From unknown Sat Aug 16 19:14:46 2025 X-Loop: help-debbugs@gnu.org Subject: bug#36363: let's encrypt hash mismatch Resent-From: Julien Lepiller Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 24 Jun 2019 17:24:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 36363 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 36363@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.156139701023710 (code B ref -1); Mon, 24 Jun 2019 17:24:02 +0000 Received: (at submit) by debbugs.gnu.org; 24 Jun 2019 17:23:30 +0000 Received: from localhost ([127.0.0.1]:57890 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfSgj-0006AM-KC for submit@debbugs.gnu.org; Mon, 24 Jun 2019 13:23:29 -0400 Received: from lists.gnu.org ([209.51.188.17]:44065) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfSgg-0006AC-PX for submit@debbugs.gnu.org; Mon, 24 Jun 2019 13:23:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:44616) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hfSgf-0003VZ-ER for bug-guix@gnu.org; Mon, 24 Jun 2019 13:23:26 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hfSge-0003X6-4f for bug-guix@gnu.org; Mon, 24 Jun 2019 13:23:25 -0400 Received: from lepiller.eu ([2a00:5884:8208::1]:52646) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hfSgd-0003JP-Qd for bug-guix@gnu.org; Mon, 24 Jun 2019 13:23:24 -0400 Received: from tachikoma.lepiller.eu (89-92-10-229.hfc.dyn.abo.bbox.fr [89.92.10.229]) by lepiller.eu (OpenSMTPD) with ESMTPSA id bd913a00 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for ; Mon, 24 Jun 2019 17:23:13 +0000 (UTC) Date: Mon, 24 Jun 2019 19:23:02 +0200 From: Julien Lepiller Message-ID: <20190624192302.0eccdd72@tachikoma.lepiller.eu> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-unknown-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:5884:8208::1 X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi! trying to run guix pull on the overdrive at my place to try and fix a bug in openssh which doesn't start at boot, I get this error message: building /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv... building /gnu/store/3s8l6bg8gsfxrqallc5w02drl1m021ky-letsencryptauthorityx3= .pem.drv... Starting download of /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem From https://letsencrypt.org/certs/isrgrootx1.pem... Starting download of /gnu/store/bcq7sqhg18b7b1q87j8z60d5hybsdafm-letsencryptauthorityx3.pem =46rom https://letsencrypt.org/certs/letsencryptauthorityx3.pem... downloading from https://letsencrypt.org/certs/isrgrootx1.pem... downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem... letsencryptauthorityx3.pem 2KiB 385KiB/s 00:00 [##################] 100.0% sha256 hash mismatch for /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem: expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac hash mismatch for store item '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build of /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv failed View build log at '/var/log/guix/drvs/qv/rwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv.b= z2'. cannot build derivation `/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv': 1 dependencies couldn't be built guix pull: error: build failed: build of `/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv' failed Thanks! From unknown Sat Aug 16 19:14:46 2025 X-Loop: help-debbugs@gnu.org Subject: bug#36363: let's encrypt hash mismatch Resent-From: Tobias Geerinckx-Rice Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 24 Jun 2019 18:45:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 36363 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: julien lepiller Cc: 36363@debbugs.gnu.org Received: via spool by 36363-submit@debbugs.gnu.org id=B36363.15614018607634 (code B ref 36363); Mon, 24 Jun 2019 18:45:02 +0000 Received: (at 36363) by debbugs.gnu.org; 24 Jun 2019 18:44:20 +0000 Received: from localhost ([127.0.0.1]:57962 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfTwy-0001z4-0C for submit@debbugs.gnu.org; Mon, 24 Jun 2019 14:44:20 -0400 Received: from tobias.gr ([80.241.217.52]:37950) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfTwv-0001yq-ME for 36363@debbugs.gnu.org; Mon, 24 Jun 2019 14:44:18 -0400 Received: by tobias.gr (OpenSMTPD) with ESMTP id 7dadd4f1; Mon, 24 Jun 2019 18:44:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=tobias.gr; h=from:to:cc :subject:references:in-reply-to:date:message-id:mime-version :content-type; s=2018; i=me@tobias.gr; bh=vIeb8ZsXjt8hjA2FqVPjdu qmsBJxjaayyrJJDIeEqNM=; b=kqKi3CIDgteJjkQpivPxNxQ5NQFKaQ7QKtAMDR JYYGZ22wThAJAwHfSeNOfEpXLm1AifTomArQCuz8kArsRTE8k9BRTc4vAnqj3Fzi xsqcn3fpkpw8pI+3ZlQPHIFyVxs6grtWkNLby7vZs8X5v02LPPalDdVvh2TjJBTE ldoA9o2/QNNFr81RXzmn5Ej/fuVeSkaC2F7fpJPVnPfRRHDo96Kr1jfMEfIH9OHn svD3YvQ3NNBNuWaFUOgC1n1BtYVXu86ghylyMlDoStNcbjTUWu2m9w8ZBQSFW/9A /4GjaoqaRuXfiDil3Iq9k3Nnum1M9BiZ239JSO9kUTMuNHeQ== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 767b6289 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); Mon, 24 Jun 2019 18:44:08 +0000 (UTC) From: Tobias Geerinckx-Rice References: <20190624192302.0eccdd72@tachikoma.lepiller.eu> In-reply-to: <20190624192302.0eccdd72@tachikoma.lepiller.eu> Date: Mon, 24 Jun 2019 20:44:07 +0200 Message-ID: <87pnn2su14.fsf@nckx> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) --=-=-= Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Julien, Julien Lepiller wrote: > trying to run guix pull on the overdrive at my place to try and=20 > fix a > bug in openssh which doesn't start at boot, I get this error=20 > message: [=E2=80=A6] > letsencryptauthorityx3.pem 2KiB 385KiB/s 00:00 > [##################] 100.0% sha256 hash mismatch > for /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem: > expected hash:=20 > 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y > actual hash:=20 > 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac This will keep happening until we find(/create) a versioned URL=20 for these files. Let's Encrypt like to change them in place. The last time this happened they'd added CR/LF line endings for no=20 reason at all, but this time I don't have the old version around=20 anymore=E2=80=A6 Kind regards, T G-R --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQT12iAyS4c9C3o4dnINsP+IT1VteQUCXREZ9wAKCRANsP+IT1Vt eb68AP9kHVa3N5XK+oVT5VWBbR0tESbh6hwE8xU+FpY/C0xi7QD+M1IwdZwag8Zz oQCHuZx4oKQuhwfOUDuhJCPvOxu5RA0= =hqxO -----END PGP SIGNATURE----- --=-=-=-- From unknown Sat Aug 16 19:14:46 2025 X-Loop: help-debbugs@gnu.org Subject: bug#36363: let's encrypt hash mismatch Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 24 Jun 2019 20:10:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 36363 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Julien Lepiller Cc: 36363@debbugs.gnu.org Received: via spool by 36363-submit@debbugs.gnu.org id=B36363.15614069793843 (code B ref 36363); Mon, 24 Jun 2019 20:10:02 +0000 Received: (at 36363) by debbugs.gnu.org; 24 Jun 2019 20:09:39 +0000 Received: from localhost ([127.0.0.1]:58077 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfVHX-0000zv-4T for submit@debbugs.gnu.org; Mon, 24 Jun 2019 16:09:39 -0400 Received: from eggs.gnu.org ([209.51.188.92]:51921) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfVHS-0000zh-Ve for 36363@debbugs.gnu.org; Mon, 24 Jun 2019 16:09:35 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:43351) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hfVHM-0002fa-F0; Mon, 24 Jun 2019 16:09:28 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=43808 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1hfVHK-0007Of-0c; Mon, 24 Jun 2019 16:09:27 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <20190624192302.0eccdd72@tachikoma.lepiller.eu> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 6 Messidor an 227 de la =?UTF-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 24 Jun 2019 22:09:23 +0200 In-Reply-To: <20190624192302.0eccdd72@tachikoma.lepiller.eu> (Julien Lepiller's message of "Mon, 24 Jun 2019 19:23:02 +0200") Message-ID: <874l4e4ufg.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi Julien, Julien Lepiller skribis: > expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y > actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac > hash mismatch for store item > '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build I believe you=E2=80=99d be fine if substitutes were enabled, but they=E2=80= =99re not. In the meantime, you can fetch those files with something like: wget -O /tmp/isrgrootx1.pem \ http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52x= k3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y guix download file:///tmp/isrgrootx1.pem But yeah, like Tobias writes, it=E2=80=99s a bit of a problem. Should we m= irror them somewhere? Does Let=E2=80=99s Encrypt have them under a versioned URL elsewhere? HTH, Ludo=E2=80=99. From unknown Sat Aug 16 19:14:46 2025 X-Loop: help-debbugs@gnu.org Subject: bug#36363: let's encrypt hash mismatch Resent-From: Chris Marusich Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sun, 21 Jul 2019 23:13:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 36363 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 36363@debbugs.gnu.org, Julien Lepiller Received: via spool by 36363-submit@debbugs.gnu.org id=B36363.156375076430841 (code B ref 36363); Sun, 21 Jul 2019 23:13:02 +0000 Received: (at 36363) by debbugs.gnu.org; 21 Jul 2019 23:12:44 +0000 Received: from localhost ([127.0.0.1]:59675 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hpL0V-00081M-HC for submit@debbugs.gnu.org; Sun, 21 Jul 2019 19:12:43 -0400 Received: from mail-pf1-f180.google.com ([209.85.210.180]:33674) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hpL0R-00080p-4o for 36363@debbugs.gnu.org; Sun, 21 Jul 2019 19:12:39 -0400 Received: by mail-pf1-f180.google.com with SMTP id g2so16450265pfq.0 for <36363@debbugs.gnu.org>; Sun, 21 Jul 2019 16:12:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=26rNDn52TYsW0/3MWq+psC/WONAqFSbXoFXWbW+OndQ=; b=n4aMZTbZgyNmibocBqsbhCb96FR9sJHli4g4OIrLm3K3X2VHKoAu2HZSpo3DMd2yNs V2enENE3HYpJmyB9u6ErJfkGvtpQ+xqcLJf6+EiMW883bz26nVRedCy05DI8Lzj6sDzZ XR6pN5nVqYv+LGyHXsee3JT2PJCgxmobqYQvBsmjUDjF8cp1Ag+/kuw4NMW4qQFxJ8dX vVp5lmh2t8NKCi+FGntI5oEcqH1n+by13E2sn48ICJZsk33RorGlVMjkn4s2eXdTQ5E7 gbFtmFUFC/7DeR8dg8cf7mWxz/s+WydSY7ClRtAtExzaZCJKpr10YRHsWroEY+2NYUdp j4lw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=26rNDn52TYsW0/3MWq+psC/WONAqFSbXoFXWbW+OndQ=; b=JLnKIu4II4qPfg5jQ19JqgePF+Q+fbbwqXNVHMsWWKj0e+X1Q3v92EsNcJDFQ81WjP quH7QT9mh+74UC9uNuDL8ffKWMfk+uxy26s/LtiKRQM5QEbsoLkUPdozykSdbt7KCFI8 wBqVR2JCzZO188BxrL/VCFlZFgfhO5onI+wTynPJfsVgiWDVbmPa5GUkdD7Fd/WwHiBB GMUNnVaFk0gFuvHCEgINRx1wrJhS/Z42KgLgQr1xqbYQD+3TVFwU9BeKAF8TLdamfVp9 zq7pGBK+SYn/0IMsmpadCUVXDIHfHGDWlUX8nbHsaSxJix30D+z1NQIbof32i4z1IkvP Jlag== X-Gm-Message-State: APjAAAWmaSjA22DVikMsBefuRKOvotkHFOSty8RErQjAMNk2Hp5seSz0 i6GkKciYMNgAnW8ONOylK/WRpw3o X-Google-Smtp-Source: APXvYqy/emfNKDE3qFRQcySK3ScAJvl6aZITz5AQW7zqZSF9aCeVEsNsaeTLTY7qfic9lM/Pb+FN1g== X-Received: by 2002:a17:90a:3225:: with SMTP id k34mr72684400pjb.31.1563750752769; Sun, 21 Jul 2019 16:12:32 -0700 (PDT) Received: from garuda.local ([2601:601:9d80:25b2::d12]) by smtp.gmail.com with ESMTPSA id 22sm43364485pfu.179.2019.07.21.16.12.30 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sun, 21 Jul 2019 16:12:31 -0700 (PDT) From: Chris Marusich References: <20190624192302.0eccdd72@tachikoma.lepiller.eu> <874l4e4ufg.fsf@gnu.org> Date: Sun, 21 Jul 2019 16:12:25 -0700 In-Reply-To: <874l4e4ufg.