From debbugs-submit-bounces@debbugs.gnu.org Thu Feb 16 15:29:30 2023 Received: (at submit) by debbugs.gnu.org; 16 Feb 2023 20:29:30 +0000 Received: from localhost ([127.0.0.1]:37752 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pSksj-0006aK-SZ for submit@debbugs.gnu.org; Thu, 16 Feb 2023 15:29:30 -0500 Received: from lists.gnu.org ([209.51.188.17]:54716) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pSksh-0006aC-Pg for submit@debbugs.gnu.org; Thu, 16 Feb 2023 15:29:28 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pSksh-0002Vw-JE for bug-guix@gnu.org; Thu, 16 Feb 2023 15:29:27 -0500 Received: from cathode.kb8ojh.net ([162.243.72.198]) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pSksf-0005wY-MC for bug-guix@gnu.org; Thu, 16 Feb 2023 15:29:27 -0500 Received: from anode.kb8ojh.net (pool-68-133-30-163.bflony.fios.verizon.net [68.133.30.163]) by cathode.kb8ojh.net (Postfix) with ESMTPSA id 016B04078D for ; Thu, 16 Feb 2023 20:29:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kb8ojh.net; s=cathode; t=1676579364; bh=QKpLvAmRgaxoE3kV+tP3RN9bhFyIqkGZPLRLHzAgIKE=; h=Date:From:To:Subject:From; b=eCQ7ZM8LPA3VMCd1u48mZNhU7UwNlWN/iUC1w6kXd3fzSwbY5HFNeGzvIJFm3/xnR R5baHERq0FCBstc9V4e6n9u0ht5tvSsF7ce8d8cW5GdFrt8Kvg43orghMI8z9USJEp avUZzJgP2X6wla59rs9fOon6K6cTZBxQO22ls4ac= Received: by anode.kb8ojh.net (Postfix, from userid 1000) id ADD8E400D9; Thu, 16 Feb 2023 15:29:23 -0500 (EST) Date: Thu, 16 Feb 2023 15:29:23 -0500 From: Ethan Blanton To: bug-guix@gnu.org Subject: vdirsyncer fails to verify certificates Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GnuPG-Fingerprint: 2A9A 7752 8B91 6586 6289 FD3D 6CA9 2AC6 A1A8 AD0E Received-SPF: pass client-ip=162.243.72.198; envelope-from=elb@kb8ojh.net; helo=cathode.kb8ojh.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) Package: vdirsyncer Version: 0.19.0 I am using Guix on a foreign distro of Debian GNU/Linux 11 (bullseye). I have the following manifest installed in particular profile: (specifications->manifest (list "go" "sbcl" "khal" "mutt" "nss-certs" "protobuf" "vdirsyncer")) Since vdirsyncer updated to 0.19.0, I cannot sync with any remote host using CalDAV or HTTPS iCalendar files. This is reproducible with my private servers, Microsoft Outlook 365 calendars, Google Calendars, and others. I have moset recently verified it with Guix 312f1f4 and a vdirsyncer producing /gnu/store/9aa2bj3likla61zqbsim1a1c99k3jk93-vdirsyncer-0.19.0 (I don't know how to give a more precise or useful install, please let me know if I should, and how I would), but I have narrowed the breaking change down to Guix revision f635f725778f86abaa77f674f8f670f74bffd7be. Revision ed18b697c4783f139e23731f5bd0b0ed197997bb, which is vdirsyncer 0.18.0, works as expected. The lightly redacted error that vdirsyncer produces is: error: Unknown error occurred for [config entry]/calendarname: Cannot connect to host cloud.kb8ojh.net:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')] An example configuration that causes this is: [storage samplecalendar_public] type = "http" url = "https://calendar.google.com/calendar/ical/[redacted]group.calendar.google.com/public/basic.ics" [storage localcalendar_public] type = "filesystem" path = "~/.calendars/public" fileext = ".ics" [pair public_calendar] a = "samplecalendar_public" b = "localcalendar public" collections = [ "from a" ] It appears that the root cause is in Python aiohttp, as starting the python3 interpreter invoked by the vdirsyncer binary in the installed profile with the GUIX_PYTHONPATH