GNU bug report logs -
#75902
guile-gnutls does not set up search paths for the certificates
Report forwarded to bug-guix <at> gnu.org: bug#75902; Package guix. (Mon, 27 Jan 2025 22:05:02 GMT)
Acknowledgement sent to Tomas Volf <~@wolfsden.cz>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 27 Jan 2025 22:05:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
When trying to use the (web client) Guile module, one gets the following
error:
--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs -- guile -c '((@ (web client) http-get) "https://gnu.org")'
Backtrace:
In ice-9/boot-9.scm:
1752:10 7 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
6 (apply-smob/0 #<thunk 7f625f6c1300>)
In ice-9/boot-9.scm:
724:2 5 (call-with-prompt _ _ #<procedure default-prompt-handle?>)
In ice-9/eval.scm:
619:8 4 (_ #(#(#<directory (guile-user) 7f625f6c4c80>)))
In ice-9/command-line.scm:
185:19 3 (_ #<input: string 7f625f6be850>)
In unknown file:
2 (eval ((@ (web client) http-get) "https://gnu.org") #<d?>)
In web/client.scm:
576:0 1 (http-get "https://gnu.org" #:body _ # _ #:port _ # #<?> ?)
286:6 0 (tls-wrap #<closed: file 7f6256da2c40> _ # _)
web/client.scm:286:6: In procedure tls-wrap:
X.509 certificate of 'gnu.org' could not be verified:
signer-not-found invalid
--8<---------------cut here---------------end--------------->8---
It seems that guile-gnutls fails to find the certificates, which is
unexpected. Adding `curl' into the list of packages works around the
problem:
--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs curl -- guile -c '((@ (web client) http-get) "https://gnu.org")'
--8<---------------cut here---------------end--------------->8---
We can see the difference boils down to different search paths:
--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs --search-paths
export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
--8<---------------cut here---------------end--------------->8---
and
--8<---------------cut here---------------start------------->8---
$ guix shell -CN guile guile-gnutls nss-certs curl --search-paths
export PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/bin${PATH:+:}$PATH"
export SSL_CERT_DIR="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs"
export SSL_CERT_FILE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export CURL_CA_BUNDLE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export GUILE_LOAD_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/lib/guile/3.0/site-ccache:/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
--8<---------------cut here---------------end--------------->8---
I think guile-gnutls should also declare the SSL_* variables, since it
needs the certificates for the vast majority of things one could want to do
with it.
Have a nice day,
Tomas
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
Information forwarded
to bug-guix <at> gnu.org: bug#75902; Package guix. (Sat, 15 Feb 2025 21:07:02 GMT)
Message #8 received at 75902 <at> debbugs.gnu.org:
Hi,
Tomas Volf <~@wolfsden.cz> skribis:
> We can see the difference boils down to different search paths:
>
> $ guix shell -CN guile guile-gnutls nss-certs --search-paths
> export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
> export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
> export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
Instead it’s up to applications to set up their certificate search path.
See for example the discussion at <https://issues.guix.gnu.org/46779>.
Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#75902; Package guix. (Sat, 15 Feb 2025 23:59:02 GMT)
Message #11 received at 75902 <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hi,
>
> Tomas Volf <~@wolfsden.cz> skribis:
>
>> We can see the difference boils down to different search paths:
>>
>> $ guix shell -CN guile guile-gnutls nss-certs --search-paths
>> export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
>> export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
>> export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
>
> GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
> Instead it’s up to applications to set up their certificate search path.
>
> See for example the discussion at <https://issues.guix.gnu.org/46779>.
Thank you for the link. However, after reading through it, and based on
your sentence above, is guile-gnutls not in a position to be
considered an "application" that should configure the certificate search
path?
Or to put this in other words, when I want to use guile-gnutls from the
REPL, what is the "application" that should configure the search
path, if not guile-gnutls itself?
Have a nice day,
Tomas
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
Information forwarded to bug-guix <at> gnu.org: bug#75902; Package guix. (Fri, 21 Feb 2025 10:11:01 GMT)
Message #14 received at 75902 <at> debbugs.gnu.org:
Hi,
Tomas Volf <~@wolfsden.cz> skribis:
>> GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
>> Instead it’s up to applications to set up their certificate search path.
>>
>> See for example the discussion at <https://issues.guix.gnu.org/46779>.
>
> Thank you for the link. However after reading through it, and basing on
> your sentence above, is the guile-gnutls not in a position to be
> considered "application" that should configure the certificate search
> path?
Well yes, we can do anything we want. My take on this is that bindings
should remain close to the library they’re wrapping, generally speaking,
to avoid bad surprises.
I think certificate search should either be up to actual applications
(like Guix), as is the case now, or be changed in GnuTLS proper. Doing it
in guile-gnutls just because we can easily do so doesn’t sound like a
good idea to me.
WDYT?
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#75902; Package guix. (Sun, 16 Mar 2025 21:38:02 GMT)
Message #17 received at 75902 <at> debbugs.gnu.org:
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hi,
>
> Tomas Volf <~@wolfsden.cz> skribis:
>
>>> GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
>>> Instead it’s up to applications to set up their certificate search path.
>>>
>>> See for example the discussion at <https://issues.guix.gnu.org/46779>.
>>
>> Thank you for the link. However after reading through it, and basing on
>> your sentence above, is the guile-gnutls not in a position to be
>> considered "application" that should configure the certificate search
>> path?
>
> Well yes, we can do anything we want. My take on this is that bindings
> should remain close to the library they’re wrapping, generally speaking,
> to avoid bad surprises.
>
> I think certificate search should either be up to actual applications
> (like Guix), as is the case now, or be changed in GnuTLS proper. Doing it
> in guile-gnutls just because we can easily do so doesn’t sound like a
> good idea to me.
>
> WDYT?
Honestly I am not sure what I think. Since Guile is a Scheme, using it
from the REPL is fairly common, and wanting to do HTTPS requests is probably
(well, at least for me) fairly common as well.
And currently I am just not sure how to do that in an intuitive way.
The first approach anyone probably tries is:
--8<---------------cut here---------------start------------->8---
guix shell -CN guile -- guile
--8<---------------cut here---------------end--------------->8---
However, we all know that does not work. You need both guile-gnutls and
nss-certs to get it working, but you can probably get that far by trial
and error:
--8<---------------cut here---------------start------------->8---
guix shell -CN guile guile-gnutls nss-certs -- guile
--8<---------------cut here---------------end--------------->8---
However, this *also* does not work; you need to define the environment
variables. My personal solution is to just throw curl into the pile of
packages to get them, but that is neither intuitive nor elegant.
So while I do understand your point above, I also want to have a Guile
REPL that is easy to use, including for networking experimentation.
Maybe a `guile-full' package that would have a wider list of dependencies?
I am thinking guile-gnutls, guile-readline, guile-colorized, nss-certs
and a command wrapper to set the environment. Opinions?
Tomas
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
Information forwarded to bug-guix <at> gnu.org: bug#75902; Package guix. (Tue, 18 Mar 2025 16:46:02 GMT)
Message #20 received at 75902 <at> debbugs.gnu.org:
Hi,
On Fri, 21 Feb 2025 at 11:10, Ludovic Courtès <ludo <at> gnu.org> wrote:
>>> GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
>>> Instead it’s up to applications to set up their certificate search path.
>>>
>>> See for example the discussion at <https://issues.guix.gnu.org/46779>.
[...]
> I think certificate search should either but up to actual applications
> (like Guix), as is the case now, or changed in GnuTLS proper. Doing it
> in guile-gnutls just because we can easily do so doesn’t sound like a
> good idea to me.
Somehow it’s documented [1] for the one who knows very well all the Guix
quirks. ;-)
Do we agree that typing this:
$ guix shell -CN guile guile-gnutls nss-certs
[env]$ export SSL_CERT_DIR=$GUIX_ENVIRONMENT/etc/ssl/certs
[env]$ export SSL_CERT_FILE=$GUIX_ENVIRONMENT/etc/ssl/certs/ca-certificates.crt
[env]$ guile
[...]
scheme@(guile-user)> ,use(web client)
scheme@(guile-user)> (http-get "https://gnu.org")
$1 = #<<response> version: (1 . 1) …
$2 = "<!DOCTYPE HTML PUBLIC …
is cumbersome? And not intuitive, to put it mildly.
As Tomas is proposing, maybe we could have a package
’guile-gnutls-certs’ which would do all the search-paths dance?
WDYT?
Cheers,
simon
1: https://guix.gnu.org/manual/devel/en/guix.html#X.509-Certificates
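The "command wrapper to set the environment" Tomas floats in message #17 and the manual exports Simon types in message #20, as an added example that is not code from this thread, from Guix or from guile-gnutls: a POSIX sh wrapper that derives SSL_CERT_DIR and SSL_CERT_FILE from a Guix profile (GUIX_ENVIRONMENT inside `guix shell`), refuses to start when the profile carries no nss-certs bundle, and otherwise execs guile. The function names are my own.

```sh
#!/bin/sh
# Added example, not code from the bug thread or from Guix itself.
# Does the SSL_CERT_DIR / SSL_CERT_FILE "search-paths dance" for a Guix
# profile explicitly, instead of relying on curl's search-path spec.

# tls_env_for_profile PROFILE
#   Print `export` lines pointing SSL_CERT_DIR and SSL_CERT_FILE at the
#   CA bundle nss-certs installs under PROFILE/etc/ssl/certs.  Prints
#   nothing and returns 1 when the bundle is absent, so a caller can tell
#   "nss-certs not in the profile" from "variables not exported".
tls_env_for_profile() {
  _certdir="$1/etc/ssl/certs"
  _bundle="$_certdir/ca-certificates.crt"
  [ -f "$_bundle" ] || return 1
  printf 'export SSL_CERT_DIR="%s"\n' "$_certdir"
  printf 'export SSL_CERT_FILE="%s"\n' "$_bundle"
}

# tls_env_status
#   0 when both variables are set and point at existing paths,
#   2 when either is unset, 3 when set but dangling (a stale profile).
tls_env_status() {
  [ -n "${SSL_CERT_DIR-}" ] && [ -n "${SSL_CERT_FILE-}" ] || return 2
  [ -d "$SSL_CERT_DIR" ] && [ -f "$SSL_CERT_FILE" ] || return 3
  return 0
}

# guile_with_certs [GUILE-ARGS...]
#   Inside `guix shell -CN guile guile-gnutls nss-certs`, GUIX_ENVIRONMENT
#   names the profile: export the variables from it (unless a usable pair
#   is already present), then replace this shell with guile.
guile_with_certs() {
  if ! tls_env_status; then
    if [ -z "${GUIX_ENVIRONMENT-}" ]; then
      echo "GUIX_ENVIRONMENT is unset; run this inside guix shell" >&2
      return 1
    fi
    _env=$(tls_env_for_profile "$GUIX_ENVIRONMENT") || {
      echo "no CA bundle under $GUIX_ENVIRONMENT; add nss-certs" >&2
      return 1
    }
    eval "$_env"
  fi
  exec guile "$@"
}
```

Source the file inside the container and call `guile_with_certs`; with the two variables exported, the `(http-get "https://gnu.org")` call from the first message verifies the chain instead of failing with signer-not-found.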