GNU bug report logs - #36363 let's encrypt hash mismatch
Hi Chris,
Chris Marusich <cmmarusich <at> gmail.com> writes:
> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Julien Lepiller <julien <at> lepiller.eu> writes:
>>
>>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>>> hash mismatch for store item
>>> '/gnu/store/1drx7dy1zakc0xs60nb0im1jbvxp11dj-isrgrootx1.pem' build
>>
>> I believe you’d be fine if substitutes were enabled, but they’re not.
>>
>> In the meantime, you can fetch those files with something like:
>>
>> wget -O /tmp/isrgrootx1.pem \
>> http://berlin.guix.gnu.org/file/isrgrootx1.pem/sha256/0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>> guix download file:///tmp/isrgrootx1.pem
>>
>> But yeah, like Tobias writes, it’s a bit of a problem. Should we mirror
>> them somewhere? Does Let’s Encrypt have them under a versioned URL
>> elsewhere?
>
> What is Guix using these files for? I realize it's got something to do
> with TLS, but it isn't clear to me why Guix downloads these certs.
This is used by (guix scripts pull) so we can always authenticate
git.savannah.gnu.org when we fetch from the Git repo. It’s used if and
only if certificates aren’t available system-wide (see
‘honor-x509-certificates’.)
Ludo’.
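
An added example, not part of the original message and not Guix's own code: a check that a file fetched by hand, as with the wget command quoted above, matches the "expected hash" from the error message before it is trusted. It assumes the hashes shown are SHA-256 digests in the base32 variant Guix prints; the function names are illustrative.

```python
import hashlib
import hmac

# Alphabet of the base32 variant Guix prints for hashes (no e, o, t, u).
ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32(digest: bytes) -> str:
    """Encode a digest in Guix's base32 form (52 characters for SHA-256)."""
    length = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(length - 1, -1, -1):      # highest bit offset first
        i, j = divmod(n * 5, 8)              # byte index, bit offset
        nxt = digest[i + 1] if i + 1 < len(digest) else 0
        out.append(ALPHABET[((digest[i] >> j) | (nxt << (8 - j))) & 0x1F])
    return "".join(out)

def guix_sha256(data: bytes) -> str:
    return nix_base32(hashlib.sha256(data).digest())

def is_guix_sha256(text: str) -> bool:
    return len(text) == 52 and not set(text) - set(ALPHABET)

def parse_mismatch(log: str) -> dict:
    """Extract the 'expected' and 'actual' hashes from a mismatch message."""
    found = {}
    for line in log.splitlines():
        line = line.lstrip("> ").strip()     # tolerate e-mail quoting
        for key in ("expected", "actual"):
            if line.startswith(key + " hash:"):
                found[key] = line.split(":", 1)[1].strip()
    return found

def verify(data: bytes, expected: str) -> bool:
    """True only if DATA hashes to EXPECTED; rejects malformed hashes."""
    if not is_guix_sha256(expected):
        raise ValueError("not a base32 SHA-256 hash")
    return hmac.compare_digest(guix_sha256(data), expected)

# The error message quoted in this report.
LOG = """\
>>> expected hash: 0zhd1ps7sz4w1x52xk3v7ng6d0rcyi7y7rcrplwkmilnq5hzjv1y
>>> actual hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
"""

if __name__ == "__main__":
    hashes = parse_mismatch(LOG)
    print("expected:", hashes["expected"], "actual:", hashes["actual"])
    sample = b""  # constructed stand-in for the downloaded file's bytes
    print(verify(sample, guix_sha256(sample)), verify(sample, hashes["expected"]))
```

In practice the bytes passed to verify() would be read from the downloaded file, for example /tmp/isrgrootx1.pem.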
This bug report was last modified 4 years and 283 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.