GNU bug report logs - #75902
guile-gnutls does not set up search paths for the certificates

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix; Reported by: Tomas Volf <~@wolfsden.cz>; dated Mon, 27 Jan 2025 22:05:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 75902 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Tomas Volf <~@wolfsden.cz>
Subject: Re: bug#75902: guile-gnutls does not set up search paths for the
 certificates
In-Reply-To: <87ikpzhq1q.fsf@HIDDEN> (Tomas Volf's message of "Mon, 27
 Jan 2025 23:04:17 +0100")
References: <87ikpzhq1q.fsf@HIDDEN>
Date: Sat, 15 Feb 2025 22:05:55 +0100
Message-ID: <87bjv2x6j0.fsf@HIDDEN>
Cc: 75902 <at> debbugs.gnu.org

Hi,

Tomas Volf <~@wolfsden.cz> skribis:

> We can see the difference boils down to different search paths:
>
> $ guix shell -CN guile guile-gnutls nss-certs --search-paths
> export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
> export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
> export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"

GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
Instead it’s up to applications to set up their certificate search
path.

See for example the discussion at <https://issues.guix.gnu.org/46779>.

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#75902; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Tomas Volf <~@wolfsden.cz>
To: bug-guix@HIDDEN
Subject: guile-gnutls does not set up search paths for the certificates
Date: Mon, 27 Jan 2025 23:04:17 +0100
Message-ID: <87ikpzhq1q.fsf@HIDDEN>

When trying to use (web client) Guile module, one gets the following
error:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs -- guile -c '((@ (web client) http-get) "https://gnu.org")'
Backtrace:
In ice-9/boot-9.scm:
  1752:10  7 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
           6 (apply-smob/0 #<thunk 7f625f6c1300>)
In ice-9/boot-9.scm:
    724:2  5 (call-with-prompt _ _ #<procedure default-prompt-handle?>)
In ice-9/eval.scm:
    619:8  4 (_ #(#(#<directory (guile-user) 7f625f6c4c80>)))
In ice-9/command-line.scm:
   185:19  3 (_ #<input: string 7f625f6be850>)
In unknown file:
           2 (eval ((@ (web client) http-get) "https://gnu.org") #<d?>)
In web/client.scm:
    576:0  1 (http-get "https://gnu.org" #:body _ # _ #:port _ # #<?> ?)
    286:6  0 (tls-wrap #<closed: file 7f6256da2c40> _ # _)

web/client.scm:286:6: In procedure tls-wrap:
X.509 certificate of 'gnu.org' could not be verified:
  signer-not-found invalid

--8<---------------cut here---------------end--------------->8---

It seems that guile-gnutls fails to find the certificates, which is
unexpected.  Adding `curl' into the list of packages works around the
problem:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs curl -- guile -c '((@ (web client) http-get) "https://gnu.org")'
--8<---------------cut here---------------end--------------->8---

We can see the difference boils down to different search paths:

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs --search-paths
export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
--8<---------------cut here---------------end--------------->8---

and

--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs curl --search-paths
export PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/bin${PATH:+:}$PATH"
export SSL_CERT_DIR="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs"
export SSL_CERT_FILE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export CURL_CA_BUNDLE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export GUILE_LOAD_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/lib/guile/3.0/site-ccache:/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
--8<---------------cut here---------------end--------------->8---

I think guile-gnutls should also declare the SSL_* variables, since it
needs the certificates for the vast majority of things one could want to
do with it.

Have a nice day,
Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

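
Added example, not part of either message above and not code from Guix: a shell check that reads `--search-paths` output and reports which of the `SSL_CERT_DIR` / `SSL_CERT_FILE` declarations from the second listing are absent. The function names are hypothetical, and the two listings are copied from the report and shortened.

```shell
#!/bin/sh
# Added example (not from the report): check `guix shell ... --search-paths`
# output for the trust-store variables that appear in the second listing.
CERT_VARS="SSL_CERT_DIR SSL_CERT_FILE"

# Listings copied from the report, shortened to the lines that matter here.
WITHOUT_CURL=$(cat <<'EOF'
export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
EOF
)
WITH_CURL=$(cat <<'EOF'
export PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/bin${PATH:+:}$PATH"
export SSL_CERT_DIR="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs"
export SSL_CERT_FILE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export CURL_CA_BUNDLE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
EOF
)

# Print the value declared for variable $1 in the `export` lines on stdin;
# return 1 when the variable is not declared.
search_path_value() {
    var=$1
    while IFS= read -r line; do
        case $line in
            "export $var=\""*\")
                value=${line#"export $var=\""}
                value=${value%\"}
                printf '%s\n' "$value"
                return 0 ;;
        esac
    done
    return 1
}

# Print the CERT_VARS that listing $1 does not declare; succeed if none.
missing_cert_vars() {
    missing=
    for v in $CERT_VARS; do
        printf '%s\n' "$1" | search_path_value "$v" >/dev/null ||
            missing="${missing:+$missing }$v"
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

missing_cert_vars "$WITHOUT_CURL" || echo "^ not declared without curl"
missing_cert_vars "$WITH_CURL" && echo "all declared with curl"
```

Against a live profile the same function can be fed the command's output directly, for example `missing_cert_vars "$(guix shell -CN guile guile-gnutls nss-certs --search-paths)"`.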




Acknowledgement sent to Tomas Volf <~@wolfsden.cz>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#75902; Package guix. Full text available.
Last modified: Sat, 15 Feb 2025 21:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.