ installed in /etc/ssl/certs).  Likewise, a Guix System 1.2.0
installation that includes ‘nss-certs’ (which is the default) is
unaffected.

For those who do not have ‘nss-certs’ installed, a workaround is to do
avoid HTTPS:

  guix pull --url=http://git.savannah.gnu.org/git/guix.git

This is fine because the ‘guix’ channel is authenticated anyway.

We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
For that, Guile-Git needs to implement
‘git_transport_certificate_check_cb’ & co.  I started doing that but
it’s a bit of work (wrapping ‘struct git_cert’ is cumbersome) so I’m
willing to punt on it for now.

Thoughts?

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Tue, 13 Apr 2021 17:45:02 GMT) Full text and rfc822 format available.

Message #98 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
Date: Tue, 13 Apr 2021 13:44:49 -0400
[Message part 1 (text/plain, inline)]
On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
> pull’ uses the LE certs, but these certificates expire quite frequently,
> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
> authentication chain from the roots.

No, that's incorrect. The certificates in le-certs expired after 5
years, so it's not frequent.

These are the root and intermediate certificates for the Let's Encrypt
certificate authority — they are not the 90 day certificates used by a
webserver.

The problem is that we (I) failed to pay attention and let our le-certs
package go stale.

> For those who do not have ‘nss-certs’ installed, a workaround is to do
> avoid HTTPS:

The original motivation of le-certs was that nss-certs would not be
required, and that `guix pull` would always work. I think we should
still try to achieve this.

>   guix pull --url=http://git.savannah.gnu.org/git/guix.git
> 
> This is fine because the ‘guix’ channel is authenticated anyway.

Yes, that works and is pretty safe. Although Guix will complain because
it can't tell that this is the same repo.

> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.

I think we should avoid adding "use insecure connection" options. Even
if the code itself is signed.

I'm going to figure out how to subscribe to Let's Encrypt announcements
and I'll report back with ideas about how to avoid a repeat of the
problem.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Tue, 13 Apr 2021 17:48:01 GMT) Full text and rfc822 format available.

Message #101 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Tue, 13 Apr 2021 13:47:23 -0400
On Mon, Apr 12, 2021 at 02:26:47PM -0400, Leo Famulari wrote:
> On Mon, Apr 12, 2021 at 01:02:09PM -0400, Leo Famulari wrote:
> > On Mon, Apr 12, 2021 at 02:25:43PM +0200, Ludovic Courtès wrote:
> > > In the meantime, you could also update the ‘guix’ package by hand for
> > > testing purposes.
> > 
> > I tried this, but I can't figure out how to actually build the updated
> > Guix package, since the source code isn't added to the store.
> 
> Alright, I pushed a branch 'wip-update-le-certs' to Savannah and built
> the Guix package, and then a VM image sans nss-certs.

I've pushed the update patch as
15de49e60b255b98a53c6de4780e1ae95a8beada.

Now, we just need to update Guix package for it to take effect for
users, IIUC.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Tue, 13 Apr 2021 18:10:01 GMT) Full text and rfc822 format available.

Message #104 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Tue, 13 Apr 2021 14:09:11 -0400
[Message part 1 (text/plain, inline)]
On Tue, Apr 13, 2021 at 10:12:13AM +0200, Ludovic Courtès wrote:
> Could you type ‘bt’ (backtrace) at the GDB prompt?

It goes like this:

------
Using host libthread_db library "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
Core was generated by `/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile ./build-aux/updat'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000000000 in ?? ()
[Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007eff61d9d4c4 in git_buf_try_grow () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#2  0x00007eff61d9d7a5 in git_buf_set () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#3  0x00007eff61deffe7 in git_path_prettify () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#4  0x00007eff61e043ad in find_repo () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#5  0x00007eff61e0528b in git_repository_discover () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
#6  0x00007eff7de6166d in ffi_call_unix64 () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
#7  0x00007eff7de5fac0 in ffi_call_int () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
#8  0x00007eff7df4efbe in scm_i_foreign_call () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#9  0x00007eff7dfbd904 in foreign_call () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#10 0x00007eff7dfc4118 in vm_regular_engine () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#11 0x00007eff7dfc55b5 in scm_call_n () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#12 0x00007eff7df42d27 in scm_primitive_eval () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#13 0x00007eff7df42d83 in scm_eval () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#14 0x00007eff7df9b830 in scm_shell () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#15 0x00007eff7df5a73d in invoke_main_func () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#16 0x00007eff7df3cb0a in c_body () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#17 0x00007eff7dfc4149 in vm_regular_engine () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#18 0x00007eff7dfc55b5 in scm_call_n () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#19 0x00007eff7df41bba in scm_call_2 () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#20 0x00007eff7df433ba in scm_c_with_exception_handler () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#21 0x00007eff7dfbac3d in scm_c_catch () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#22 0x00007eff7df3d0b3 in scm_i_with_continuation_barrier () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#23 0x00007eff7df3d145 in scm_c_with_continuation_barrier () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#24 0x00007eff7dfb96df in with_guile () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#25 0x00007eff7de97c78 in GC_call_with_stack_base () from /gnu/store/zg126cjicrpm2p6zc08ra5vh4ddag7ww-libgc-8.0.4/lib/libgc.so.1
#26 0x00007eff7dfb99f8 in scm_with_guile () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#27 0x00007eff7df5a8b2 in scm_boot_guile () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1
#28 0x0000000000401100 in main ()
------

