GNU bug report logs - #46829
Let's Encrypt certificate store (le-certs) expired

Previous Next

Package: guix;

Reported by: Christopher Baines <mail <at> cbaines.net>

Date: Sun, 28 Feb 2021 10:28:02 UTC

Severity: important

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #65 received at 46829 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Christopher Baines <mail <at> cbaines.net>, 46829 <at> debbugs.gnu.org
Subject: Re: bug#46829: Fresh install of 1.2.0 can't guix pull
Date: Sun, 11 Apr 2021 21:29:00 -0400

On Sun, Apr 11, 2021 at 04:41:11PM -0400, Leo Famulari wrote:
> On Wed, Mar 17, 2021 at 03:36:44PM +0100, Ludovic Courtès wrote:
> >   (define (honor-x509-certificates store)
> >     "Use the right X.509 certificates for Git checkouts over HTTPS."
> >     (unless (honor-system-x509-certificates!)
> >       (honor-lets-encrypt-certificates! store)))
> > 
> > By default, 1.2.0 installs ‘nss-certs’, so I would assume such
> > installations are unaffected, right?
> 
> So, the bug here is that `guix pull` is using the wrong certificate
> store. It should use le-certs, but is instead ignoring le-certs, and
> looking for a system-wide store that doesn't exist.
> 
> I tested with an installer image from current master, and the bug still
> exists.

I checked and, although there have been some changes upstream at Let's
Encrypt [0], our le-certs still works for contacting Savannah with TLS.

[0] Some new root and intermediate certificates:

https://letsencrypt.org/certificates/

Once we fix this bug, we should look into updating the le-certs package.
This bug report was last modified 3 years and 359 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.