Re: root certificate
Hi Chris,
Chris Marusich writes:
> Mark H Weaver writes:
>
>>;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
>>;; similar.)
>>(chdir (string-append %output "/etc/ssl/certs"))
>>(invoke (string-append perl "/bin/perl")
>>(string-append openssl "/bin/c_rehash")
>>".")
>
> I didn't know about c_rehash until now. Interesting! In the past, I've
> defined my own certificate packages as described in my own separate
> replies to this thread, and they worked even though I didn't invoke
> c_rehash. Could this simply have been because the software I use
> happens to work even when the symlinks created by c_rehash don't exist?
According to the c_rehash man page, "many programs that use OpenSSL
require directories to be set up like this in order to find
certificates." I'm not sure, but I guess that programs based on GnuTLS
do not need the symlinks.
> It looks like the ca-certificate-bundle profile hook (defined in
> guix/profiles.scm) doesn't currently invoke c_rehash. Should it?
If I understand correctly, as long as each certificate package runs
'c_rehash' individually, then running 'c_rehash' during the profile hook
should have no effect, because all of the certificates will already have
their associated hash symlinks installed.
Regards,
Mark
Re: root certificate
Mark H Weaver writes:
>;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
>;; similar.)
>(chdir (string-append %output "/etc/ssl/certs"))
>(invoke (string-append perl "/bin/perl")
>(string-append openssl "/bin/c_rehash")
>".")
I didn't know about c_rehash until now. Interesting! In the past, I've
defined my own certificate packages as described in my own separate
replies to this thread, and they worked even though I didn't invoke
c_rehash. Could this simply have been because the software I use
happens to work even when the symlinks created by c_rehash don't exist?
It looks like the ca-certificate-bundle profile hook (defined in
guix/profiles.scm) doesn't currently invoke c_rehash. Should it?
--
Chris
signature.asc
Description: PGP signature
Re: root certificate
Mark H Weaver writes: > Something like this (untested): > > (define-public my-root-cert > (package > (name "my-root-cert") > (version "0") > (source #f) > (build-system trivial-build-system) > (arguments > '(#:modules ((guix build utils)) >#:builder >(begin > (use-modules (guix build utils)) > (let ((root (assoc-ref %build-inputs "my-root-cert.pem")) Sorry, that 'root' in the line above should be 'cert'. Mark
Re: root certificate
Hi Divan,
Divan Santana writes:
> How does one import a root certificate for GuixSD?
>
> I didn't see it in the manual.
You didn't see it because we don't yet have a polished way to do this,
unfortunately. The good news is that we've already laid the groundwork
for supporting local certificate stores.
Our 'le-certs' package in gnu/packages/certs.scm is a good template for
making custom certificate packages, and can be easily adapted to your
needs.
For now, you could simply make a copy of the 'le-certs' package, but
with a different package name and different certificate inputs.
Something like this (untested):
--8<---cut here---start->8---
(define-public my-root-cert
(package
(name "my-root-cert")
(version "0")
(source #f)
(build-system trivial-build-system)
(arguments
'(#:modules ((guix build utils))
#:builder
(begin
(use-modules (guix build utils))
(let ((root (assoc-ref %build-inputs "my-root-cert.pem"))
(out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
(openssl (assoc-ref %build-inputs "openssl"))
(perl (assoc-ref %build-inputs "perl")))
(mkdir-p out)
(copy-file cert (string-append out "/" (strip-store-file-name cert)))
;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
;; similar.)
(chdir (string-append %output "/etc/ssl/certs"))
(invoke (string-append perl "/bin/perl")
(string-append openssl "/bin/c_rehash")
".")
(native-inputs
`(("openssl" ,openssl)
("perl" ,perl))) ;for 'c_rehash'
(inputs
`(("my-root-cert.pem"
,(origin
(method url-fetch)
(uri "https://example.com/certs/my-root-cert.pem";)
(sha256
(base32
""))
(home-page "https://example.com/certs/my-root-cert.pem";)
(synopsis "My self-signed root certificate")
(description "This package provides my self-signed root certificate.")
(license license:public-domain)))
--8<---cut here---end--->8---
and then you would need to add this package to the 'packages' field of
your OS configuration, and reconfigure your system.