By the way, I can no longer reproduce the crash, now that I am using
`make update-guix-package` with a commit that has been pushed to
Savannah.
[signature.asc (application/pgp-signature, inline)]

Changed bug title to 'Let's Encrypt certificate store (le-certs) expired' from '`guix pull` uses incorrect certificate store' Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Tue, 13 Apr 2021 18:27:02 GMT) Full text and rfc822 format available.

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Wed, 14 Apr 2021 01:09:02 GMT) Full text and rfc822 format available.

Notification sent to Christopher Baines <mail <at> cbaines.net>:
bug acknowledged by developer. (Wed, 14 Apr 2021 01:09:02 GMT) Full text and rfc822 format available.

Message #111 received at 46829-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Christopher Baines <mail <at> cbaines.net>
Cc: 46829-done <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Tue, 13 Apr 2021 21:08:20 -0400
[Message part 1 (text/plain, inline)]
On Sun, Feb 28, 2021 at 10:27:02AM +0000, Christopher Baines wrote:
> root <at> horna ~# guix pull
> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
> 0.0 MB will be downloaded
> downloading from https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0 ...
>  le-certs-0  4KiB                                                                                                                                                           1.8MiB/s 00:00 [##################] 100.0%
> 
> Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
> guix pull: error: Git error: the SSL certificate is invalid

This should be fixed with commit
a758a8a3c20052c5f1228e1ec80068652bbc3849, which updates the Guix package
to include commit 15de49e60b255b98a53c6de4780e1ae95a8beada.

There's nothing we can do for the 1.2.0 release artifacts at this point.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Wed, 14 Apr 2021 10:51:02 GMT) Full text and rfc822 format available.

Message #114 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
Date: Wed, 14 Apr 2021 12:50:39 +0200
Hi,

Leo Famulari <leo <at> famulari.name> skribis:

> On Tue, Apr 13, 2021 at 11:29:58AM +0200, Ludovic Courtès wrote:
>> So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix
>> pull’ uses the LE certs, but these certificates expire quite frequently,
>> whereas if you have ‘nss-certs’ installed, there’s “always” a valid
>> authentication chain from the roots.
>
> No, that's incorrect. The certificates in le-certs expired after 5
> years, so it's not frequent.
>
> These are the root and intermediate certificates for the Let's Encrypt
> certificate authority — they are not the 90 day certificates used by a
> webserver.
>
> The problem is that we (I) failed to pay attention and let our le-certs
> package go stale.

OK.  5 years still looks kinda “frequent” to me.  I would think that old
software installations (including “appliances”) would live longer than
that, no?

You install Guix on a laptop, you leave it in a drawer, and you come a
few years later and you can neither access HTTPS web sites nor run ‘guix
pull’?

>> For those who do not have ‘nss-certs’ installed, a workaround is to do
>> avoid HTTPS:
>
> The original motivation of le-certs was that nss-certs would not be
> required, and that `guix pull` would always work. I think we should
> still try to achieve this.

OK.

>> We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
>
> I think we should avoid adding "use insecure connection" options. Even
> if the code itself is signed.

“Insecure” is a strong word: it still prevents eavesdropping, which is
the only property that matters in the presence of authenticated
channels.

> I'm going to figure out how to subscribe to Let's Encrypt announcements
> and I'll report back with ideas about how to avoid a repeat of the
> problem.

Yes, that’s the better option.  Thank you!

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Wed, 14 Apr 2021 14:19:02 GMT) Full text and rfc822 format available.

Message #117 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: François <francois-oss <at> avalenn.eu>
To: 46829 <at> debbugs.gnu.org, leo <at> famulari.name, mail <at> cbaines.net
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Wed, 14 Apr 2021 11:44:10 +0200
Hello,

On Tue, Apr 13, 2021 at 09:08:20PM -0400, Leo Famulari wrote:
> There's nothing we can do for the 1.2.0 release artifacts at this point.

