bug#26948: gnutls errors on multiple guix commands
From: Ludovic Courtès
Subject: bug#26948: gnutls errors on multiple guix commands
Date: Wed, 17 May 2017 14:56:15 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Hi Maxim,

Maxim Cournoyer <address@hidden> wrote:

> This problem has been ongoing for some time. It prevents me from using
> things such as "guix lint" or "guix import" (seems to be related to
> certs and gnutls). I thought a guix system reconfigure (I'm on GuixSD)
> would fix it but it hasn't, even after rebooting the system.
>
> It is reminiscent of bug#25200, but there doesn't appear to be any
> dangling symlinks this time around.
>
> The nss-certs package is present in my operating system declaration, and
> the /etc/ssl/certs directory is populated ('/etc/ssl' is a symbolic link
> pointing to /run/current-system/profile/etc/ssl).
>
> SSL_CERT_DIR is set to "/etc/ssl/certs"
> SSL_CERT_FILE is set to "/etc/ssl/certs/ca-certificates.crt"
>
>
> A couple examples of how things break:
>
> * guix lint
>
> guix lint emacs
> Backtrace:address@hidden [cve]...
> 9 (primitive-load "/gnu/store/80k8kz7qk9palbn0ccw7y3fgym8…")
> In guix/ui.scm:
> 1257:8 8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
> 640:9 7 (for-each #<procedure 183c060 at guix/scripts/lint.scm…> …)
> In guix/scripts/lint.scm:
> 982:4 6 (run-checkers _ _)
> In srfi/srfi-1.scm:
> 640:9 5 (for-each #<procedure 1f252a0 at guix/scripts/lint.scm…> …)
> In guix/scripts/lint.scm:
> 805:4 4 (check-vulnerabilities _)
> 800:9 3 (_ _)
> In unknown file:
> 2 (force #<promise #<procedure 7f1db4d41f88 at guix/scrip…>)
> In guix/scripts/lint.scm:
> 789:24 1 (_)
> In ice-9/boot-9.scm:
> 837:9 0 (catch srfi-34 #<procedure 7f1db4d4d3a8 at guix/script…> …)
>
> ice-9/boot-9.scm:837:9: In procedure catch:
> ice-9/boot-9.scm:837:9: Throw to key `gnutls-error' with args
> `(#<gnutls-error-enum Error while reading file.>
> set-certificate-credentials-x509-trust-file!)'.

So the problem here is that $SSL_CERT_DIR or $SSL_CERT_FILE is
unreadable for some reason. Could you ‘strace’ it to see exactly which
file cannot be opened and why?

However, I cannot reproduce it with current master:

--8<---------------cut here---------------start------------->8---
$ rm -rf ~/.cache/guix/cve
$ SSL_CERT_FILE=/sdfsfd SSL_CERT_DIR=/sdfs guix lint emacs
gnu/packages/emacs.scm:99:2: address@hidden: TLS certificate error: ERROR:
X.509 certificate of 'www.gnu.org' could not be verified:
signer-not-found
invalid
guix lint: warning: TLS certificate error: ERROR: X.509 certificate of
'static.nvd.nist.gov' could not be verified:
signer-not-found
invalid
guix lint: warning: assuming no CVE vulnerabilities
--8<---------------cut here---------------end--------------->8---

This is the same story for the other ones.

Essentially, this code from (guix build download):

  (define (make-credendials-with-ca-trust-files directory)
    "Return certificate credentials with X.509 authority certificates read from
  DIRECTORY. Those authority certificates are checked when
  'peer-certificate-status' is later called."
    (let ((cred (make-certificate-credentials))
          (files (or (scandir directory
                              (lambda (file)
                                (string-suffix? ".pem" file)))
                     '())))
      (for-each (lambda (file)
                  (let ((file (string-append directory "/" file)))
                    ;; Protect against dangling symlinks.
                    (when (file-exists? file)
                      (set-certificate-credentials-x509-trust-file!
                       cred file
                       x509-certificate-format/pem))))
                (or files '()))
      cred))

seems to select a FILE that passes ‘file-exists?’ but that cannot be
read by ‘set-certificate-credentials-x509-trust-file!’. I think that
can happen with unreadable files (EPERM), though I can’t reproduce it.

The ‘strace’ output should help us figure out what’s going on.

Thanks,
Ludo’.
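
A diagnostic for the case discussed in this message, where a ".pem" entry passes the existence test but cannot be read. It is an added example, not code from the message or from Guix; the function names classify_pem and check_cert_dir are made up for it.

```shell
# Added diagnostic, not code from the original message or from Guix.
# Mirrors the quoted selection logic: every directory entry ending in ".pem"
# that passes an existence test is handed to the trust-file loader.

# classify_pem FILE: print dangling, not-regular, unreadable or ok.
classify_pem() {
    if [ ! -e "$1" ]; then
        echo dangling       # existence test fails: the quoted code skips it
    elif [ ! -f "$1" ]; then
        echo not-regular    # exists, but is a directory, socket, ...
    elif [ ! -r "$1" ]; then
        echo unreadable     # exists, but this user may not open it for reading
    else
        echo ok
    fi
}

# check_cert_dir DIR: report every ".pem" entry that is not loadable.
# Returns 0 only when no entry passes the existence test yet cannot be read.
check_cert_dir() {
    bad=0
    for entry in "$1"/* "$1"/.*; do
        case $entry in
            *.pem) ;;           # same suffix filter as the 'scandir' call
            *) continue ;;      # also drops unmatched globs, "." and ".."
        esac
        state=$(classify_pem "$entry")
        case $state in
            ok) ;;
            dangling) printf 'skipped  %s (dangling symlink)\n' "$entry" ;;
            *) printf 'FAILS    %s (%s)\n' "$entry" "$state"
               bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Example: check_cert_dir "${SSL_CERT_DIR:-/etc/ssl/certs}"
```

Run it as the same user that runs the guix command: the readability test depends on the caller, and root passes it for any regular file.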