Hi Maxim,

Maxim Cournoyer <[email protected]> writes:

> Hi everyone,
>
> I'm closing this, on the assumption that the original issue is no more:
> gnutls is now configured to use p11-kit by default, which itself is
> configured to use the nss-certs as a default trust store [0], [1].
>
> [0]  38e7132dcfd ("gnu: gnutls: Use p11-kit to provide the default.")
> [1]  2314a89ccc1 ("gnu: p11-kit: Add nss-certs to default trust path.")
>
> In practice, this means gnutls always has access to the nss-certs,
> unless a user went out of their way to configure p11-kit on their system
> to do otherwise.

I do not think this is true.  The original reproducer still does not
work, even with the two commits above included.

--8<---------------cut here---------------start------------->8---
$ guix describe
Generation 2    Mar 18 2026 22:28:15    (current)
  guix b2ec280
    repository URL: https://git.guix.gnu.org/guix.git
    branch: master
    commit: b2ec280cb702248730e7f705971faf170e59d00b
$ guix shell -CN guile guile-gnutls nss-certs -- guile -c '((@ (web client) http-get) "https://gnu.org")'
Backtrace:
In ice-9/boot-9.scm:
  1784:12  7 (with-exception-handler _ _ #:unwind? _ # _)
In unknown file:
           6 (apply-smob/0 #<thunk 7f7c604a4340>)
In ice-9/boot-9.scm:
    733:2  5 (call-with-prompt _ _ #<procedure default-prompt-handle…>)
In ice-9/eval.scm:
    619:8  4 (_ #(#(#<directory (guile-user) 7f7c604a7c80>)))
In ice-9/command-line.scm:
   187:19  3 (_ #<input: custom-port 7f7c6048e3f0>)
In unknown file:
           2 (eval ((@ (web client) http-get) "https://gnu.org") #<d…>)
In web/client.scm:
    573:0  1 (http-get "https://gnu.org" #:body _ # _ #:port #<unde…> …)
    283:6  0 (tls-wrap #<closed: file 7f7c6050ed20> _ # _)

web/client.scm:283:6: In procedure tls-wrap:
X.509 certificate of 'gnu.org' could not be verified:
  signer-not-found invalid
--8<---------------cut here---------------end--------------->8---

So this does not seem to be fixed just yet.

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.