Hi,

Ludovic Courtès <l...@gnu.org> writes:

> Christopher Baines <m...@cbaines.net> writes:
>
>> I believe there's TLS issues with pulling for the current 1.2.0 release.
>>
>> root@horna ~# guix pull
>> substitute: updating substitutes from 'https://guix.cbaines.net'... 100.0%
>> 0.0 MB will be downloaded
>> downloading from
>> https://guix.cbaines.net/nar/lzip/zg72c146skpca45ijvjigqhqgx0mwiny-le-certs-0
>> ...
>> le-certs-0 4KiB
>>
>> 1.8MiB/s 00:00 [##################] 100.0%
>>
>> Updating channel 'guix' from Git repository at
>> 'https://git.savannah.gnu.org/git/guix.git'...
>> guix pull: error: Git error: the SSL certificate is invalid
>
> That’s on an installation without ‘nss-certs’ in the system profile,
> right?

Looking at (guix scripts pull), I think that is the case:

  (define (honor-x509-certificates store)
    "Use the right X.509 certificates for Git checkouts over HTTPS."
    (unless (honor-system-x509-certificates!)
      (honor-lets-encrypt-certificates! store)))

By default, 1.2.0 installs ‘nss-certs’, so I would assume such
installations are unaffected, right?

> I suppose we need to update the ‘le-certs’ package, or maybe skip X.509
> certification verification altogether for the ‘guix’ channel?

In hindsight, it seems preferable to keep X.509 authentication for now,
because there are still unauthenticated channels out there and because
it’s a bit tedious to work around it in (guix channels) and (guix git).

I checked the ‘le-certs’ package like so:

--8<---------------cut here---------------start------------->8---
$ guix gc --references $(guix build -d le-certs) |grep pem
/gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv
/gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
/gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
$ guix build --check -v1 $(guix gc --references $(guix build -d le-certs) |grep pem)
La jenaj derivoj estos konstruataj:
   /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv
   /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv
   /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv
building /gnu/store/92qqzmbfy72gs5knlpwrz8v2cf0fl1fs-isrgrootx1.pem.drv...
downloading from https://letsencrypt.org/certs/isrgrootx1.pem ...
|warning: rewriting hashes in `/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem'; cross fingers
building /gnu/store/gm8rfnhlbvdql9dm43vag5p0lha56g4r-letsencryptauthorityx3.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem ...
\warning: rewriting hashes in `/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem'; cross fingers
building /gnu/store/733k3s05nribnbbgc99w766gv7q36zgs-letsencryptauthorityx4.pem.drv...
downloading from https://letsencrypt.org/certs/letsencryptauthorityx4.pem ...
|warning: rewriting hashes in `/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem'; cross fingers
/gnu/store/nfdm0gaa4s34aacr3jjp14wqynphkxcx-letsencryptauthorityx3.pem
/gnu/store/hr94djs87lwgcyhz9ks3id3r1a4pgx2b-isrgrootx1.pem
/gnu/store/1ldg5q59n2qmq9qmbvyjnkjyxxjmflgh-letsencryptauthorityx4.pem
--8<---------------cut here---------------end--------------->8---

AFAICS, everything is up-to-date here. So I don’t get where the ‘guix
pull’ error above comes from.

Ideas?

Ludo’.