provided, then attempting to fetch an HTTPS URL using aiohttp, will fail with an SSL error. I cannot tell if the root configuration problem is in vdirsyncer and its dependencies or in aiohttp, so I am reporting it against vdirsyncer, which I can confirm is broken. I have tried installing various certificate packages and other packages that seemed like they might be related (such as nss-certs, nss itself, gnutls, etc.), but not found anything that seemed to resolve the issue. This bug that I have reported upstream is related, but I think the problem is with the Guix packaging and/or dependencies, not with vdirsyncer itself: https://github.com/pimutils/vdirsyncer/issues/1034 Ethan From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 24 21:31:01 2023 Received: (at submit) by debbugs.gnu.org; 25 Feb 2023 02:31:01 +0000 Received: from localhost ([127.0.0.1]:38679 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVkKz-0004dG-3k for submit@debbugs.gnu.org; Fri, 24 Feb 2023 21:31:01 -0500 Received: from lists.gnu.org ([209.51.188.17]:45866) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVkKx-0004d7-5V for submit@debbugs.gnu.org; Fri, 24 Feb 2023 21:30:59 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pVkKw-0003u7-Pn for bug-guix@gnu.org; Fri, 24 Feb 2023 21:30:58 -0500 Received: from cathode.kb8ojh.net ([162.243.72.198]) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pVkKv-0000wB-5j for bug-guix@gnu.org; Fri, 24 Feb 2023 21:30:58 -0500 Received: from anode.kb8ojh.net (pool-68-133-30-163.bflony.fios.verizon.net [68.133.30.163]) by cathode.kb8ojh.net (Postfix) with ESMTPSA id 9E89A405C6 for ; Sat, 25 Feb 2023 02:30:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kb8ojh.net; s=cathode; t=1677292255; bh=8Fbg8P76grBLSR//juAYGGlVUy0tuyXcOO/4YI2nL64=; h=Date:From:To:Subject:From; b=IWea+yGIUW/oz7UIl3uM9l/bYPjQIO2ntO8IuQtfZ9d6owb/rJDK6ZH6S6hXCR37w IMg+NiPoPxSzFH7rm2xwrOaqky40AUfFMq3KTLNWFkejIzEtsYP6mRG+x9xW0OFzrv xIB3MByA/iqBjGduOXOh0qgw4g2EDkjv/Tx3gyds= Received: by anode.kb8ojh.net (Postfix, from userid 1000) id 585E3400E9; Fri, 24 Feb 2023 21:30:55 -0500 (EST) Date: Fri, 24 Feb 2023 21:30:55 -0500 From: Ethan Blanton To: bug-guix@gnu.org Subject: bug database indexing problem for bug #61557 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GnuPG-Fingerprint: 2A9A 7752 8B91 6586 6289 FD3D 6CA9 2AC6 A1A8 AD0E Received-SPF: pass client-ip=162.243.72.198; envelope-from=elb@kb8ojh.net; helo=cathode.kb8ojh.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) Bug #61557, filed against the vdirsyncer package in Guix and having the title "vdirsyncer fails to verify certificates", does not show up in the Guix bug database at issues.guix.gnu.org when searching by keywords such as "vdirsyncer" or "certificates", although it does appear when searching for "61557". There may be an indexing problem. (Filing at the request of nckx/irc) From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 24 21:41:10 2023 Received: (at control) by debbugs.gnu.org; 25 Feb 2023 02:41:10 +0000 Received: from localhost ([127.0.0.1]:38684 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVkUo-0004tF-Av for submit@debbugs.gnu.org; Fri, 24 Feb 2023 21:41:10 -0500 Received: from cathode.kb8ojh.net ([162.243.72.198]:56710) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVkUn-0004t7-5s for control@debbugs.gnu.org; Fri, 24 Feb 2023 21:41:09 -0500 Received: from anode.kb8ojh.net (pool-68-133-30-163.bflony.fios.verizon.net [68.133.30.163]) by cathode.kb8ojh.net (Postfix) with ESMTPSA id A2F10406D0 for ; Sat, 25 Feb 2023 02:41:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kb8ojh.net; s=cathode; t=1677292868; bh=wM50JBK9FkCYrGw0cRO2i/Cz/XjHbObz/U+bTIpB0U8=; h=Date:From:To:Subject:From; b=W4Ujg3y0BYh+Ye/c0QeJz/Sn2JgutgrBN9D+qwZeJ3JBQwk56nBozzcUBDbj4m0wz EwBtLk1ft6z5slTwTCnoSp+gEB2cN9X4fJzd2/YL86HntA+17kTQmjvHvz8JzSUCCb 9I0BnbKU+yCvbRnLaYf0I3//BSy8w49P5OmpjnB0= Received: by anode.kb8ojh.net (Postfix, from userid 1000) id 51ADA400E9; Fri, 24 Feb 2023 21:41:08 -0500 (EST) Date: Fri, 24 Feb 2023 21:41:08 -0500 From: Ethan Blanton To: control@debbugs.gnu.org Subject: reassign 61557 guix Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GnuPG-Fingerprint: 2A9A 7752 8B91 6586 6289 FD3D 6CA9 2AC6 A1A8 AD0E X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) reassign 61557 guix thanks From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 24 21:44:08 2023 Received: (at 61557) by debbugs.gnu.org; 25 Feb 2023 02:44:08 +0000 Received: from localhost ([127.0.0.1]:38690 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVkXf-0004yD-Qx for submit@debbugs.gnu.org; Fri, 24 Feb 2023 21:44:08 -0500 Received: from tobias.gr ([80.241.217.52]:58706) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVkXd-0004y0-Hh; Fri, 24 Feb 2023 21:44:06 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=2WaS5/WUjYGEa 7AuAGD9u6zoL3MJxNPaC/5l2o8H2Uw=; h=subject:to:from:date; d=tobias.gr; b=NJAfWhn9rnNGavy+Ijxr016PCAFAoRDKotOSMYZixRZPiOpPrGdKnDkWFGX00rkP61Df /pqmqgYm8PpZ/YKdI43QipO5fB0jt/J1moz80ET2R0bX6Gl9C9ZVMQifgB7r/HmqR5v++5 IX7eNT8Q8pzGD7cpe+mnQIdfrhNqzCJJ+Z0TmH2A1frt69CEZXcQ/tRNycO11p3+oSHkhD lX87TJEhZzSjVnGGGm3m+SofCiYgT6rZAhOXfbGhs4M4+FXuAmU76ueI4Xt6UqdXv6+R4X Fa1HYCNgrepXXcY4RODtkmqgRe1Od2fk2daG4NFT/jDFRDcMAmgdrgAHstX1UauA== Received: by submission.tobias.gr (OpenSMTPD) with ESMTP id 8b075506; Sat, 25 Feb 2023 02:44:01 +0000 (UTC) MIME-Version: 1.0 Date: Sat, 25 Feb 2023 03:44:01 +0100 From: Tobias Geerinckx-Rice To: control@debbugs.gnu.org, 61557@debbugs.gnu.org Subject: vdirsyncer fails to verify certificates Message-ID: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 61557 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) reassign 61557 guix thanks Hi, I had missed the Package: pseudo-header because I shouldn't be alive at this point. All Guix bugs should be filed against the ‘guix’ package, no matter what the package—confusing, I know. Luckily, sending mail to bug-guix@ does this for you, so you don't usually need to think about it. Thanks again! Kind regards, T G-R Sent from a Web browser. Excuse or enjoy my brevity. From debbugs-submit-bounces@debbugs.gnu.org Sat Feb 25 03:59:09 2023 Received: (at submit) by debbugs.gnu.org; 25 Feb 2023 08:59:09 +0000 Received: from localhost ([127.0.0.1]:39018 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVqOb-0005YK-2J for submit@debbugs.gnu.org; Sat, 25 Feb 2023 03:59:09 -0500 Received: from lists.gnu.org ([209.51.188.17]:43472) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pVqOY-0005YA-Fz for submit@debbugs.gnu.org; Sat, 25 Feb 2023 03:59:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pVqOX-0007zk-W3; Sat, 25 Feb 2023 03:59:06 -0500 Received: from mout.gmx.net ([212.227.15.15]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pVqOW-0004kX-Ab; Sat, 25 Feb 2023 03:59:05 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1677315539; i=michael.albinus@gmx.de; bh=I9JTetBNItDsrdXajS3cpTYM/dqdAuZJKx2dyGx/NZE=; h=X-UI-Sender-Class:From:To:Cc:Subject:In-Reply-To:References:Date; b=X/BCXpexW9sr8e5lRjFleD1rYxWG1TG3T/jcr++eBwLJflGcAMPAAR0ghSQlvGcrZ UlLlnLmspXUfwHVQIHomdpTpvL29+yj4Ldd7cY8Y/05BgN0bjDC8WfeCcUUXNu6QqP lWFSZdDuPIdh895IbtrYf8KS2fh+dgCgJ5U5Ita485aBk8XkF/rothePzQElq+wW1X GFEK7/TXfZCbMe720YvehiVUSgFDZlKt9dyjUVh88OELsgv9cqV3Zf2Sh/T5mwZs14 jwweyhmp6F6ns4D0jqtDkSwnoiqLS4a5xOTB2T9wIQcv3RzQ8r3QIB/Kz1N2sN7Bj+ V3Zge3xu18jxw== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from gandalf.gmx.de ([185.89.39.22]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MFsZ3-1pHrMz44gZ-00HKnJ; Sat, 25 Feb 2023 09:58:59 +0100 From: Michael Albinus To: Ethan Blanton via "General discussion for the tracker at debbugs.gnu.org" Subject: Re: bug#61557: bug database indexing problem for bug #61557 In-Reply-To: (Ethan Blanton via's message of "Fri, 24 Feb 2023 21:30:55 -0500") References: Date: Sat, 25 Feb 2023 09:58:57 +0100 Message-ID: <87r0uew27i.fsf@gmx.de> User-Agent: Gnus/5.13 (Gnus v5.13) MIME-Version: 1.0 Content-Type: text/plain X-Provags-ID: V03:K1:X5Y1iOXcnMIUVyWw1y94buxhBjsW4ANE9cTpE6+NU9JrTLWSpOc Uz+vjKqwnlZuCKDN/ohnqc1ymZkvxB2RDVX7aKzqpVlfX5jZCZI7OletQOX16MS8tv5LJD1 AQiaQvn+MyBnpey0VQ4Gl67aOnuAfQl5eHVjYno0D9xd87pfSS9NpBvi1NadgdTPkgxukMr I/9H3RhlR7u5MdJgQJq/Q== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:+Eu6MGUdEq4=;GPQBn+AgG9Z9teP/90Yoe+PuJFK DJQUUlOlPgVrKWh8l1mmEwZ7TJ4anHZWjmmpnLrLUqg+AxgAqRPc410HhI6CGxf8BIS4THGBO RWTuvcXJoz7ERvBhi21qHITw0x+fi9M+HZJHq3e6OTWe2HNC7dMqubUdSVk1soTfZ8FxCypp5 AY4cTAuyiwAyZHSN6+E4Q6Bp877vXyAK1hi2zrwElDJRbduuIsIaB6ZEfugircg4Vef89B3CU VyQ0BPRfW4W9fFl65TIEc14rl7CEBAYH/FIMmGEfyRG2uLbEuzxWtGIHrBF4l2ZKs5gTJn8oS 30MnT07VlrbP+kM5A3rNjbIQ6L8Y+9HsJlyFulRsAtAQTs1LyyW6jQ3/H032GzeT2ldPTDGC5 vvH09UpoVeGk8tM0Q7+Uq0CYO5H1qf2NO0q0VrOkrkrwasoPxF2CInpdaMwsLoaD20M2TpPZU TxKEG/QqMKyQm/5nvlEPMn6/TzyboZlb1sBZiP4PLSbd3ST+l/qbiVMWUql59erHA7YXrJwEC wijXCKx2Rh7GFvjBNnXEGM/OS8k5GJFFEs3eSc+x0g8FB0ptkMbBvvDOMDE4E+VXWV77wwx2Y OIF6cXpqsWxAK763qZ8Uuk2HJGzzp2KGvS+3uEQuHc6NmhRw+3KHKQH64XkDgpUnitTid3Ggk q+Kq4rCwRjBKhAEgVmfphduMi9dOZs8dtXhwxiigAFem5RlxcluaE7SsfPoW2yKUqPiekZzzR c7RMbW2LSY9WU5K9xzIiOqrp6NABBCXMg6GxKQu3GYTPMJOULgzR0Hv8dGSBUN1sayh+UtTOv uf43//ajy3Y8GEjxv0jwkJiGSiHM4g6+Jt+KmbvciMl4tqY4dJvfvh/56VU4IBeMLlv7ox2l2 whB8izYOO5FVUIuvksPCaSIOjgJp4zvFH6lRx+6tVOBJyqtN1yspNccS2MdKeicTeKqleuQE2 EYWQCcyWDgPEkscyXuCH2H6TMo8= Received-SPF: pass client-ip=212.227.15.15; envelope-from=michael.albinus@gmx.de; helo=mout.gmx.net X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit Cc: Ethan Blanton , bug-guix@gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) Ethan Blanton via "General discussion for the tracker at debbugs.gnu.org" writes: Hi Ethan, > Bug #61557, filed against the vdirsyncer package in Guix and having > the title "vdirsyncer fails to verify certificates", does not show up > in the Guix bug database at issues.guix.gnu.org when searching by > keywords such as "vdirsyncer" or "certificates", although it does > appear when searching for "61557". When I search for vdirsyncer, bug#61557 appears in the hit list. Searching for certificates does not show such a hit. However, in the bug messages this word appears only as certificates" or "certificates". This seems to prevent the word to be indexed. The HyperEstraier search engine counts only words, and a leading or trailing apostrophe seems to suppress a string to be regarded as word. Just a guess, but it is the most plausible explanation. Best regards, Michael. From debbugs-submit-bounces@debbugs.gnu.org Sat Feb 25 16:52:20 2023 Received: (at 61557) by debbugs.gnu.org; 25 Feb 2023 21:52:20 +0000 Received: from localhost ([127.0.0.1]:41726 