Hi,
Wiktor Żelazny <[email protected]> writes:
> On Thu, Sep 30, 2021 at 12:08:53PM +0200, Konrad Hinsen wrote:
>
>> guix environment --pure \
>> --ad-hoc python nss-certs -- \
>> python3 -c 'import urllib.request;
>> print(urllib.request.urlopen("http://wwwbis.sidc.be/DATA/uset/Wlight/2003/11/UPH20031109112104.FTS";))'
>>
>> but this doesn't work - same error as initially.
>
> Hi Konrad,
>
> For some reason, it works for me with
>
> --ad-hoc python nss-certs guix -- \
>
> . I’m neither sure if this is going to work on all machines (it works
> when isolated with
>
> guix environment -C -N
>
> , so there’s some hope), nor whether this solution is acceptable to you.
> Perhaps, it’s abusing Guix. Maybe somebody more knowledgeable will
> comment on this.
The key thing here is whether the certs are required by OpenSSL vs
GnuTLS. The former honors SSL_CERT_DIR, while the later does not (I
opened an issue because I think it'd be nice to have them both honor it
the same here: [0]). GnuTLS on Guix gets its certifications from the
hard coded location /etc/ssl/certs/. This need to be bound in the
container; on a Guix System, it's also not enough to simply pass
/etc/ssl/certs/ as is, as these are symlinks to the store; you must also
expose the store or bind the etc/ssl/certs/ directory of the nss-certs
package directly.
I hope that helps!
Maxim
[0] https://issues.guix.gnu.org/46779
