Web servers available over HTTPS (that is, HTTP over the transport-layer security mechanism, TLS) send client programs an X.509 certificate that the client can then use to authenticate the server. To do that, clients verify that the server’s certificate is signed by a so-called certificate authority (CA). But to verify the CA’s signature, clients must have first acquired the CA’s certificate.
Web browsers such as GNU IceCat include their own set of CA certificates, such that they are able to verify CA signatures out-of-the-box.
However, most other programs that can talk HTTPS—
w3m, etc.—need to be told where CA
certificates can be found.
In GuixSD, this is done by adding a package that provides certificates
packages field of the
(see operating-system Reference). GuixSD includes one such package,
nss-certs, which is a set of CA certificates provided as part of
Mozilla’s Network Security Services.
Note that it is not part of %base-packages, so you need to explicitly add it. The /etc/ssl/certs directory, which is where most applications and libraries look for certificates by default, points to the certificates installed globally.
Unprivileged users, including users of Guix on a foreign distro,
can also install their own certificate package in
their profile. A number of environment variables need to be defined so
that applications and libraries know where to find them. Namely, the
OpenSSL library honors the
variables. Some applications add their own environment variables; for
instance, the Git version control system honors the certificate bundle
pointed to by the
GIT_SSL_CAINFO environment variable. Thus, you
would typically run something like:
$ guix package -i nss-certs $ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs" $ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt" $ export GIT_SSL_CAINFO="$SSL_CERT_FILE"
As another example, R requires the
variable to point to a certificate bundle, so you would have to run
something like this:
$ guix package -i nss-certs $ export CURL_CA_BUNDLE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
For other applications you may want to look up the required environment variable in the relevant documentation.