Leo Famulari <l...@famulari.name> writes: > On Sat, Feb 11, 2017 at 03:28:52PM +0100, Ludovic Courtès wrote: >> Marius Bakke <mba...@fastmail.com> skribis: >> > I think having a separate 'le-certs' package that can verify the Lets >> > Encrypt chain sounds like the easiest option. Presumably new >> > intermediates etc will be known well in advance. >> >> That sounds more reasonable to me. Do you know what it would take to >> get the whole LE chain in such a package? Would you like to give it a >> try? > > I tried it. The next intermediate (also called the "backup") is already > known. > > I've made it available here: > > https://github.com/lfam/le-certs > > You can try it out: > > $ echo | openssl s_client -CAfile /tmp/le-certs/le-certs.pem -CApath > /tmp/le-certs -connect git.savannah.gnu.org:443 > > Your feedback is requested!
Wow, this is cool! $ SSL_CERT_FILE="" SSL_CERT_DIR="" guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz Starting download of /tmp/guix-file.7U65Ts From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz... ERROR: X.509 certificate of 'git.savannah.gnu.org' could not be verified: signer-not-found invalid SSL_CERT_FILE="" SSL_CERT_DIR="/tmp/le-certs/" guix pull --url=https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz Starting download of /tmp/guix-file.wOblWP From https://git.savannah.gnu.org/cgit/guix.git/snapshot/master.tar.gz... ….tar.gz 1.0MiB/s 00:11 | 11.1MiB transferred unpacking '/gnu/store/p0gbr83a4g9qlk59vvxkw8gvrv1z8cnw-guix-latest.tar.gz'... For some reason setting SSL_CERT_FILE to "le-certs.pem" does not work for `guix download`, but having just the one file in SSL_CERT_DIR does. That's good enough for me! Could you make this into a Guix package? I wonder what happens if we simply switch %snapshot-url to HTTPS in `guix/scripts/pull.scm`. How many users do not have SSL_CERT_DIR configured? I think it would be sufficient to mention in the manual to install one of "nss-certs" or "le-certs" before running `guix pull` for the first time. How does that sound? These certs are valid until at least 2020, so using a Guix release snapshot of this package should work for a long time. Some other tests: $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://nrk.no > /dev/null * Rebuilt URL to: https://nrk.no/ * Trying 160.68.205.231... * TCP_NODELAY set * Connected to nrk.no (160.68.205.231) port 443 (#0) * found 10 certificates in /tmp/le-certs/le-certs.pem * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 * server certificate verification failed. CAfile: /tmp/le-certs/le-certs.pem CRLfile: none * Closing connection 0 $ CURL_CA_BUNDLE=/tmp/le-certs/le-certs.pem curl -sv https://gnu.org > /dev/null * Rebuilt URL to: https://gnu.org/ * Trying 208.118.235.148... * TCP_NODELAY set * Connected to gnu.org (208.118.235.148) port 443 (#0) * found 10 certificates in /tmp/le-certs/le-certs.pem * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 * server certificate verification OK * server certificate status verification SKIPPED * common name: gnu.org (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: CN=gnu.org * start date: Wed, 15 Feb 2017 10:01:00 GMT * expire date: Tue, 16 May 2017 10:01:00 GMT * issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 * compression: NULL $ GIT_SSL_CAINFO="" git clone --depth=1 https://git.savannah.gnu.org/git/guix.git Cloning into 'guix'... fatal: unable to access 'https://git.savannah.gnu.org/git/guix.git/': Problem with the SSL CA cert(path? access rights?) $ GIT_SSL_CAINFO=/tmp/le-certs/le-certs.pem git clone --depth=1 https://git.savannah.gnu.org/git/guix.git Cloning into 'guix'... remote: Counting objects: 1409, done.
signature.asc
Description: PGP signature