guile-gnutls does not set up search paths for the certificates

  • Open
Details
2 participants
  • Ludovic Courtès
  • Tomas Volf
Owner
unassigned
Submitted by
Tomas Volf
Severity
normal


Tomas Volf wrote 1 month ago
(address . bug-guix@gnu.org)
87ikpzhq1q.fsf@wolfsden.cz
When trying to use (web client) Guile module, one gets the following
error:

$ guix shell -CN guile guile-gnutls nss-certs -- guile -c '((@ (web client) http-get) "https://gnu.org")'
Backtrace:
In ice-9/boot-9.scm:
1752:10 7 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
6 (apply-smob/0 #<thunk 7f625f6c1300>)
In ice-9/boot-9.scm:
724:2 5 (call-with-prompt _ _ #<procedure default-prompt-handle?>)
In ice-9/eval.scm:
619:8 4 (_ #(#(#<directory (guile-user) 7f625f6c4c80>)))
In ice-9/command-line.scm:
185:19 3 (_ #<input: string 7f625f6be850>)
In unknown file:
2 (eval ((@ (web client) http-get) "https://gnu.org") #<d?>)
In web/client.scm:
576:0 1 (http-get "https://gnu.org" #:body _ # _ #:port _ # #<?> ?)
286:6 0 (tls-wrap #<closed: file 7f6256da2c40> _ # _)

web/client.scm:286:6: In procedure tls-wrap:
X.509 certificate of 'gnu.org' could not be verified:
signer-not-found invalid


It seems that guile-gnutls fails to find the certificates, which is
unexpected. Adding `curl' into the list of packages works around the
problem:

$ guix shell -CN guile guile-gnutls nss-certs curl -- guile -c '((@ (web client) http-get) "https://gnu.org")'

We can see the difference boils down to different search paths:

$ guix shell -CN guile guile-gnutls nss-certs --search-paths
export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"

and

$ guix shell -CN guile guile-gnutls nss-certs curl --search-paths
export PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/bin${PATH:+:}$PATH"
export SSL_CERT_DIR="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs"
export SSL_CERT_FILE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export CURL_CA_BUNDLE="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/etc/ssl/certs/ca-certificates.crt"
export GUILE_LOAD_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
export GUILE_LOAD_COMPILED_PATH="/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/lib/guile/3.0/site-ccache:/gnu/store/6zbi90idpfww3y4k7bcnm38lwilnxiql-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"

I think guile-gnutls should also declare the SSL_* variables, since it
needs the certificates for the vast majority of things one could want to
do with it.

Have a nice day,
Tomas

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

Ludovic Courtès wrote 3 weeks ago
(name . Tomas Volf)(address . ~@wolfsden.cz)(address . 75902@debbugs.gnu.org)
87bjv2x6j0.fsf@gnu.org
Hi,

Tomas Volf <~@wolfsden.cz> skribis:

> We can see the difference boils down to different search paths:
>
> $ guix shell -CN guile guile-gnutls nss-certs --search-paths
> export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
> export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
> export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"

GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
Instead it’s up to applications to set up their certificate search path.

See for example the discussion at https://issues.guix.gnu.org/46779.

Thanks,
Ludo’.
Tomas Volf wrote 3 weeks ago
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 75902@debbugs.gnu.org)
87v7ta69ra.fsf@wolfsden.cz
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Tomas Volf <~@wolfsden.cz> skribis:
>
>> We can see the difference boils down to different search paths:
>>
>> $ guix shell -CN guile guile-gnutls nss-certs --search-paths
>> export PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/bin${PATH:+:}$PATH"
>> export GUILE_LOAD_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"
>> export GUILE_LOAD_COMPILED_PATH="/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/lib/guile/3.0/site-ccache:/gnu/store/gg2qybb41rpcl0fs4ay98s2q3m2mcbyz-profile/share/guile/site/3.0${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"
>
> GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
> Instead it’s up to applications to set up their certificate search path.
>
> See for example the discussion at <https://issues.guix.gnu.org/46779>.

Thank you for the link. However, after reading through it, and based on
your sentence above, is guile-gnutls not in a position to be
considered an "application" that should configure the certificate search
path?

Or to put this in other words, when I want to use guile-gnutls from the
REPL, what is the "application" that should configure the search
path, if not guile-gnutls itself?

Have a nice day,
Tomas

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

Ludovic Courtès wrote 3 weeks ago
(name . Tomas Volf)(address . ~@wolfsden.cz)(address . 75902@debbugs.gnu.org)
875xl3d2w2.fsf@gnu.org
Hi,

Tomas Volf <~@wolfsden.cz> skribis:

>> GnuTLS (and thus Guile-GnuTLS) does not honor an environment variable.
>> Instead it’s up to applications to set up their certificate search path.
>>
>> See for example the discussion at <https://issues.guix.gnu.org/46779>.
>
> Thank you for the link. However, after reading through it, and based on
> your sentence above, is guile-gnutls not in a position to be
> considered an "application" that should configure the certificate search
> path?

Well yes, we can do anything we want. My take on this is that bindings
should remain close to the library they’re wrapping, generally speaking,
to avoid bad surprises.

I think certificate search should either be up to actual applications
(like Guix), as is the case now, or changed in GnuTLS proper. Doing it
in guile-gnutls just because we can easily do so doesn't sound like a
good idea to me.

WDYT?

Ludo’.
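As an added example (not code from this thread, from Guile or from guile-gnutls), here is what the "application" role Ludovic describes looks like in practice: a Guile program points (web client) at a CA directory explicitly and fails closed when none is found, rather than relying on whatever search-path variables a profile happens to export. It assumes Guile 3.0.9 or later, where (web client) exports the x509-certificate-directory parameter consulted by tls-wrap (its default, as I recall, also consults SSL_CERT_DIR, which would explain why adding curl to the profile made the report's command work); the /etc/ssl/certs fallback and the gnu.org URL are assumptions for illustration.

```scheme
;; Added example: explicit CA trust directory for Guile's (web client).
;; Assumes Guile >= 3.0.9, whose (web client) exports the
;; x509-certificate-directory parameter used by tls-wrap.
(use-modules (web client)
             (web response)
             (ice-9 match))

(define (existing-ca-directory candidates)
  "Return the first element of CANDIDATES that names an existing
directory, or #f.  Elements may be #f (unset environment variables)."
  (match candidates
    (() #f)
    ((dir . rest)
     (if (and dir (file-exists? dir) (file-is-directory? dir))
         dir
         (existing-ca-directory rest)))))

(define (fetch-verified url)
  "Fetch URL over HTTPS, verifying the server certificate against an
explicitly chosen CA directory.  Signal an error when no CA directory
is available instead of proceeding without a trust store."
  (let ((ca-dir (existing-ca-directory
                 (list (getenv "SSL_CERT_DIR")   ; e.g. exported by nss-certs/curl
                       "/etc/ssl/certs"))))      ; assumed distro default
    (unless ca-dir
      (error "no CA certificate directory found; \
install nss-certs or set SSL_CERT_DIR"))
    ;; Bind the trust directory only for this dynamic extent, so other
    ;; code in the same process keeps its own setting.
    (parameterize ((x509-certificate-directory ca-dir))
      (call-with-values (lambda () (http-get url))
        (lambda (response body)
          (response-code response))))))

;; Usage: with a populated CA directory this returns the HTTP status;
;; with an empty or missing one, verification (or the check above) fails.
(display (fetch-verified "https://gnu.org"))
(newline)
```

The check deliberately treats a missing trust store as an error: the page's own backtrace shows that GnuTLS already rejects an unverifiable certificate, and an application should keep that failure visible rather than paper over it by disabling verification.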