authorLudovic Courtès <ludo@gnu.org>2018-09-18 23:19:18 +0200
committerLudovic Courtès <ludo@gnu.org>2018-09-18 23:23:44 +0200
commit20f8d73face564deec2f21130fb465c8c3d9a8e9 (patch)
treed8ecbaa43789b8775c559c297fa4abf10959a2f1
parent1d2b542d34ebec498d1424af81220a00ed0d6a24 (diff)
downloadguix-20f8d73face564deec2f21130fb465c8c3d9a8e9.tar.gz
pull: Use /etc/ssl/certs by default if it exists and is non-empty.
Previously, on machines where /etc/ssl/certs did exist, we'd have this:

  $ unset SSL_CERT_DIR
  $ unset SSL_CERT_FILE
  $ guix pull
  Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
  guix pull: error: Git error: the SSL certificate is invalid

This is because we'd let OpenSSL look for certificates in its default
location, which is an empty directory in its own prefix.

* guix/scripts/pull.scm (honor-x509-certificates): New procedure.
(guix-pull): Use it instead of calling 'honor-lets-encrypt-certificates!'.
-rw-r--r--guix/scripts/pull.scm19
1 files changed, 12 insertions, 7 deletions
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index 04c8ef672f..10e1a99e54 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -178,6 +178,17 @@ Download and deploy the latest version of Guix.\n"))
     (build-derivations store (list drv))
     (set-tls-certificate-locations! certs)))
 
+(define (honor-x509-certificates store)
+  "Use the right X.509 certificates for Git checkouts over HTTPS."
+  (let ((file      (getenv "SSL_CERT_FILE"))
+        (directory (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs")))
+    (if (or (and file (file-exists? file))
+            (and=> (stat directory #f)
+                   (lambda (st)
+                     (> (stat:nlink st) 2))))
+        (set-tls-certificate-locations! directory file)
+        (honor-lets-encrypt-certificates! store))))
+
 (define (report-git-error error)
   "Report the given Guile-Git error."
   ;; Prior to Guile-Git commit b6b2760c2fd6dfaa5c0fedb43eeaff06166b3134,
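Review bot: The non-empty test in honor-x509-certificates, `(> (stat:nlink st) 2)`, does not check what the commit title promises: a directory's link count, on the filesystems that maintain it at all, grows with subdirectories rather than with the certificate files and symlinks that a typical /etc/ssl/certs holds, so a directory containing only files still yields 2 and silently falls through to honor-lets-encrypt-certificates!, while on filesystems such as btrfs every directory reportedly reports 1. Listing the directory matches the intent better, e.g. replacing the and=> form with `(and=> (scandir directory (lambda (name) (not (member name '("." ".."))))) pair?)` (scandir is in (ice-9 ftw); check that it is imported here and confirm it returns #f for a missing directory on the supported Guile versions). A second gap: when SSL_CERT_FILE names a file that does not exist but the directory check passes, that nonexistent path is still handed to set-tls-certificate-locations!, which `(and file (file-exists? file) file)` in the binding of file would avoid. The rationale comment dropped in the second hunk (after `@@ -423,13 +434,7 @@`) is the only place that explained the fallback, so the docstring should carry it, e.g. "Fall back to the Let's Encrypt certificates, which Savannah is known to use, when no usable system certificates are found."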
@@ -423,13 +434,7 @@ Use '~/.config/guix/channels.scm' instead."))
                 (parameterize ((%graft? (assoc-ref opts 'graft?))
                                (%repository-cache-directory cache))
                   (set-build-options-from-command-line store opts)
-
-                  ;; When certificates are already installed, use them.
-                  ;; Otherwise, use the Let's Encrypt certificates, which we
-                  ;; know Savannah uses.
-                  (let ((certs (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs")))
-                    (unless (file-exists? certs)
-                      (honor-lets-encrypt-certificates! store)))
+                  (honor-x509-certificates store)
 
                   (let ((instances (latest-channel-instances store channels)))
                     (format (current-error-port)