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Mon, 24 Jun 2019 22:09:23 +0200") Message-ID: <87y30rugme.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Spam-Score: -0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Ludovic Court=C3=A8s writes: > Julien Lepiller skribis: > >> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y >> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac >> hash mismatch for store item >> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build > > I believe you=E2=80=99d be fine if substitutes were enabled, but they=E2= =80=99re not. > > In the meantime, you can fetch those files with something like: > > wget -O /tmp/isrgrootx1.pem \ > http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x5= 2xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y > guix download file:///tmp/isrgrootx1.pem > > But yeah, like Tobias writes, it=E2=80=99s a bit of a problem. Should we= mirror > them somewhere? Does Let=E2=80=99s Encrypt have them under a versioned U= RL > elsewhere? What is Guix using these files for? I realize it's got something to do with TLS, but it isn't clear to me why Guix downloads these certs. I don't have the full context, so please forgive me if my comments are unhelpful, but before deciding to use stale versions, I think it's worth asking, "Could using a stale version introduce any security risk?" Maybe there's a reason why LE doesn't publish the old versions. =2D-=20 Chris --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAl008VkACgkQ3UCaFdgi Rp2GNxAA0qvrADUFzZq1uMo9cV6oPXrNk+ujIWV5Cy2/O4CHQGJdguZUkARmg/bW BIxBTpCbZYNfwta0GfbruZWY22ukpRRTJYHpROUmYJFTrYmcC+Hb//J4jK3KYAGc WI38xcOblUTqIu3z4RebWo8/BzmR2Sf6RMOO6fyDuAHmDD4ifwMZaXbbWHpff5Qp ow+GguKurhC4ieknVN+kAHOdmPI39XZ9g+tPWsTVmWQ3Y7wqo4eBQkb0USI2aSM4 gQXeAZzc8cfvek1MWaw+KiJ4HLtYpu1FFJ9Jqic11jfY5DMtdva110+NKBPr0Y5C 5BRBOgRfGvbfO0HRa4Bt6R7QeiaqyKza01vS3vStIrp4gtkLH/NlDU5d5+OSP1wF 4PCDHb1cooKxumNr4lDc+t6RRIF3joHjEV+ZNaV+MtLSnLR3TJSx+GtnWPindAoo FQ+HWBFAo41WCMBvjkffFy26z4WfW7JqtEhMvkkNXcs/GONSS9rwwIoyG9+THI/a Kr+Vi4MswDi2wJAtayC/0LAgYE9k6ItJGIOeXjXNd10Y9fDqPwDCNP3SKrhxbB4L Q70+x6yBpjlgzo3JE2WG5glcT+j+S50F18XhVfdJ4wHsHYxceKfzo8U4edSwW3df IzBKjoCSgCML9vMXbe0/5Ndxtw1r9zV3b/gTX04uCSC3V88NHNc= =Jh12 -----END PGP SIGNATURE----- --=-=-=-- From unknown Sat Aug 16 19:14:46 2025 X-Loop: help-debbugs@gnu.org Subject: bug#36363: let's encrypt hash mismatch Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 22 Jul 2019 10:35:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 36363 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Chris Marusich Cc: 36363@debbugs.gnu.org, Julien Lepiller Received: via spool by 36363-submit@debbugs.gnu.org id=B36363.156379166232713 (code B ref 36363); Mon, 22 Jul 2019 10:35:02 +0000 Received: (at 36363) by debbugs.gnu.org; 22 Jul 2019 10:34:22 +0000 Received: from localhost ([127.0.0.1]:59997 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hpVeA-0008VZ-7q for submit@debbugs.gnu.org; Mon, 22 Jul 2019 06:34:22 -0400 Received: from eggs.gnu.org ([209.51.188.92]:51577) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hpVe8-0008VM-Cn for 36363@debbugs.gnu.org; Mon, 22 Jul 2019 06:34:20 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:56184) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hpVe1-0005V6-DM; Mon, 22 Jul 2019 06:34:13 -0400 Received: from [2a01:e35:2ffd:930:d5d6:61ca:ae54:d991] (port=41454 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1hpVdy-0007br-8n; Mon, 22 Jul 2019 06:34:12 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <20190624192302.0eccdd72@tachikoma.lepiller.eu> <874l4e4ufg.fsf@gnu.org> <87y30rugme.fsf@gmail.com> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 4 Thermidor an 227 de la =?UTF-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 22 Jul 2019 12:34:05 +0200 In-Reply-To: <87y30rugme.fsf@gmail.com> (Chris Marusich's message of "Sun, 21 Jul 2019 16:12:25 -0700") Message-ID: <87tvbe2w9u.