Dear Guix experts,
I am trying to move the execution of a Python script into a pure
environment, but it fails because of certificate issues for which I am
looking for a good fix.
The minimal example I came up with is:
guix environment --pure \
--ad-hoc python -- \
python3 -c 'import urllib.request;
print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS";))'
This fails with the error message
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: self signed certificate in certificate chain
(_ssl.c:1108)>
I have no idea why Python's urllib checks a certificate chain for a http
URL, but that's not my subject now. A variant that works fine is
guix environment --pure --preserve=^SSL_CERT \
--ad-hoc python -- \
python3 -c 'import urllib.request;
print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS";))'
which adds two environment variables to the temporary environment:
SSL_CERT_DIR=/home/hinsen/.guix-profile/etc/ssl/certs
SSL_CERT_FILE=/home/hinsen/.guix-profile/etc/ssl/certs/ca-certificates.crt
Since all the certificates come from Guix, I expect that I should also
be able to use
guix environment --pure \
--ad-hoc python nss-certs -- \
python3 -c 'import urllib.request;
print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS";))'
but this doesn't work - same error as initially.
I am not happy with exposing an environment variable from my personal
account, as I want my run to be reproducible and portable to any machine
running Guix, Ideally, I'd even move on to a containerized environment.
Is there any way to achieve this?
Thanks in advance,
Konrad
