bug#39615: LetsEncrypt root certificate hash changed
Tobias Geerinckx-Rice writes: > Christopher Baines 写道: >> However, while this change might avoid the problem with guix pull in >> the >> future, I still a bit stuck. I got this from a fresh install of Guix >> on >> the Overdrive machine I have (aarch64-linux). > > I guess I've found my purpose this week and it's ‘mirroring old shit’. > > This is not at all a solution, but you can ‘guix download’ the old > .pem files here[0] and hopefully be on your merry way. Awesome, I've managed to download them and guix pull no longer fails with that error which is great :) signature.asc Description: PGP signature
bug#39615: LetsEncrypt root certificate hash changed
Chris, Guix, Tobias Geerinckx-Rice via Bug reports for GNU Guix 写道: This is not at all a solution, but you can ‘guix download’ the old .pem files here[0] and hopefully be on your merry way. Actually: this shouldn't be necessary now, since I've copied these files to berlin (and created gcroots) which ought to serve them as substitutes. Kind regards, T G-R signature.asc Description: PGP signature
bug#39615: LetsEncrypt root certificate hash changed
Chris, Christopher Baines 写道: However, while this change might avoid the problem with guix pull in the future, I still a bit stuck. I got this from a fresh install of Guix on the Overdrive machine I have (aarch64-linux). I guess I've found my purpose this week and it's ‘mirroring old shit’. This is not at all a solution, but you can ‘guix download’ the old .pem files here[0] and hopefully be on your merry way. I'm hoping that I'll be able to install git and the Guix dependencies, download the repository, and then get a newer version of Guix that way, but I'm guessing this will still be a problem for other aarch64-linux machines unless there's a substitute out there somewhere. Indeed, and not just aarch64… Kind regards, T G-R [0]: https://www.tobias.gr/guix signature.asc Description: PGP signature
bug#39615: LetsEncrypt root certificate hash changed
Chris, Christopher Baines 写道: ~$ guix pull building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv... building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv... downloading from https://letsencrypt.org/certs/isrgrootx1.pem... -sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem: expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac actual hash: 1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92 Thanks! I ran into this issue myself and updated the hashes in 505b2631a9c35bbaa5ba6771ad4f646086f23cad. One'd assume this to be caused by a tweaked expiry date somewhere, but the ‘contents’ of both old and new PEM files is actually the same: Certificate: Data: Version: 3 (0x2) Serial Number: 82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1 Validity Not Before: Jun 4 11:04:38 2015 GMT Not After : Jun 4 11:04:38 2035 GMT Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c: 87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7: 75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86: 6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31: 9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff: 12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f: 7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2: 4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23: 53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74: b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c: fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e: cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25: 0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf: 10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4: 63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c: 76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10: e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02: 07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb: 0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4: 2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12: 1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47: 37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41: 29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40: 1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7: 12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f: 05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50: 13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30: d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b: 98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b: a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86: 3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d: 19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db: e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88: ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5: 33:43:4f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E Signature Algorithm: sha256WithRSAEncryption 55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08: ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73: 10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea: 17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86: 9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95: d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae: fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e: 8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33: 89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7: 4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33: 23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2: 6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d: 8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72: ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac: 28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c:
bug#39615: LetsEncrypt root certificate hash changed
~$ guix pull building /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv... building /gnu/store/dhlb62lpf1ggcrax62hm7l7rlcf5c4fi-letsencryptauthorityx3.pem.drv... downloading from https://letsencrypt.org/certs/isrgrootx1.pem... -sha256 hash mismatch for /gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem: expected hash: 0zycy85ff9ga53z1q03df89ka9iihb9p8bjhw056rq2y4rn3b6ac actual hash: 1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92 hash mismatch for store item '/gnu/store/ahiiz5x04rqr214sw840ifz0d3jzmnsb-isrgrootx1.pem' build of /gnu/store/1r2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv failed View build log at '/var/log/guix/drvs/1r/2cj292vvjvhbb92bri568p7dia7cp1-isrgrootx1.pem.drv.bz2'. cannot build derivation `/gnu/store/lv78345x77bv6103l9ssqkx4l3v7z0xj-le-certs-0.drv': 1 dependencies couldn't be built guix pull: error: build of `/gnu/store/lv78345x77bv6103l9ssqkx4l3v7z0xj-le-certs-0.drv' failed signature.asc Description: PGP signature