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi Chris, Chris Marusich skribis: > Ludovic Court=C3=A8s writes: > >> Julien Lepiller skribis: >> >>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y >>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac >>> hash mismatch for store item >>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build >> >> I believe you=E2=80=99d be fine if substitutes were enabled, but they=E2= =80=99re not. >> >> In the meantime, you can fetch those files with something like: >> >> wget -O /tmp/isrgrootx1.pem \ >> http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x= 52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y >> guix download file:///tmp/isrgrootx1.pem >> >> But yeah, like Tobias writes, it=E2=80=99s a bit of a problem. Should w= e mirror >> them somewhere? Does Let=E2=80=99s Encrypt have them under a versioned = URL >> elsewhere? > > What is Guix using these files for? I realize it's got something to do > with TLS, but it isn't clear to me why Guix downloads these certs. This is used by (guix scripts pull) so we can always authenticate git.savannah.gnu.org when we fetch from the Git repo. It=E2=80=99s used if= and only if certificates aren=E2=80=99t available system-wide (see =E2=80=98honor-x509-certificates=E2=80=99.) Ludo=E2=80=99. From unknown Sat Aug 16 19:14:46 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Julien Lepiller Subject: bug#36363: closed (Re: let's encrypt hash mismatch) Message-ID: References: <87tuv3zjua.fsf@nckx> <20190624192302.0eccdd72@tachikoma.lepiller.eu> X-Gnu-PR-Message: they-closed 36363 X-Gnu-PR-Package: guix Reply-To: 36363@debbugs.gnu.org Date: Fri, 09 Oct 2020 12:05:01 +0000 Content-Type: multipart/mixed; boundary="----------=_1602245101-8298-1" This is a multi-part message in MIME format... ------------=_1602245101-8298-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #36363: let's encrypt hash mismatch which was filed against the guix package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 36363@debbugs.gnu.org. --=20 36363: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D36363 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1602245101-8298-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 36363-done) by debbugs.gnu.org; 9 Oct 2020 12:04:32 +0000 Received: from localhost ([127.0.0.1]:34348 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kQr8S-000297-8B for submit@debbugs.gnu.org; Fri, 09 Oct 2020 08:04:32 -0400 Received: from tobias.gr ([80.241.217.52]:40198) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kQr8P-00028w-PO for 36363-done@debbugs.gnu.org; Fri, 09 Oct 2020 08:04:31 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018; bh=zv51U9CACWhls+wnPI2ldYd8mBW1qoqJIjuSFrfM5JU=; h=date:subject:to: from; b=Yw84OOQA+oLrr8b0CVPg7QeHBxPaT4Vj8AmWPunSxZ8r95Wci7vHMAJUT6MU7t twI6fBPSKYcKN8c58wMw+wKmes2GpSx2w8ce/Im7C0ggXEgPHBOGq9oDwf7Dd9iLYvPtps 1+4KmcV70/tDzcRExq2dEOnXh5s5SPHWTfZbEa/5Qh05U8KbF0qviPCONc6u7f4E5DJG2m tsj4IIlwG39qpEJGrc6ICEZyRzVOhTER10VVUnJ+Glk1VLuCTwe7IjqDkB+I3hGPvpMTn8 9gkpLkMcHA+2pUM9MjaYAb3rz+6wacPqsKmbwQFJNDRnSjnVJOZMUSkmy1w6mg2WcCRgYg == Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 9af75344 (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO) for <36363-done@debbugs.gnu.org>; Fri, 9 