GNU bug report logs - #75917
[PATCH v2] guix: scripts: environment: add tls certs to networked containers.


Package: guix-patches;

Reported by: Richard Sent <richard <at> freakingpenguin.com>

Date: Tue, 28 Jan 2025 21:14:02 UTC

Severity: normal

Tags: patch

Merged with 70314



Message #10 received at 75917 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Richard Sent <richard <at> freakingpenguin.com>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>,
 Simon Tournier <zimon.toutoune <at> gmail.com>, Mathieu Othacehe <othacehe <at> gnu.org>,
 Ludovic Courtès <ludo <at> gnu.org>,
 Tobias Geerinckx-Rice <me <at> tobias.gr>, Ricardo Wurmus <rekado <at> elephly.net>,
 75917 <at> debbugs.gnu.org, Christopher Baines <guix <at> cbaines.net>,
 70314 <at> debbugs.gnu.org
Subject: Re: [bug#70314] [PATCH] guix: scripts: environment: add tls certs
 to networked containers
Date: Wed, 21 May 2025 16:34:46 +0900
Hello!

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hi,
>
> Richard Sent <richard <at> freakingpenguin.com> writes:
>
>> * guix/scripts/environment.scm: Add --no-tls flag. By default when starting a
>> container with -N, add nss-certs package and set SSL_CERT_DIR and
>> SSL_CERT_FILE environment variables. When --no-tls is passed, default to old
>> behavior.
>> * doc/guix.texi: Document it.
>
> I just wanted to share that I have a WIP in progress that would address
> this differently; by using p11-kit with a trusted path to nss certs by
> default:
>
> gnu: p11-kit: Add nss-certs to default trust path.
>
> * gnu/packages/tls.scm (p11-kit) [native-inputs]: Add nss-certs.
> [arguments] <#:configure-flags>: Register its etc/ssl/certs directory as a
> trust path.
>
> Change-Id: Iee727edb1f51f8503fcbdd4ec1dee0d47a6bba39
>
> 1 file changed, 5 insertions(+), 2 deletions(-)
> gnu/packages/tls.scm | 7 +++++--
>
> modified   gnu/packages/tls.scm
> @@ -61,6 +61,7 @@ (define-module (gnu packages tls)
>    #:use-module (gnu packages base)
>    #:use-module (gnu packages bash)
>    #:use-module (gnu packages build-tools)
> +  #:use-module (gnu packages certs)
>    #:use-module (gnu packages check)
>    #:use-module (gnu packages curl)
>    #:use-module (gnu packages dns)
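Review bot: the added `#:use-module (gnu packages certs)` makes (gnu packages tls) depend on (gnu packages certs); confirm that neither that module nor anything it pulls in imports (gnu packages tls), because a module cycle here only surfaces at load time. Loading the module in a REPL, or a plain `guix build p11-kit` after the change, settles it.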
> @@ -160,6 +161,7 @@ (define-public p11-kit
>             docbook-xsl
>             gettext-minimal
>             libxslt
> +           nss-certs                    ;default certs
>             pkg-config))
>      (inputs
>       (append (list libffi libtasn1)
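Review bot: nss-certs is placed under native-inputs, yet the path looked up from it in the following hunk is baked into the built p11-kit as a trust path, which is a run-time reference rather than a build-tool dependency; inputs is the right field, so that the store reference is retained and the target package (not the build-machine one) is used when cross-compiling. The `;default certs` comment could also say what it is for (e.g. `;baked in as a default trust path`). Worth stating in the commit message as well: every nss-certs update will now rebuild p11-kit and everything above it, including gnutls under the plan outlined below, which is a much larger rebuild than a certificate bundle bump caused before.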
> @@ -175,9 +177,10 @@ (define-public p11-kit
>                (string-append
>                 "-Dtrust_paths="
>                 (string-join
> -                '("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
> +                `("/etc/ssl/certs/ca-certificates.crt" ;guix, debian, gentoo, etc.
>                    "/etc/pki/tls/certs/ca-bundle.crt"   ;fedora, centos
> -                  "/var/lib/ca-certificates/ca-bundle.pem") ;opensuse
> +                  "/var/lib/ca-certificates/ca-bundle.pem"
> +                  ,(search-input-directory %build-inputs "etc/ssl/certs"))
>                  ":")))))
>      (home-page "https://p11-glue.github.io/p11-glue/p11-kit.html")
>      (synopsis "PKCS#11 library")
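Review bot: the rewritten `"/var/lib/ca-certificates/ca-bundle.pem"` line drops the `;opensuse` comment the removed line carried, and the new `,(search-input-directory %build-inputs "etc/ssl/certs")` entry has no comment saying where it comes from; restore the first and label the second (e.g. `;nss-certs`). Since p11-kit loads every listed trust path, the store directory is unioned with whatever system bundle is present rather than used as a fallback, so a CA an administrator deliberately removed from `/etc/ssl/certs/ca-certificates.crt` remains trusted through nss-certs; that deserves a sentence in the commit message next to the XDG override mechanism mentioned below.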
>
> And then building gnutls with the
> '--with-default-trust-store-pkcs11=pkcs11:' configure flag.  In theory
> that would mean that any GnuTLS using application would work out of the
> box.  p11-kit also allows users to override certs by user configuration
> in XDG directories, should someone want to add their own certs or
> override the default trust store (to be documented).

I've finally found the last details to make this work!  I will send the
series soon.  This would partially obsolete this series here in the case of
gnutls, since certs would always be made available to it.  We could look
into the p11-kit plugin for openssl to extend that same goodness to openssl.

-- 
Thanks,
Maxim



