Hi, Leo Famulari <l...@famulari.name> skribis:
> On Sun, Apr 11, 2021 at 09:29:00PM -0400, Leo Famulari wrote: >> I checked and, although there have been some changes upstream at Let's >> Encrypt [0], our le-certs still works for contacting Savannah with TLS. > > I checked wrong; le-certs needs to be updated. I'm testing the update > now... So I think the issue is that, when ‘nss-certs’ is not installed, ‘guix pull’ uses the LE certs, but these certificates expire quite frequently, whereas if you have ‘nss-certs’ installed, there’s “always” a valid authentication chain from the roots. Indeed, running ‘guix pull’ in the 1.2.0 live VM image works (it has ‘nss-certs’ installed in /etc/ssl/certs). Likewise, a Guix System 1.2.0 installation that includes ‘nss-certs’ (which is the default) is unaffected. For those who do not have ‘nss-certs’ installed, a workaround is to do avoid HTTPS: guix pull --url=http://git.savannah.gnu.org/git/guix.git This is fine because the ‘guix’ channel is authenticated anyway. We could also add a ‘--no-check-certificates’ option to ‘guix pull’. For that, Guile-Git needs to implement ‘git_transport_certificate_check_cb’ & co. I started doing that but it’s a bit of work (wrapping ‘struct git_cert’ is cumbersome) so I’m willing to punt on it for now. Thoughts? Ludo’.
