Next: Name Service Switch, Previous: Setuid Programs, Up: System Configuration [Contents][Index]
Web servers available over HTTPS (that is, HTTP over the transport-layer security mechanism, TLS) send client programs an X.509 certificate that the client can then use to authenticate the server. To do that, clients verify that the server’s certificate is signed by a so-called certificate authority (CA). But to verify the CA’s signature, clients must have first acquired the CA’s certificate.
Web browsers such as GNU IceCat include their own set of CA certificates, such that they are able to verify CA signatures out-of-the-box.
However, most other programs that can talk HTTPS—wget, git, w3m, etc.—need to be told where CA certificates can be found.
In Guix, this is done by adding a package that provides certificates to the packages field of the operating-system declaration (see operating-system Reference). Guix includes one such package, nss-certs, which is a set of CA certificates provided as part of Mozilla’s Network Security Services.
Note that it is not part of %base-packages, so you need to explicitly add it. The /etc/ssl/certs directory, which is where most applications and libraries look for certificates by default, points to the certificates installed globally.
Unprivileged users, including users of Guix on a foreign distro, can also install their own certificate package in their profile. A number of environment variables need to be defined so that applications and libraries know where to find them. Namely, the OpenSSL library honors the SSL_CERT_DIR and SSL_CERT_FILE variables. Some applications add their own environment variables; for instance, the Git version control system honors the certificate bundle pointed to by the GIT_SSL_CAINFO environment variable. Thus, you would typically run something like:
guix install nss-certs
export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
export GIT_SSL_CAINFO="$SSL_CERT_FILE"
As another example, R requires the CURL_CA_BUNDLE environment variable to point to a certificate bundle, so you would have to run something like this:
guix install nss-certs
export CURL_CA_BUNDLE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
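The two export sequences above (OpenSSL and Git, then CURL_CA_BUNDLE for R) share one weakness when pasted into a shell rc file: if nss-certs has not actually been installed into the profile, the variables end up pointing at a path that does not exist and TLS verification fails in confusing ways. The following POSIX sh functions are an added example, not part of the Guix manual, that generate all four exports from a profile directory only after confirming the bundle is present and contains at least one PEM certificate. They assume the profile layout the manual describes (etc/ssl/certs/ca-certificates.crt under the profile); the make_fake_profile helper builds a throwaway profile with constructed placeholder certificates purely so the functions can be exercised offline.

```shell
# Count PEM certificate blocks in a bundle file. Prints 0 and fails when the
# file is missing or holds no certificates. This is a presence check only; it
# does not validate the certificates themselves.
count_ca_certs() {
    bundle="$1"
    [ -f "$bundle" ] || { echo 0; return 1; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle"
}

# Print the export lines for OpenSSL (SSL_CERT_DIR, SSL_CERT_FILE), Git
# (GIT_SSL_CAINFO) and curl-based tools such as R (CURL_CA_BUNDLE), all
# derived from one profile path. Produces no output and returns non-zero
# when the bundle is absent or empty, so `eval` of the result is a no-op
# rather than a set of dangling paths.
cert_env_exports() {
    profile="$1"
    certdir="$profile/etc/ssl/certs"
    bundle="$certdir/ca-certificates.crt"
    n=$(count_ca_certs "$bundle") || return 1
    [ "$n" -gt 0 ] || return 1
    printf 'export SSL_CERT_DIR="%s"\n' "$certdir"
    printf 'export SSL_CERT_FILE="%s"\n' "$bundle"
    printf 'export GIT_SSL_CAINFO="%s"\n' "$bundle"
    printf 'export CURL_CA_BUNDLE="%s"\n' "$bundle"
}

# Test helper: create a temporary profile whose bundle contains N constructed
# placeholder "certificates" (not real CA certificates; the body is filler so
# that only the BEGIN/END framing is meaningful). N=0 leaves the bundle absent.
make_fake_profile() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssl/certs"
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE' \
            '-----END CERTIFICATE-----' \
            >> "$dir/etc/ssl/certs/ca-certificates.crt"
        i=$((i + 1))
    done
    echo "$dir"
}

# Intended use from a shell rc file (assumed usage, $HOME/.guix-profile as in
# the manual):
#   eval "$(cert_env_exports "$HOME/.guix-profile")" || echo "no CA bundle in profile" >&2
```

Because the exports are printed rather than applied, the same function can feed `eval` in an interactive shell or be redirected into a file for other tools to source; either way nothing is exported unless the bundle really is there.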
For other applications you may want to look up the required environment variable in the relevant documentation.