Hi,

On 03/14, Schanzenbach, Martin wrote:
>
> > On 14. Mar 2020, at 14:55, Tanguy Le Carrour <tan...@bioneland.org> wrote:
> >
> > On 03/14, Schanzenbach, Martin wrote:
> >>> On 14. Mar 2020, at 12:00, Tanguy Le Carrour <tan...@bioneland.org> wrote:
> >>>
> >>> On 03/13, Schanzenbach, Martin wrote:
> >>>>> On 13. Mar 2020, at 18:32, Tanguy Le Carrour <tan...@bioneland.org>
> >>>>> wrote:
> >>>>>
> >>>>> On 03/10, Tanguy Le Carrour wrote:
> >>>>>> On 03/09, Christian Grothoff wrote:
> >>>>>>> 2) try adding a TLSA record for gnunet.org to GNS, thereby avoiding
> >>>>>>> the use of Letsencrypt and really directly verifying via GNS.
> >>> […]
> >
> > ```
> > $ gnunet-gns --type ANY --lookup gnunet.myself
> > gnunet.myself:
> > Got `BOX' record: 6 443 52 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
> > Got `LEHO' record: gnunet.org
> > Got `A' record: 131.159.74.67
> > ```
> >
> > But still, when I try to access `gnunet.myself`, I get a blank page
> > after 5-10 seconds and the same lines in the log:
> >
> > ```
> > $ /home/tanguy/.guix-extra-profiles/gnunet/current/lib/gnunet/libexec/gnunet-gns-proxy --log DEBUG
> > Mar 14 14:48:07-948036 gnunet-gns-proxy-1450 ERROR Download curl gnunet.org/ failed: SSL peer certificate or SSH remote key was not OK
> > Mar 14 14:48:24-877522 gnunet-gns-proxy-1450 ERROR Download curl gnunet.org/favicon.ico failed: SSL peer certificate or SSH remote key was not OK
> > ```
> >
> > The good thing is that you were right! Adding a BOX record was
> > apparently not needed!
> >
> > Anything else I can try?
> > In the meantime, I'll keep on reading the doc, learn some more and play
> > with the other components!
>
> Did you compile gnunet from source or are you using a package? Is it possible
> that the guix gnunet package (or more specifically the guix libgcrypt) does
> not have DANE support?
I compiled it from source. I mean, I built it with Guix, from source, because
I'm working on packaging 0.12.2, which has not yet been integrated into the
official repo.

> I just tested the same configuration locally and it works. I suspect two
> issues which are independent from each other:
> - The guix gnutls does not have DANE support

I guess it does, because in Guix, the `gnunet` package depends on
`gnutls/dane`, whose definition is:

```gnu/packages/tls.scm
(define-public gnutls/dane
  ;; GnuTLS with build libgnutls-dane, implementing DNS-based
  ;; Authentication of Named Entities. This is required for GNS functionality
  ;; by GNUnet and gnURL. This is done in an extra package definition
  ;; to have the choice between GnuTLS with Dane and without Dane.
  (package
    (inherit gnutls)
    (name "gnutls-dane")
    (inputs `(("unbound" ,unbound)
              ,@(package-inputs gnutls)))))
```

Due to the way Guix works, I have 2 `gnutls-cli` installed on my system.
One is the "regular" one:

```
$ /gnu/store/hfv[…]p1z-gnutls-3.6.9/bin/gnutls-cli --dane gnunet.org
[…]
*** DANE error: GnuTLS is not compiled with DANE support.
*** Fatal error: Error in the certificate.
```

The other one is the "dane" version:

```
$ /gnu/store/nj6n[…]pwg-gnutls-dane-3.6.9/bin/gnutls-cli --dane gnunet.org
[…]
[1584205654] libunbound[9560:0] error: error opening file /etc/unbound/root.key: No such file or directory
[1584205654] libunbound[9560:0] error: error reading trust-anchor-file: /etc/unbound/root.key
[1584205654] libunbound[9560:0] error: validator: error in trustanchors config
[1584205654] libunbound[9560:0] error: validator: could not apply configuration settings.
[1584205654] libunbound[9560:0] error: module init for module validator failed
*** DANE verification error: There was an error while resolving.
*** Fatal error: Error in the certificate.
```

As you can see, they both fail, but for different reasons.
I'll start investigating the second one, because I'm confident this is the one
used. But I might be wrong! ^_^'

> - The guix curl/gnurl CA certificate location is different and not found (in
>   the case w/o a BOX record)

`gnurl` also depends on `gnutls/dane`. The package definition contains
something strange, though:

```gnu/packages/gnunet.scm
`(#:configure-flags
  ;; All of these produce errors during configure.
  (list […]
        "--without-ssl"
```

Could this be related to the "SSL peer certificate or SSH remote key was not
OK" error?!

Regards

-- 
Tanguy
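As an added illustration (not part of the thread, nor GNUnet's own code), here is how the BOX record printed above can be checked against the key a server actually presents, the "directly verifying via GNS" step Christian suggested. It assumes the BOX value layout the lookup shows (protocol, port, boxed RR type, then the TLSA usage, selector, matching type and data fields); the SubjectPublicKeyInfo bytes are a constructed stand-in, not gnunet.org's key.

```python
import hashlib

# BOX record value copied from the `gnunet-gns --type ANY` output in the thread:
# proto(6=TCP) port(443) rrtype(52=TLSA) usage selector mtype certdata.
BOX_VALUE = ("6 443 52 3 1 1 "
             "26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939")

# Constructed stand-in for a server's DER-encoded SubjectPublicKeyInfo (not a real key).
SAMPLE_SPKI = b"\x30\x59\x30\x13\x06\x07" + bytes(range(83))


def parse_box_tlsa(value):
    """Split a BOX value wrapping a TLSA record into its fields (layout assumed
    from the lookup output; 52 is the DNS RR type number of TLSA)."""
    fields = value.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields: proto port rrtype usage selector mtype data")
    proto, port, rrtype, usage, selector, mtype = (int(f) for f in fields[:6])
    if rrtype != 52:
        raise ValueError("BOX does not wrap a TLSA record (rrtype %d)" % rrtype)
    data = bytes.fromhex(fields[6])
    expected_len = {1: 32, 2: 64}.get(mtype)  # digest sizes for SHA-256 / SHA-512
    if expected_len is not None and len(data) != expected_len:
        raise ValueError("certificate association data has wrong length")
    return {"proto": proto, "port": port, "usage": usage,
            "selector": selector, "mtype": mtype, "data": data}


def tlsa_digest(mtype, material):
    """Apply the TLSA matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if mtype == 0:
        return material
    if mtype == 1:
        return hashlib.sha256(material).digest()
    if mtype == 2:
        return hashlib.sha512(material).digest()
    raise ValueError("unknown TLSA matching type %d" % mtype)


def tlsa_matches(record, cert_der, spki_der):
    """True if the presented certificate (selector 0) or its SPKI (selector 1)
    matches the record. With usage 3 (DANE-EE) no CA chain is consulted, which
    is why a matching record makes the Letsencrypt chain unnecessary."""
    material = cert_der if record["selector"] == 0 else spki_der
    return tlsa_digest(record["mtype"], material) == record["data"]


def build_tlsa_data(mtype, spki_der):
    """Hex data to publish in a `3 1 <mtype>` record for the given SPKI."""
    return tlsa_digest(mtype, spki_der).hex()
```

Feeding `build_tlsa_data(1, spki)` the real SPKI of the served certificate (e.g. extracted from the PEM with a TLS library) gives the value that must appear in the BOX record for the DANE check to pass.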