
bug#26948: gnutls errors on multiple guix commands


From: Ludovic Courtès
Subject: bug#26948: gnutls errors on multiple guix commands
Date: Wed, 17 May 2017 14:56:15 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Hi Maxim,

Maxim Cournoyer <address@hidden> skribis:

> This problem has been ongoing for some time. It prevents me from using
> things such as "guix lint" or "guix import" (seems to be related to
> certs and gnutls). I thought a guix system reconfigure (I'm on GuixSD)
> would fix it but it hasn't, even after rebooting the system.
>
> It is reminiscent of bug#25200, but there doesn't appear to be any
> dangling symlinks this time around.
>
> The nss-certs package is present in my operating system declaration, and
> the /etc/ssl/certs directory is populated ('/etc/ssl' is a symbolic link
> pointing to /run/current-system/profile/etc/ssl).
>
> SSL_CERT_DIR is set to "/etc/ssl/certs"
> SSL_CERT_FILE is set to "/etc/ssl/certs/ca-certificates.crt"
>
>
> A couple examples of how things break:
>
> * guix lint
>
> guix lint emacs
> Backtrace:address@hidden [cve]...
>            9 (primitive-load "/gnu/store/80k8kz7qk9palbn0ccw7y3fgym8&")
> In guix/ui.scm:
>    1257:8  8 (run-guix-command _ . _)
> In srfi/srfi-1.scm:
>     640:9  7 (for-each #<procedure 183c060 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
>     982:4  6 (run-checkers _ _)
> In srfi/srfi-1.scm:
>     640:9  5 (for-each #<procedure 1f252a0 at guix/scripts/lint.scm&> &)
> In guix/scripts/lint.scm:
>     805:4  4 (check-vulnerabilities _)
>     800:9  3 (_ _)
> In unknown file:
>            2 (force #<promise #<procedure 7f1db4d41f88 at guix/scrip&>)
> In guix/scripts/lint.scm:
>    789:24  1 (_)
> In ice-9/boot-9.scm:
>     837:9  0 (catch srfi-34 #<procedure 7f1db4d4d3a8 at guix/script&> &)
>
> ice-9/boot-9.scm:837:9: In procedure catch:
> ice-9/boot-9.scm:837:9: Throw to key `gnutls-error' with args 
> `(#<gnutls-error-enum Error while reading file.> 
> set-certificate-credentials-x509-trust-file!)'.

So the problem here is that $SSL_CERT_DIR or $SSL_CERT_FILE is
unreadable for some reason.  Could you ‘strace’ it to see exactly which
file cannot be opened and why?

However, I cannot reproduce it with current master:

--8<---------------cut here---------------start------------->8---
$ rm -rf ~/.cache/guix/cve
$ SSL_CERT_FILE=/sdfsfd SSL_CERT_DIR=/sdfs  guix lint emacs
gnu/packages/emacs.scm:99:2: address@hidden: TLS certificate error: ERROR: 
X.509 certificate of 'www.gnu.org' could not be verified:
  signer-not-found
  invalid


guix lint: warning: TLS certificate error: ERROR: X.509 certificate of 
'static.nvd.nist.gov' could not be verified:
  signer-not-found
  invalid

guix lint: warning: assuming no CVE vulnerabilities
--8<---------------cut here---------------end--------------->8---

This is the same story for the other ones.

Essentially, this code from (guix build download):

  (define (make-credendials-with-ca-trust-files directory)
    "Return certificate credentials with X.509 authority certificates read from
  DIRECTORY.  Those authority certificates are checked when
  'peer-certificate-status' is later called."
    (let ((cred  (make-certificate-credentials))
          (files (or (scandir directory
                              (lambda (file)
                                (string-suffix? ".pem" file)))
                     '())))
      (for-each (lambda (file)
                  (let ((file (string-append directory "/" file)))
                    ;; Protect against dangling symlinks.
                    (when (file-exists? file)
                      (set-certificate-credentials-x509-trust-file!
                       cred file
                       x509-certificate-format/pem))))
                (or files '()))
      cred))

seems to select a FILE that passes ‘file-exists?’ but that cannot be
read by ‘set-certificate-credentials-x509-trust-file!’.  I think that
can happen with unreadable files (EPERM), though I can’t reproduce it.

The ‘strace’ output should help us figure out what’s going on.

Thanks,
Ludo’.
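An added shell check, written for this archive page and not part of the thread or of Guix itself, that separates the two cases the message above distinguishes: a dangling symlink, which the quoted Guile code already skips via ‘file-exists?’, and an entry that exists but cannot be read by the current user, which passes that check and only fails once gnutls opens it. It scans a directory for names ending in ".pem" the way the quoted code does, reports each problem entry, and builds a constructed fixture directory (the file names and contents are made up for the demonstration) so the behaviour can be observed without touching a real /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not code from the bug-guix thread or from Guix.
# Lists the .pem entries in a certificate directory that gnutls would
# fail to load, distinguishing "does not exist" from "exists but unreadable".

# Print one line per problematic .pem entry in DIR:
#   DANGLING <path>    symlink whose target does not exist (file-exists? is false)
#   UNREADABLE <path>  entry exists but this user cannot read it (file-exists? is true)
# Returns 0 when every .pem entry is readable, 1 otherwise.
check_cert_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*.pem; do
        # Skip the unexpanded glob when the directory holds no .pem entries.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "DANGLING $f"
            bad=1
        elif [ ! -r "$f" ]; then
            echo "UNREADABLE $f"
            bad=1
        fi
    done
    return $bad
}

# Number of problematic .pem entries in DIR (convenient for scripting).
count_bad_pems() {
    check_cert_dir "$1" | wc -l | tr -d ' '
}

# Build a constructed fixture directory with one readable cert, one dangling
# symlink and one mode-000 file. The PEM bodies are placeholders, not real
# certificates; only the file system conditions matter here. Prints the path.
make_fixture() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nZm9v\n-----END CERTIFICATE-----\n' > "$dir/good.pem"
    ln -s "$dir/missing-target.pem" "$dir/dangling.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nYmFy\n-----END CERTIFICATE-----\n' > "$dir/secret.pem"
    chmod 000 "$dir/secret.pem"
    echo "$dir"
}

# Usage: `sh check-certs.sh --demo` runs against the fixture; otherwise point
# check_cert_dir at "${SSL_CERT_DIR:-/etc/ssl/certs}" on the affected system.
if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture)
    check_cert_dir "$fixture"
    echo "exit status: $?"
    rm -rf "$fixture"
fi
```

Running it as root changes one result: root reads a mode-000 file regardless, so only the dangling entry is reported, which is itself a reminder that a readability problem seen by an unprivileged user will not reproduce from a root shell or from the build daemon.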