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pW2Sq-0006au-Fb for submit@debbugs.gnu.org; Sat, 25 Feb 2023 16:52:20 -0500 Received: from wout1-smtp.messagingengine.com ([64.147.123.24]:37491) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pW2Sp-0006af-06 for 61557@debbugs.gnu.org; Sat, 25 Feb 2023 16:52:19 -0500 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 0347D32001AB; Sat, 25 Feb 2023 16:52:10 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Sat, 25 Feb 2023 16:52:11 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:date:date:from:from:in-reply-to:message-id :mime-version:reply-to:sender:subject:subject:to:to; s=mesmtp; t=1677361930; x=1677448330; bh=yTLNyZM4rnV0WVQvJJ2C0YJNSrsonVWB opNeEFWsu6E=; b=K8vkJmgA7XaTJLsvhQnjG/GigQb+az6G0b9qyDcMwRAToqP/ TdfgjpLOPZhM4dz+VS7qJAksOLMgPky9QSqzGaxGQB52wE2fPfHAnIYrTBbc79QZ gYFXTSy/0Gi3pYli1ZQIaAW7tHoco2QPQaoDoeonCZANNQK6PqZqBUm0a1I= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:message-id:mime-version :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1677361930; x= 1677448330; bh=yTLNyZM4rnV0WVQvJJ2C0YJNSrsonVWBopNeEFWsu6E=; b=B 4ixVNAzJE5VJLrP1077dDhl8QROa6UTwC9iE1R4RCFYaqK3mTKFSKzG3qX9Lypwb 6lYK4+IkjDmwObbPB01wjM94LwxoWHRFGJggt4lnjMNzqXCZ7HzCT+WfraRzRYa2 bvEyzM/Ahmm7AowhFZNPsUywBvrYCFhytimr5VKwH1V/W+0eImOLV2Mmpd0dNNby Kj3QvwN0HM9WEVOY1IirI4YtFfosDSovOh84+uf8lLGou6naoT8fYSzAmbi+f5MB jgFJnQoL0bSCW+NsihQCkDNjkY6P9OzZKZY+BTH/2mqq1UtkUZ53eEmZ/lIvoQ8k chx4d+X5q/UEYBUlpd3Fw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrudekiedgleduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesthdtredttd dtvdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhi rdhnrghmvgeqnecuggftrfgrthhtvghrnhepffehtdeffedtvdeuieefudeujedvkeehff euieejgfdvteelgeehgeefheehuddunecuvehluhhsthgvrhfuihiivgeptdenucfrrghr rghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghmvg X-ME-Proxy: Feedback-ID: i819c4023:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA for <61557@debbugs.gnu.org>; Sat, 25 Feb 2023 16:52:10 -0500 (EST) Date: Sat, 25 Feb 2023 16:52:08 -0500 From: Leo Famulari To: 61557@debbugs.gnu.org Subject: Re: vdirsyncer fails to verify certificates Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 61557 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Thanks for the report! Did you follow the instructions about X.509 Certificates in the manual section Application Setup? That section is about using Guix on other distros. I use vdirsyncer from Guix on Debian and it works fine when validating X.509 / TLS / HTTPS certificates. From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 26 18:05:26 2023 Received: (at 61557) by debbugs.gnu.org; 26 Mar 2023 22:05:27 +0000 Received: from localhost ([127.0.0.1]:46036 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgYUQ-0000KC-IN for submit@debbugs.gnu.org; Sun, 26 Mar 2023 18:05:26 -0400 Received: from cathode.kb8ojh.net ([162.243.72.198]:36424) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgYUO-0000K4-Q5 for 61557@debbugs.gnu.org; Sun, 26 Mar 2023 18:05:25 -0400 Received: from anode.kb8ojh.net (pool-68-133-30-163.bflony.fios.verizon.net [68.133.30.163]) by cathode.kb8ojh.net (Postfix) with ESMTPSA id CD7D94040B for <61557@debbugs.gnu.org>; Sun, 26 Mar 2023 22:05:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kb8ojh.net; s=cathode; t=1679868323; bh=DvKaJUqkDAmWw41ipL3xjemwgeWqAW2ZaQtWaaV53ww=; h=Date:From:To:Subject:From; b=cIYFQEnJkrPkU0/rAiIwcAiUP6XFdBfDvRvQo9FDMZuf5o/JXx4xwC5rmcYSc59ua n3erTWV+i90ytfs7hN7M9JtHNsdUYk1SZyvsFV0lt8iQrCxHoF9sOE/uf63IFYyROd 