Re: Certificates in pure and containerized environments
From: Maxim Cournoyer
Subject: Re: Certificates in pure and containerized environments
Date: Tue, 05 Oct 2021 13:42:32 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Wiktor Żelazny <wz@freeshell.de> writes:

> On Thu, Sep 30, 2021 at 12:08:53PM +0200, Konrad Hinsen wrote:
>
>> guix environment --pure \
>> --ad-hoc python nss-certs -- \
>> python3 -c 'import urllib.request;
>> print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS"))'
>>
>> but this doesn't work - same error as initially.
>
> Hi Konrad,
>
> For some reason, it works for me with
>
> --ad-hoc python nss-certs guix -- \
>
> . I’m neither sure if this is going to work on all machines (it works
> when isolated with
>
> guix environment -C -N
>
> , so there’s some hope), nor whether this solution is acceptable to you.
> Perhaps, it’s abusing Guix. Maybe somebody more knowledgeable will
> comment on this.

The key thing here is whether the certs are required by OpenSSL vs
GnuTLS. The former honors SSL_CERT_DIR, while the latter does not (I
opened an issue because I think it'd be nice to have them both honor it
the same here: [0]). GnuTLS on Guix gets its certificates from the
hard-coded location /etc/ssl/certs/. This needs to be bound in the
container; on a Guix System, it's also not enough to simply pass
/etc/ssl/certs/ as is, as these are symlinks to the store; you must also
expose the store or bind the etc/ssl/certs/ directory of the nss-certs
package directly.

I hope that helps!

Maxim

[0] https://issues.guix.gnu.org/46779
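
Added example, not part of the original message or of Guix: a small diagnostic to run inside the environment or container, reporting which directory OpenSSL-based clients will search and whether the entries of a certificate directory are symlinks whose targets are not visible (the store-not-exposed case described above). The function names and the sample directory built in `demo()` are constructed for illustration.

```python
import os
import ssl
import tempfile


def audit_cert_dir(path):
    """Classify entries of a certificate directory.

    'ok'       : entries that resolve to a regular file
    'dangling' : symlinks whose target is not visible from here, e.g. links
                 into a store that was not exposed to the container
    """
    result = {"ok": [], "dangling": []}
    if not os.path.isdir(path):
        return result
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.islink(full) and not os.path.exists(full):
            result["dangling"].append((name, os.readlink(full)))
        elif os.path.isfile(full):
            result["ok"].append(name)
    return result


def openssl_cert_dir(environ=os.environ):
    """Directory OpenSSL-based clients search: SSL_CERT_DIR if set, else the built-in default."""
    paths = ssl.get_default_verify_paths()
    return environ.get(paths.openssl_capath_env) or paths.openssl_capath


def demo():
    """Constructed sample: one real file and one symlink into a path that does not exist."""
    with tempfile.TemporaryDirectory() as d:
        certs = os.path.join(d, "certs")
        os.mkdir(certs)
        with open(os.path.join(certs, "real.pem"), "w") as f:
            f.write("constructed placeholder\n")
        os.symlink(os.path.join(d, "store-not-exposed", "ca.pem"),
                   os.path.join(certs, "ca.pem"))
        return audit_cert_dir(certs)


if __name__ == "__main__":
    print("OpenSSL-based clients look in:", openssl_cert_dir())
    print("/etc/ssl/certs (GnuTLS on Guix):", audit_cert_dir("/etc/ssl/certs"))
    print("constructed demo:", demo())
```

A non-empty `dangling` list for /etc/ssl/certs inside the container means the directory was bound but its link targets were not.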