LetsEncrypt root certificate hash changed

  • Done
Details
2 participants
  • Christopher Baines
  • Tobias Geerinckx-Rice
Owner
unassigned
Submitted by
Christopher Baines
Severity
normal


Christopher Baines wrote 5 years ago
(address . bug-guix@gnu.org)
871rqv27d2.fsf@cbaines.net
~$ guix pull
building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv...
building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv...
-sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem:
expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
actual hash: 1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92
hash mismatch for store item '/gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem'
build of /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv failed
View build log at '/var/log/guix/drvs/1r/2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv.bz2'.
cannot build derivation `/gnu/store/lv78345x77bv6103l9ssqkx4l3v7z0xj-le-certs-0.drv': 1 dependencies couldn't be built
guix pull: error: build of `/gnu/store/lv78345x77bv6103l9ssqkx4l3v7z0xj-le-certs-0.drv' failed

Tobias Geerinckx-Rice wrote 5 years ago
(address . 39615-done@debbugs.gnu.org)
878sl3hlbi.fsf@nckx
Chris,

Christopher Baines wrote:
> ~$ guix pull
> building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv...
> building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv...
> downloading from https://letsencrypt.org/certs/isrgrootx1.pem...
> -sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem:
> expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
> actual hash: 1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92

Thanks! I ran into this issue myself and updated the hashes in
505b2631a9c35bbaa5ba6771ad4f646086f23cad.

One'd assume this to be caused by a tweaked expiry date somewhere,
but the ‘contents’ of both old and new PEM files is actually the
same:
Attachment: file
I don't know what to make of that.

Kind regards,

T G-R

Closed
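
Added example, not part of the thread or of the Guix source: a way to check the observation above, that two PEM files can carry the same certificate while their store hashes differ. The sample PEM bytes are constructed, and the line-ending difference between them is an assumption for illustration, not a cause the thread identifies.

```python
import base64
import hashlib
import re

NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix/Guix alphabet: no e, o, t, u

def nix_base32(digest: bytes) -> str:
    """Encode a digest the way Guix prints it (52 characters for SHA-256)."""
    length = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_B32[c & 0x1F])
    return "".join(out)

def file_hash(data: bytes) -> str:
    """What the fixed-output download checks: SHA-256 over the raw file bytes."""
    return nix_base32(hashlib.sha256(data).digest())

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_fingerprint(pem: bytes) -> str:
    """SHA-256 over the decoded payload only; wrapping and line endings are ignored."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode(b"".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def compare(old: bytes, new: bytes) -> dict:
    """Report whether two PEM files match as files and as certificates."""
    return {
        "same_file_hash": file_hash(old) == file_hash(new),
        "same_certificate": der_fingerprint(old) == der_fingerprint(new),
    }

# Constructed sample: arbitrary bytes stand in for the DER certificate.
_payload = base64.encodebytes(bytes(range(96)))
OLD_PEM = b"-----BEGIN CERTIFICATE-----\n" + _payload + b"-----END CERTIFICATE-----\n"
NEW_PEM = OLD_PEM.replace(b"\n", b"\r\n")  # assumed difference: line endings only

if __name__ == "__main__":
    print(file_hash(OLD_PEM), file_hash(NEW_PEM), compare(OLD_PEM, NEW_PEM))
```

When `same_certificate` is true and `same_file_hash` is false, the trust anchor itself is unchanged and only the pinned file hash needs updating.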
Christopher Baines wrote 5 years ago
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 39615@debbugs.gnu.org)
87zhdjym2z.fsf@cbaines.net
Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

> Chris,
>
> Christopher Baines wrote:
>> ~$ guix pull
>> building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv...
>> building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv...
>> downloading from https://letsencrypt.org/certs/isrgrootx1.pem...
>> -sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem:
>> expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac
>> actual hash: 1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92
>
> Thanks! I ran into this issue myself and updated the hashes in
> 505b2631a9c35bbaa5ba6771ad4f646086f23cad.

Great, thanks.

However, while this change might avoid the problem with guix pull in the
future, I'm still a bit stuck. I got this from a fresh install of Guix on
the Overdrive machine I have (aarch64-linux).

I'm hoping that I'll be able to install git and the Guix dependencies,
download the repository, and then get a newer version of Guix that way,
but I'm guessing this will still be a problem for other aarch64-linux
machines unless there's a substitute out there somewhere.

Tobias Geerinckx-Rice wrote 5 years ago
(name . Christopher Baines)(address . mail@cbaines.net)(address . 39615@debbugs.gnu.org)
87h7zq97wf.fsf@nckx
Chris,

Christopher Baines wrote:
> However, while this change might avoid the problem with guix pull in the
> future, I'm still a bit stuck. I got this from a fresh install of Guix on
> the Overdrive machine I have (aarch64-linux).

I guess I've found my purpose this week and it's ‘mirroring old
shit’.

This is not at all a solution, but you can ‘guix download’ the old
.pem files here[0] and hopefully be on your merry way.

> I'm hoping that I'll be able to install git and the Guix dependencies,
> download the repository, and then get a newer version of Guix that way,
> but I'm guessing this will still be a problem for other aarch64-linux
> machines unless there's a substitute out there somewhere.

Indeed, and not just aarch64…

Kind regards,

T G-R


Tobias Geerinckx-Rice wrote 5 years ago
87ftfa96zi.fsf@nckx
Chris, Guix,

Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:
> This is not at all a solution, but you can ‘guix download’ the old
> .pem files here[0] and hopefully be on your merry way.

Actually: this shouldn't be necessary now, since I've copied these
files to berlin (and created gcroots) which ought to serve them as
substitutes.

Kind regards,

T G-R

Christopher Baines wrote 5 years ago
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 39615@debbugs.gnu.org)
87wo8mzu6t.fsf@cbaines.net
Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Christopher Baines wrote:
>> However, while this change might avoid the problem with guix pull in the
>> future, I'm still a bit stuck. I got this from a fresh install of Guix on
>> the Overdrive machine I have (aarch64-linux).
>
> I guess I've found my purpose this week and it's ‘mirroring old shit’.
>
> This is not at all a solution, but you can ‘guix download’ the old
> .pem files here[0] and hopefully be on your merry way.

Awesome, I've managed to download them and guix pull no longer fails
with that error which is great :)


This issue is archived.