However, it would be good to provide a way to more easily create custom
certificate packages from a set of .pem files, perhaps by changing the
above package definition into a procedure that accepts a list of root
certificates and dynamically creates a certificate package. If you'd
like to work on this, I'd be glad to discuss it further.
Regards,
Mark
Re: root certificate
Hi Divan,
Divan Santana writes:
> Joshua Branson writes:
>
>> Divan Santana writes:
>>
>>> Hi Guix :)
>>>
>>> How does one import a root certificate for GuixSD?
>>
>> This probably isn't helpful, but what is a root certificate?
>
> https://en.wikipedia.org/wiki/Root_certificate
>
> In cryptography and computer security, a root certificate is a public
> key certificate that identifies a root certificate authority (CA).[1]
> Root certificates are self-signed and form the basis of an X.509-based
> public key infrastructure (PKI).
>
> So in my case, I have a root CA certificate for our organisition and
> many internal sites have a certificate issued from this CA.
I intended to write a blog post about this very subject for the Guix
blog, but I haven't gotten around to it yet. In short, to do what you
want, you can create package definitions like the following, and then
add them to the "packages" field of your operating system declaration:
--8<---cut here---start->8---
(define-module (my packages)
#:use-module (guix packages)
#:use-module (guix licenses)
#:use-module (guix build-system trivial)
#:use-module (guix gexp))
;; This example aggregates many certificates from a local directory, but
;; the same principle could be used to aggregate certificates from, say,
;; a remote Git repository that your company maintains.
(define-public my-ca-certificates
(package
(name "my-ca-certificates")
(version "1")
(source (local-file "/path/to/directory/containing/my/certs"
#:recursive? #t))
(home-page "https://www.example.com";)
(license agpl3+)
(build-system trivial-build-system)
(arguments
`(#:modules
((guix build utils))
#:builder
(begin
(use-modules (guix build utils)
(srfi srfi-1)
(srfi srfi-26)
(ice-9 ftw))
(let* ((ca-certificates (assoc-ref %build-inputs "source"))
(crt-suffix ".crt")
(is-certificate? (cut string-suffix? crt-suffix <>))
(certificates (filter is-certificate?
(scandir ca-certificates)))
(out (assoc-ref %outputs "out"))
(certificate-directory (string-append out
"/etc/ssl/certs"))
(openssl (string-append (assoc-ref %build-inputs
"openssl")
"/bin/openssl")))
(mkdir-p certificate-directory)
;; When this package is installed into a profile, any files in the
;; package output's etc/ssl/certs directory ending in ".pem" will
;; also be put into a ca-certificates.crt bundle. In the case of a
;; system profile, this bundle will be made available to the system
;; at activation time. See the profile hooks defined in (guix
;; profiles) and the etc-service-type define in (gnu services) for
;; details.
(for-each
;; Ensure the certificate is in an appropriate format.
(lambda (certificate)
(invoke
openssl "x509"
"-in" (string-append ca-certificates "/" certificate)
"-outform" "PEM"
"-out" (string-append
certificate-directory "/"
(basename certificate crt-suffix) ".pem")))
certificates)
#t
(inputs
`(("openssl" ,openssl)))
(synopsis "My certificate authority certificates")
(description synopsis)))
(define-public my-ca-certificate
(package
(name "my-ca-certificate")
(version "1")
;; You might also be able to set the source to #f and just embed the
;; certificate directly into the builder below.
(source (plain-file (string-append name ".pem") "\
-BEGIN CERTIFICATE-
Put your cert here.
-END CERTIFICATE-
"))
(home-page "https://www.example.com";)
(license agpl3+)
(build-system trivial-build-system)
(arguments
`(#:modules
((guix build utils))
#:builder
(begin
(use-modules (guix build utils))
(let* ((my-certificate (assoc-ref %build-inputs "source"))
(out (assoc-ref %outputs "out"))
(cert-dir (string-append out "/etc/ssl/certs")))
(mkdir-p cert-dir)
(copy-file my-certificate (string-append cert-dir "/" ,name ".pem"))
#t
(synopsis "My certificate authority certificate")
(description synopsis)))
--8<---cut here---end--->8---
When you add a package like the above to your operating system
declaration's "packages" field and reconfigure your system, you will
install the certificates system-wide.