3J+mUVcCfiEJYuVQJ19g478xU5T2tG8FEqhYgDu4= Received: by anode.kb8ojh.net (Postfix, from userid 1000) id 56D61418AA; Sun, 26 Mar 2023 18:05:25 -0400 (EDT) Date: Sun, 26 Mar 2023 18:05:25 -0400 From: Ethan Blanton To: 61557@debbugs.gnu.org Subject: Re: vdirsyncer fails to verify certificates Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GnuPG-Fingerprint: 2A9A 7752 8B91 6586 6289 FD3D 6CA9 2AC6 A1A8 AD0E X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 61557 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) (Pardon the delay, for some reason I do not get email notifications for this bug.) I had read the X.509 Certificates section of the manual, but since my certificates ARE in the default location of /etc/ssl/certs, and vdirsyncer had previously worked, for some reason I did not dig into it deeply enough, or perhaps I attempted to set it up wrongly at some point in the past. Setting SSL_CERT_DIR=/etc/ssl/certs in my environment fixes the vdirsyncer package, and it syncs correctly. I have also discovered that python aiohttp will correctly verify certificates WITHOUT this environment variable with: guix shell -P -C -N python python-aiohttp nss-certs openssl Leaving out EITHER nss-certs OR openssl causes aiohttp to exhibit the same behavior as vdirsyncer. However, including both of these packages in the same (foreign distro) profile that includes vdirsyncer does NOT cause vdirsyncer to correctly verify certificates. I am not sure what this means for this bug; certainly the change from "working without extra configuration" to "broken without extra configuration" is a regression in user experience, but it may be that it is working as intended. It seems to me that the principle of least astonishment for foreign distro users would suggest that python aiohttp defaults to loading /etc/ssl/certs from the foreign distro, if present. From debbugs-submit-bounces@debbugs.gnu.org Mon Mar 27 08:50:18 2023 Received: (at 61557) by debbugs.gnu.org; 27 Mar 2023 12:50:18 +0000 Received: from localhost ([127.0.0.1]:46760 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgmIk-0004lk-86 for submit@debbugs.gnu.org; Mon, 27 Mar 2023 08:50:18 -0400 Received: from ns13.heimat.it ([46.4.214.66]:36674) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pgmIh-0004lS-3s for 61557@debbugs.gnu.org; Mon, 27 Mar 2023 08:50:16 -0400 Received: from localhost (ip6-localhost [127.0.0.1]) by ns13.heimat.it (Postfix) with ESMTP id C26D930087D; Mon, 27 Mar 2023 12:50:08 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it Received: from ns13.heimat.it ([127.0.0.1]) by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THWTAuI7pbbH; Mon, 27 Mar 2023 12:50:06 +0000 (UTC) Received: from bourrache.mug.xelera.it (unknown [93.56.161.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by ns13.heimat.it (Postfix) with ESMTPSA id CEBE030085C; Mon, 27 Mar 2023 12:50:06 +0000 (UTC) Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14]) by bourrache.mug.xelera.it (Postfix) with SMTP id 550B52481ED8; Mon, 27 Mar 2023 14:50:06 +0200 (CEST) Received: (nullmailer pid 25936 invoked by uid 1000); Mon, 27 Mar 2023 12:50:05 -0000 From: Giovanni Biscuolo To: Ethan Blanton , 61557@debbugs.gnu.org Subject: Re: bug#61557: vdirsyncer fails to verify certificates In-Reply-To: Organization: Xelera.eu References: Date: Mon, 27 Mar 2023 14:50:04 +0200 Message-ID: <87mt3y2war.fsf@xelera.eu> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 61557 Cc: Leo Famulari X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi Ethan, I'm also using Guix on a foreign distribution (Debian) Ethan Blanton via Bug reports for GNU Guix writes: > I had read the X.509 Certificates section of the manual, but since my > certificates ARE in the default location of /etc/ssl/certs, and > vdirsyncer had previously worked, for some reason I did not dig into > it deeply enough, or perhaps I attempted to set it up wrongly at some > point in the past. I'm pretty sure my default profile vdirsyncer was working in the past but stopped working while ago for this very same issue [1]; vdirsyncer it's not working in my default profile but it's working in my "emacs" profile Reading (again) the "X.509 Certificates" section [2] I realized that I had not set up SSL_CERT_DIR and SSL_CERT_FILE env variables in my .profile After adding this to my .profile: =2D-8<---------------cut here---------------start------------->8--- export SSL_CERT_DIR=3D"$HOME/.guix-profile/etc/ssl/certs" export SSL_CERT_FILE=3D"$HOME/.guix-profile/etc/ssl/certs/ca-certificates.c= rt" =2D-8<---------------cut here---------------end--------------->8--- now "vdirsyncer sync" is working (in my default profile, including cron jobs) As I said before, the SSL_CERT_* variables setting was/is not necessary in my emacs profile and it depends on this: within a shell in my emacs profile I have: =2D-8<---------------cut here---------------start------------->8--- $: cat $GUIX_PROFILE/etc/profile | grep -i ssl export CURL_CA_BUNDLE=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7= dlvi6rpxh-profile}/etc/ssl/certs/ca-certificates.crt" export SSL_CERT_FILE=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7d= lvi6rpxh-profile}/etc/ssl/certs/ca-certificates.crt" export SSL_CERT_DIR=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7dl= vi6rpxh-profile}/etc/ssl/certs" export GIT_SSL_CAINFO=3D"${GUIX_PROFILE:-/gnu/store/hwc2pm42r2xg3mv0f7jlkf7= dlvi6rpxh-profile}/etc/ssl/certs/ca-certificates.crt" =2D-8<---------------cut here---------------end--------------->8--- within a shell in my default profile: =2D-8<---------------cut here---------------start------------->8--- $: cat $GUIX_PROFILE/etc/profile | grep -i ssl export GIT_SSL_CAINFO=3D"${GUIX_PROFILE:-/gnu/store/ylycvfsnm1gkzhph39g62bw= bc9lbh3g7-profile}/etc/ssl/certs/ca-certificates.crt" =2D-8<---------------cut here---------------end--------------->8--- For sure it depends on the fact that an installed package in my emacs profile (curl, not installed in my default profile) is adding "SSL_CERT_FILE" and "SSL_CERT_DIR" in $GUIX_PROFILE/etc/profile Since I usually source the latter when I switch to my "emacs" profile before starting emacs in a shell: =2D-8<---------------cut here---------------start------------->8--- GUIX_PROFILE=3D"$GUIX_EXTRA_PROFILES"/emacs/emacs; . "$GUIX_PROFILE"/etc/pr= ofile =2D-8<---------------cut here---------------end--------------->8--- I get the two env variables defined in my "emacs" profile, while in my default profile I don't > Setting SSL_CERT_DIR=3D/etc/ssl/certs in my environment fixes the > vdirsyncer package, and it syncs correctly. I'd use the Guix certs installed via nss-certs, but both dirs works obviously Please note that you should set SSL_CERT_FILE for other software > I have also discovered that python aiohttp will correctly verify > certificates WITHOUT this environment variable with: > > guix shell -P -C -N python python-aiohttp nss-certs openssl > > Leaving out EITHER nss-certs OR openssl causes aiohttp to exhibit the > same behavior as vdirsyncer. > > However, including