Is there any place were we could document the problem and the suggested
workaround by Ludo (--url=http://)? Perhaps on the "Installation"
chapter of the manual, near the line documenting "guix pull"?

Cheers,
François




Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Wed, 14 Apr 2021 19:58:01 GMT) Full text and rfc822 format available.

Message #120 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Ludovic Courtès <ludo <at> gnu.org>, Leo Famulari
 <leo <at> famulari.name>
Cc: 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
Date: Wed, 14 Apr 2021 21:57:03 +0200
[Message part 1 (text/plain, inline)]
On Wed, 2021-04-14 at 12:50 +0200, Ludovic Courtès wrote:
> [...]
> > > We could also add a ‘--no-check-certificates’ option to ‘guix pull’.
> > 
> > I think we should avoid adding "use insecure connection" options. Even
> > if the code itself is signed.
> 
> “Insecure” is a strong word: it still prevents eavesdropping, which is
> the only property that matters in the presence of authenticated
> channels.

Maybe call the option '--tolerate-eavesdropping' then?  That name:

* is technically correct
* doesn't suggest the option is "Insecure"
* but still sounds like something you don't want
* should be clear to people not knowing about TLS' PKI infrastructure,
  ‘will eventually’™ be replaced with GNS + <insert GNUnet protocol here> or
  something like that, which wouldn't use such a centralised structure.

Thoughts?
Maxime.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Wed, 21 Apr 2021 13:15:01 GMT) Full text and rfc822 format available.

Message #123 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Wed, 21 Apr 2021 15:14:14 +0200
Leo Famulari <leo <at> famulari.name> skribis:

> On Tue, Apr 13, 2021 at 10:12:13AM +0200, Ludovic Courtès wrote:
>> Could you type ‘bt’ (backtrace) at the GDB prompt?
>
> It goes like this:
>
> ------
> Using host libthread_db library "/gnu/store/fa6wj5bxkj5ll1d7292a70knmyl7a0cr-glibc-2.31/lib/libthread_db.so.1".
> Core was generated by `/gnu/store/66xwl53f9ws7gin8iaqkhg111gimw1li-profile/bin/guile ./build-aux/updat'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x0000000000000000 in ?? ()
> [Current thread is 1 (Thread 0x7eff7d8cdb80 (LWP 70404))]
> (gdb) bt
> #0  0x0000000000000000 in ?? ()
> #1  0x00007eff61d9d4c4 in git_buf_try_grow () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #2  0x00007eff61d9d7a5 in git_buf_set () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #3  0x00007eff61deffe7 in git_path_prettify () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #4  0x00007eff61e043ad in find_repo () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #5  0x00007eff61e0528b in git_repository_discover () from /gnu/store/2rwa9h8w3ha0hj3zkbnrq1p2z199s2hn-libgit2-1.1.0/lib/libgit2.so
> #6  0x00007eff7de6166d in ffi_call_unix64 () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
> #7  0x00007eff7de5fac0 in ffi_call_int () from /gnu/store/bw15z9kh9c65ycc2vbhl2izwfwfva7p1-libffi-3.3/lib/libffi.so.7
> #8  0x00007eff7df4efbe in scm_i_foreign_call () from /gnu/store/m5iprcg6pb5ch86r9agmqwd8v6kp7999-guile-3.0.5/lib/libguile-3.0.so.1

BTW, this must be fixed by 5b35c9adc899749a0bd96a0e6d2c3bbf88e38963.

Ludo'.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 20 May 2021 11:24:06 GMT) Full text and rfc822 format available.

bug unarchived. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Mon, 31 May 2021 19:18:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#46829; Package guix. (Mon, 31 May 2021 19:18:02 GMT) Full text and rfc822 format available.

Message #130 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: `guix pull` uses incorrect certificate store
Date: Mon, 31 May 2021 15:17:53 -0400
On Wed, Apr 14, 2021 at 12:50:39PM +0200, Ludovic Courtès wrote:
> OK.  5 years still looks kinda “frequent” to me.  I would think that old
> software installations (including “appliances”) would live longer than
> that, no?
> 
> You install Guix on a laptop, you leave it in a drawer, and you come a
> few years later and you can neither access HTTPS web sites nor run ‘guix
> pull’?

Yeah, that's bad.

Let's go ahead with adding some kind of '--allow-insecure-transport'
option to `guix pull` for this use case. Bonus points for making it
sounds as scary as possible :)




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 29 Jun 2021 11:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 273 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.