Oct 2020 12:04:38 +0000 (UTC) BIMI-Selector: v=BIMI1; s=default; From: Tobias Geerinckx-Rice To: 36363-done@debbugs.gnu.org Subject: Re: let's encrypt hash mismatch Date: Fri, 09 Oct 2020 14:04:29 +0200 Message-ID: <87tuv3zjua.fsf@nckx> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 36363-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) --=-=-= Content-Type: text/plain; format=flowed Closing as this specific failure has passed and any wider discussion shouldn't happen here. Kind regards, T G-R --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCX4BRzQ0cbWVAdG9iaWFz LmdyAAoJEA2w/4hPVW15NdcA/0uKQzqwnoNxf9CDppeyHLr0fekdsszfX6P0zc7H epkLAP92PCVCFiKNrIVTV5Aq5v32BqO8U3+4RXTijH5Qay3NAQ== =xegd -----END PGP SIGNATURE----- --=-=-=-- ------------=_1602245101-8298-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 24 Jun 2019 17:23:30 +0000 Received: from localhost ([127.0.0.1]:57890 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfSgj-0006AM-KC for submit@debbugs.gnu.org; Mon, 24 Jun 2019 13:23:29 -0400 Received: from lists.gnu.org ([209.51.188.17]:44065) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hfSgg-0006AC-PX for submit@debbugs.gnu.org; Mon, 24 Jun 2019 13:23:27 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:44616) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hfSgf-0003VZ-ER for bug-guix@gnu.org; Mon, 24 Jun 2019 13:23:26 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hfSge-0003X6-4f for bug-guix@gnu.org; Mon, 24 Jun 2019 13:23:25 -0400 Received: from lepiller.eu ([2a00:5884:8208::1]:52646) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hfSgd-0003JP-Qd for bug-guix@gnu.org; Mon, 24 Jun 2019 13:23:24 -0400 Received: from tachikoma.lepiller.eu (89-92-10-229.hfc.dyn.abo.bbox.fr [89.92.10.229]) by lepiller.eu (OpenSMTPD) with ESMTPSA id bd913a00 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for ; Mon, 24 Jun 2019 17:23:13 +0000 (UTC) Date: Mon, 24 Jun 2019 19:23:02 +0200 From: Julien Lepiller To: bug-guix@gnu.org Subject: let's encrypt hash mismatch Message-ID: <20190624192302.0eccdd72@tachikoma.lepiller.eu> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-unknown-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:5884:8208::1 X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi! trying to run guix pull on the overdrive at my place to try and fix a bug in openssh which doesn't start at boot, I get this error message: building /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv... building /gnu/store/3s8l6bg8gsfxrqallc5w02drl1m021ky-letsencryptauthorityx3= .pem.drv... Starting download of /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem From https://letsencrypt.org/certs/isrgrootx1.pem... Starting download of /gnu/store/bcq7sqhg18b7b1q87j8z60d5hybsdafm-letsencryptauthorityx3.pem =46rom https://letsencrypt.org/certs/letsencryptauthorityx3.pem... downloading from https://letsencrypt.org/certs/isrgrootx1.pem... downloading from https://letsencrypt.org/certs/letsencryptauthorityx3.pem... letsencryptauthorityx3.pem 2KiB 385KiB/s 00:00 [##################] 100.0% sha256 hash mismatch for /gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem: expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac hash mismatch for store item '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build of /gnu/store/qvrwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv failed View build log at '/var/log/guix/drvs/qv/rwd6v9jy50j121f963v7rps8fc8qsa-isrgrootx1.pem.drv.b= z2'. cannot build derivation `/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv': 1 dependencies couldn't be built guix pull: error: build failed: build of `/gnu/store/03xigpq7w1ll67ydrwhjydmybdj5gd2i-le-certs-0.drv' failed Thanks! ------------=_1602245101-8298-1--