both of these packages in the same (foreign distro) > profile that includes vdirsyncer does NOT cause vdirsyncer to > correctly verify certificates. Strange behaviour, please can you tell us what is the output of this command: =2D-8<---------------cut here---------------start------------->8--- guix shell --pure --container coreutils grep nss-certs openssl -- env | gre= p -i ssl =2D-8<---------------cut here---------------end--------------->8--- I get this (meaning that both SSL env variables are defined): =2D-8<---------------cut here---------------start------------->8--- SSL_CERT_DIR=3D/gnu/store/1ghginmnzplmp3nbv2jsavjgdjhgq4i3-profile/etc/ssl/= certs SSL_CERT_FILE=3D/gnu/store/1ghginmnzplmp3nbv2jsavjgdjhgq4i3-profile/etc/ssl= /certs/ca-certificates.crt =2D-8<---------------cut here---------------end--------------->8--- while with =2D-8<---------------cut here---------------start------------->8--- guix shell --pure --container coreutils grep nss-certs -- env | grep -i ssl =2D-8<---------------cut here---------------end--------------->8--- I get no output (meaning that env is missing SSL_CERT_* variables) So in my tests openssl (and curl) are defining "SSL_CERT_FILE" and "SSL_CERT_DIR" in $GUIX_PROFILE/etc/profile I guess that also nss-certs package could add both "SSL_CERT_FILE" and "SSL_CERT_DIR" in $GUIX_PROFILE/etc/profile but I don't know the ratio for this choiche > I am not sure what this means for this bug; certainly the change from > "working without extra configuration" to "broken without extra > configuration" is a regression in user experience, but it may be that > it is working as intended. The bug I see here is that X.509 certificates are "working without extra configuration" **depending** on installed packages. If possible I'd patch nss-certs in order to add "SSL_CERT_FILE" and "SSL_CERT_DIR" to $GUIX_PROFILE/etc/profile, this would also avoid the extra step of "manually" defining X.509 related variables on foreign distros I'd also investigate this "meta-issue" for other packages, e.g. for R that needs "CURL_CA_BUNDLE", added when installing curl but not r-minimal > It seems to me that the principle of least astonishment for foreign > distro users would suggest that python aiohttp defaults to loading > /etc/ssl/certs from the foreign distro, if present. IMHO it's better to use the nss-certs installed via Guix than the foreign distro ones HTH! Gio' [1] maybe I was using a Guix package able to add "SSL_CERT_FILE" and "SSL_CERT_DIR" to $GUIX_PROFILE/etc/profile and then I removed it [2] https://guix.gnu.org/en/manual/en/html_node/X_002e509-Certificates.html =2D-=20 Giovanni Biscuolo Xelera IT Infrastructures --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJABAEBCgAqFiEERcxjuFJYydVfNLI5030Op87MORIFAmQhkP0MHGdAeGVsZXJh LmV1AAoJENN9DqfOzDkST8QP/3C+zDL9KIeZZqjN8iLIFfFDz5gqyN5z30EpWXID du/CGki6GiiGOlQ78i4cByIk9bskLD7pLGUgsU66gmMOrP3JYUa+e8CM/XPKtkmH t8j7wvWO0Na+liSVk7zqzmaw7lOzycy9QToK3XC2sidlh4eDThs62x6L3VCCtHq7 CoyomJYO0XM9sewnkR3+GNJr5RZjZP1TzPVYCMf4ziJKnZ8c6VHq2PepOJJn8rLv D5UeRmB4z0HG9vwmnFax6zm0joV0Bn4hOZLBpbrJZd5v5qDBwocwTUDk4BffLH3D 1QzORklqkE4+10WVfxsl3gPi7GEkVxPsD8LigiiEDLo48dG7X0952GQcA1bEGbof ZawD3hFjQyDzQNTuDOt5L4ZYBcw8aD31cg4vKCLGvbOq9b0BiOk5+KD2MozikbBs 5rVR7XaUwLsuQwK4WHSi4xbCWsLfWprKpESt1w+qd9LH3rX3QW2926kv/6oq9SiN pES8EZi5HEXOmyNQonGb4sxCMa2UZaEoMZG7nKdKT+h4ngxXpMDmB8Bp+3uEqVoS oODseq4yvc0ygU+mOb+r6rpcmLyjZBoPIvfS36B6Xh5JimkZEUZn5I4JNh+4WrN3 lN9FqAdDwqNvPoEA/WjoIMvkrAU0GRH7ibrpKxMWfmWe1oI1gBMDPF3AA747NbrK BOG4 =4rvy -----END PGP SIGNATURE----- --=-=-=--