
/etc/ssl/certs and the certificate bundle


From: Ludovic Courtès
Subject: /etc/ssl/certs and the certificate bundle
Date: Mon, 02 Mar 2015 23:12:40 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)

Mark H Weaver <address@hidden> writes:

> address@hidden (Ludovic Courtès) writes:
>
>> Mark H Weaver <address@hidden> writes:
>>
>>> No, it's not worse than it was before.  Sorry if I gave that impression.
>>> The only issue is that we might need to generate a single-file
>>> certificate bundle for now, because I haven't found a way to get 'git'
>>> to check certificates on GuixSD without a single-file cert bundle, at
>>> least not when curl is built with GnuTLS.
>>
>> It seems like adding this single-file bundle would be the simplest
>> short-term option.  How would we create that file exactly?
>
> The single-file bundle is just a concatenation of all the individual PEM
> data, starting with "-----BEGIN CERTIFICATE-----" and ending with
> "-----END CERTIFICATE-----", including those delimiters.
>
> The only caveat is that the individual PEM files are not required to
> have a newline after the "-----END CERTIFICATE-----", but in the
> single-file cert bundle, we must ensure that the newline is present.
> See <https://bugs.debian.org/635570>.

OK, I’ve implemented this for GuixSD in commit 993300f.  Thanks to you
and Andreas for your help.

> In order to support multiple packages containing CA certs, it would be
> good to handle creation of the single-file cert bundle in the profile
> generation code, analogous to our handling of info "dir" files.  This
> would allow us to create additional cert packages (e.g. one for
> CAcert.org).
>
> I think it belongs in the profile generation code for the benefit of
> users running Guix packages on top of another distro, where they might
> not have root access.  They can simply set GIT_SSL_CAINFO and
> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>
> What do you think?

It’s a good but as of yet unimplemented idea.

Although I now realize we could perhaps simply move the
‘certificate-bundle’ procedure to (guix profile), add the certificate
package to the system profile, and make /etc/ssl a symlink to
/run/current-system/profile/etc/ssl.

However there’s the complication that all the files of ‘nss-certs’ would
still be there in addition to the bundle.  Hmm.

Thoughts?

Ludo’.
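The bundle recipe Mark describes above (concatenate every PEM certificate block, delimiters included, and make sure each "-----END CERTIFICATE-----" is followed by a newline), as an added example in Python. This is not the Guix ‘certificate-bundle’ procedure from commit 993300f; the function names are this example's own, and the sample PEM inputs are constructed placeholders, not real certificates.

```python
"""Build a single-file CA certificate bundle from individual PEM files.

Added example (not the Guix 'certificate-bundle' procedure): it follows
the recipe from the thread -- concatenate every PEM certificate block,
delimiters included, and guarantee a newline after each
"-----END CERTIFICATE-----" (see https://bugs.debian.org/635570).
"""
import re
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Matches one complete PEM certificate block, delimiters included.
_BLOCK_RE = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)


def pem_blocks(text: str) -> list[str]:
    """Return every certificate block in TEXT, delimiters included.

    Text outside the delimiters (human-readable dumps, comments) is
    dropped, and each block is normalised to end with exactly one
    newline, which is what a concatenated bundle needs even when the
    source file has no trailing newline.
    """
    return [m.group(0).strip() + "\n" for m in _BLOCK_RE.finditer(text)]


def certificate_bundle(pem_texts) -> str:
    """Concatenate the certificate blocks of PEM_TEXTS into one bundle."""
    return "".join(block for text in pem_texts for block in pem_blocks(text))


def bundle_from_directory(directory, out_file) -> int:
    """Write a bundle of all *.pem files under DIRECTORY to OUT_FILE.

    Returns the number of certificates written.  Files are taken in
    sorted order so the result is reproducible.
    """
    texts = [p.read_text() for p in sorted(Path(directory).glob("*.pem"))]
    bundle = certificate_bundle(texts)
    Path(out_file).write_text(bundle)
    return bundle.count(BEGIN)


def bundle_is_well_formed(bundle: str) -> bool:
    """Check that BEGIN/END delimiters alternate, each on its own line,
    and that every END line ends with a newline.  A bundle where an END
    delimiter runs straight into the next BEGIN is what a PEM parser
    such as GnuTLS's may stop reading at, silently dropping CAs."""
    expect_begin = True
    for line in bundle.splitlines(keepends=True):
        bare = line.rstrip("\n")
        if bare == BEGIN:
            if not expect_begin:
                return False
            expect_begin = False
        elif bare == END:
            if expect_begin or not line.endswith("\n"):
                return False
            expect_begin = True
        elif BEGIN in line or END in line:
            return False  # delimiter fused with other text
    return expect_begin


# Constructed sample input (not real certificates): the second file has
# no trailing newline, the third carries a text preamble before the block.
SAMPLE_PEMS = [
    f"{BEGIN}\nAAAA\n{END}\n",
    f"{BEGIN}\nBBBB\n{END}",
    f"Issuer: Example CA (constructed)\n{BEGIN}\nCCCC\n{END}\n",
]

if __name__ == "__main__":
    good = certificate_bundle(SAMPLE_PEMS)
    naive = "".join(SAMPLE_PEMS)  # plain 'cat' of the files
    print(good, end="")
    print("built bundle well-formed:", bundle_is_well_formed(good))
    print("naive concatenation well-formed:", bundle_is_well_formed(naive))
```

A plain `cat *.pem > bundle.crt` fails the well-formedness check on this input because the second file's missing newline fuses its END delimiter with the next file's text; the bundle built by `certificate_bundle` passes. The resulting file is what one would point GIT_SSL_CAINFO or SSL_CERT_FILE at, as the thread suggests.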
