help-guix

Re: Certificates in pure and containerized environments


From: Maxim Cournoyer
Subject: Re: Certificates in pure and containerized environments
Date: Tue, 05 Oct 2021 13:42:32 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Wiktor Żelazny <wz@freeshell.de> writes:

> On Thu, Sep 30, 2021 at 12:08:53PM +0200, Konrad Hinsen wrote:
>
>>    guix environment --pure \
>>            --ad-hoc python nss-certs -- \
>>            python3 -c 'import urllib.request;
>> print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS"))'
>>
>> but this doesn't work - same error as initially.
>
> Hi Konrad,
>
> For some reason, it works for me with
>
>    --ad-hoc python nss-certs guix -- \
>
> . I’m neither sure if this is going to work on all machines (it works
> when isolated with
>
>    guix environment -C -N
>
> , so there’s some hope), nor whether this solution is acceptable to you.
> Perhaps, it’s abusing Guix. Maybe somebody more knowledgeable will
> comment on this.

The key thing here is whether the certs are required by OpenSSL vs
GnuTLS.  The former honors SSL_CERT_DIR, while the latter does not (I
opened an issue because I think it'd be nice to have them both honor it
the same here: [0]).  GnuTLS on Guix gets its certificates from the
hard-coded location /etc/ssl/certs/.  This needs to be bound in the
container; on a Guix System, it's also not enough to simply pass
/etc/ssl/certs/ as is, as these are symlinks to the store; you must also
expose the store or bind the etc/ssl/certs/ directory of the nss-certs
package directly.

I hope that helps!

Maxim

[0]  https://issues.guix.gnu.org/46779
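
An added diagnostic, not part of the original message: run inside the environment, it checks the directories the reply names (SSL_CERT_DIR for OpenSSL, /etc/ssl/certs for GnuTLS) and reports certificate symlinks whose store targets are not visible. The function names and the sample directory are constructed for illustration.

```python
import os
import ssl
import tempfile

def audit_cert_dir(path):
    """Split a CA directory into usable files and dangling symlinks."""
    report = {"path": path, "exists": os.path.isdir(path),
              "usable": [], "dangling": []}
    if not report["exists"]:
        return report
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        # os.path.exists() follows symlinks: it is False when the target
        # (for example a store item not exposed in the container) is absent.
        if os.path.islink(full) and not os.path.exists(full):
            report["dangling"].append((name, os.readlink(full)))
        elif os.path.isfile(full):
            report["usable"].append(name)
    return report

def candidate_dirs(environ=os.environ):
    """SSL_CERT_DIR entries (OpenSSL) followed by /etc/ssl/certs (GnuTLS)."""
    dirs = [d for d in environ.get("SSL_CERT_DIR", "").split(os.pathsep) if d]
    dirs.append("/etc/ssl/certs")
    return list(dict.fromkeys(dirs))  # de-duplicate, keep order

def build_sample(root):
    """Constructed sample: one regular file and one symlink to a missing target."""
    certs = os.path.join(root, "certs")
    os.mkdir(certs)
    with open(os.path.join(certs, "real.pem"), "w") as fh:
        fh.write("placeholder, not a real certificate\n")
    missing = os.path.join(root, "store", "placeholder-nss-certs", "ca.pem")
    os.symlink(missing, os.path.join(certs, "ca.pem"))
    return certs

def summarize(report):
    return "{path}: exists={exists} usable={u} dangling={d}".format(
        u=len(report["usable"]), d=len(report["dangling"]), **report)

if __name__ == "__main__":
    print("OpenSSL defaults:", ssl.get_default_verify_paths())
    for d in candidate_dirs():
        print(summarize(audit_cert_dir(d)))
    with tempfile.TemporaryDirectory() as root:
        print("constructed sample ->", summarize(audit_cert_dir(build_sample(root))))
```

A directory that exists but shows only dangling entries matches the case described above, where /etc/ssl/certs is passed through without the store.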