In GuixSD, when you build a new system generation, there is a profile
hook that essentially collects all the certificates that you
Re: root certificate
I would look at the nss-certs package and make a package definition using nss-certs as a template or even inheriting from it. I have now had a quick look at nss-certs and it is too complex for me to change without sitting down with it for a while. So I think I would then go on to use the simple build system or what it is called. Because what you need is basically copy a file to somewhere your browsers can see it? To learn those paths I'd still look at nss-certs. I see (let ((certsdir (string-append %output "/etc/ssl/certs/")) in there. That's probably your path. To use this definition with guix: put it in for example /home/username/guix-modules/certs.scm and then add this directory to your $GUIX_PACKAGE_PATH. I do the following in my .profile export GUIX_PACKAGE_PATH="$HOME/guix-modules:$GUIX_PACKAGE_PATH" I'm traveling and so might not respond quickly. HTH Tonton pgpb2w8PVvSlP.pgp Description: OpenPGP digital signature
Re: root certificate
myg...@gmail.com writes: > On 06/11/2018 at 12:59 Joshua Branson writes: > >> Divan Santana writes: >> >>> Hi Guix :) >>> >>> How does one import a root certificate for GuixSD? >> >> This probably isn't helpful, but what is a root certificate? >> >>> >>> I didn't see it in the manual. >>> >>> (Hopefully I didn't miss it. I need to read up on using info within Emacs >>> better.) >>> -- >>> Divan > > Hello Divan, > > If you want to a bundle of standard CA certificates install "nss-certs". > It is probably already be installed as a system package since most of > the example GuixSd configs include it. But I have encountered at least > one situation where I needed to also install in as a user package, > e.g. 'guix package -i nss-certs'. > > For details please see ... > > (guix) Application Setup > > ... or ... > > https://www.gnu.org/software/guix/manual/guix.html So in my case, I have a root CA certificate for our organisition and many internal sites have a certificate issued from this CA. I want to import this self signed root CA so all sites with certs issued by this org CA is trusted OS wide. To do this on Arch one can: #+begin_src sh wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://http://fqdn/pub/org-ca.crt trust extract-compat #+end_src Debian Family #+begin_src sh mkdir /usr/share/ca-certificates/extra wget -O /usr/share/ca-certificates/extra/fnb-ca.crt http://http://fqdn/pub/org-ca.crt dpkg-reconfigure ca-certificates #+end_src I was hoping one could do the above within the system manifest file config.scm ? Else perhaps we do: wget -O /etc/ca-certificates/trust-source/anchors/fnb-ca.pem http://http://fqdn/pub/org-ca.crt trust extract-compat Doing a command like this would make most of the apps(curl/wget/browser) on the system trust these sites. -- Divan
Re: root certificate
Joshua Branson writes: > Divan Santana writes: > >> Hi Guix :) >> >> How does one import a root certificate for GuixSD? > > This probably isn't helpful, but what is a root certificate? https://en.wikipedia.org/wiki/Root_certificate In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA).[1] Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI). So in my case, I have a root CA certificate for our organisition and many internal sites have a certificate issued from this CA. >> I didn't see it in the manual. >> >> (Hopefully I didn't miss it. I need to read up on using info within Emacs >> better.) >> -- >> Divan -- Divan
Re: root certificate
On 06/11/2018 at 12:59 Joshua Branson writes: > Divan Santana writes: > >> Hi Guix :) >> >> How does one import a root certificate for GuixSD? > > This probably isn't helpful, but what is a root certificate? > >> >> I didn't see it in the manual. >> >> (Hopefully I didn't miss it. I need to read up on using info within Emacs >> better.) >> -- >> Divan Hello Divan, If you want to a bundle of standard CA certificates install "nss-certs". It is probably already be installed as a system package since most of the example GuixSd configs include it. But I have encountered at least one situation where I needed to also install in as a user package, e.g. 'guix package -i nss-certs'. For details please see ... (guix) Application Setup ... or ... https://www.gnu.org/software/guix/manual/guix.html HTH - George
Re: root certificate
Divan Santana writes: > Hi Guix :) > > How does one import a root certificate for GuixSD? This probably isn't helpful, but what is a root certificate? > > I didn't see it in the manual. > > (Hopefully I didn't miss it. I need to read up on using info within Emacs > better.) > -- > Divan
