Hi,
Le 03/09, Christian Grothoff a écrit :
> On 3/9/20 4:08 PM, Tanguy Le Carrour wrote:
> > In the `gnunet-gns-proxy` logs I only have 2
> > lines:
> >
> > ```
> > Mar 09 15:41:41-485690 gnunet-gns-proxy-18131 ERROR Download curl
> > gnunet.org/ failed: SSL peer certificate or SSH remote key was not OK
> > Mar 09 15:41:58-358297 gnunet-gns-proxy-18131 ERROR Download curl
> > gnunet.org/favicon.ico failed: SSL peer certificate or SSH remote key was
> > not OK
> > ```
> >
> > Any idea?! Have I done something wrong (again)?!
>
> Hard to say. I can't tell if curl fails to accept the Letsencrypt CA, or
> if we lack the LEHO somehow. AFAIK Martin was fixing some LEHO-related
> bugs in GNS, so MAYBE that is hitting you here.
>
> To find out:
> 1) check if curl is happy downloading https://gnunet.org/ directly
> (thus checking curl is installed properly and finds its root CAs)
Checked!
> 2) try adding a TLSA record for gnunet.org to GNS, thereby avoiding
> the use of Letsencrypt and really directly verifying via GNS.
I'll try this and let you know, thanks!
> 3) Maybe enable more logging (-L DEBUG) ;-).
Tried, but it didn't say more! :-(
> 4) Also, given that I have not tried this for a while, there is a
> possibility that we have a regression -> Martin or I should also
> try (but I can't this week).
>
> > The patch to `gnunet-gns-proxy-setup-ca` is trivial. Should I submit it
> > somewhere? Or, as it's a "Guix problem", I can just patch it in the Guix
> > package!?
>
> I am pretty sure this is an 'upstream' issue and that we should patch
> gnunet-gns-proxy-setup-ca. So please do send the patch (to me personally
> will suffice, I'm happy to review and apply).
I'm attaching 2 versions of the patch.
> > And one last question: why is `gnunet-gns-proxy` in
> > `/usr/lib/gnunet/libexec/` and
> > not in `bin`?
>
> The idea is that the gnunet-gns-proxy is launched via gnunet-arm like
> other GNUnet services, instead of being started manually.
Makes perfect sense! The command on the "use" page is just so we can
see the logs, I guess.
Regards
--
Tanguy
>From 8de3d70f96c460377895bd9012fb1f0247854f43 Mon Sep 17 00:00:00 2001
From: Tanguy Le Carrour <tan...@bioneland.org>
Date: Tue, 10 Mar 2020 17:42:04 +0100
Subject: [PATCH] import CA into Icecat
---
src/gns/gnunet-gns-proxy-setup-ca.in | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/gns/gnunet-gns-proxy-setup-ca.in
b/src/gns/gnunet-gns-proxy-setup-ca.in
index 602aadb2a..412e53f8d 100644
--- a/src/gns/gnunet-gns-proxy-setup-ca.in
+++ b/src/gns/gnunet-gns-proxy-setup-ca.in
@@ -224,6 +224,16 @@ importbrowsers()
certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
fi
done
+ for f in ~/.mozilla/icecat/*.*/
+ do
+ if [ -d $f ]; then
+ infomsg "Importing CA into Icecat at $f"
+ # delete old certificate (if any)
+ certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
+ # add new certificate
+ certutil -A -n "GNS Proxy CA" -t CT,, -d "$f" < $GNSCERT
+ fi
+ done
# TODO: Error handling?
if [ -d ~/.pki/nssdb/ ]; then
statusmsg "Importing CA into Chrome at ~/.pki/nssdb/"
--
2.25.1
>From 603a1d937a82cf793a771ada4c084e78c2902872 Mon Sep 17 00:00:00 2001
From: Tanguy Le Carrour <tan...@bioneland.org>
Date: Tue, 10 Mar 2020 17:42:04 +0100
Subject: [PATCH] import CA into Icecat
---
src/gns/gnunet-gns-proxy-setup-ca.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/gns/gnunet-gns-proxy-setup-ca.in
b/src/gns/gnunet-gns-proxy-setup-ca.in
index 602aadb2a..3cf9edb19 100644
--- a/src/gns/gnunet-gns-proxy-setup-ca.in
+++ b/src/gns/gnunet-gns-proxy-setup-ca.in
@@ -214,10 +214,10 @@ importbrowsers()
then
statusmsg "Importing CA into browsers"
# TODO: Error handling?
- for f in ~/.mozilla/firefox/*.*/
+ for f in ~/.mozilla/firefox/*.*/ ~/.mozilla/icecat/*.*/
do
if [ -d $f ]; then
- infomsg "Importing CA into Firefox at $f"
+ infomsg "Importing CA into Firefox/Icecat at $f"
# delete old certificate (if any)
certutil -D -n "GNS Proxy CA" -d "$f" >/dev/null 2>/dev/null
# add new certificate
--
2.25.1
