From 20f8d73face564deec2f21130fb465c8c3d9a8e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Tue, 18 Sep 2018 23:19:18 +0200
Subject: pull: Use /etc/ssl/certs by default if it exists and is non-empty.
Previously, on machines where /etc/ssl/certs did exist, we'd have this:
$ unset SSL_CERT_DIR
$ unset SSL_CERT_FILE
$ guix pull
Updating channel 'guix' from Git repository at 'https://git.savannah.gnu.org/git/guix.git'...
guix pull: error: Git error: the SSL certificate is invalid
This is because we'd let OpenSSL look for certificates in its default location, which is an empty directory in its own prefix.
* guix/scripts/pull.scm (honor-x509-certificates): New procedure.
(guix-pull): Use it instead of calling 'honor-lets-encrypt-certificates!'.
---
 guix/scripts/pull.scm | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index 04c8ef672f..10e1a99e54 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -178,6 +178,17 @@ Download and deploy the latest version of Guix.\n"))
 (build-derivations store (list drv))
 (set-tls-certificate-locations! certs)))
 
+(define (honor-x509-certificates store)
+ "Use the right X.509 certificates for Git checkouts over HTTPS."
+ (let ((file (getenv "SSL_CERT_FILE"))
+ (directory (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs")))
+ (if (or (and file (file-exists? file))
+ (and=> (stat directory #f)
+ (lambda (st)
+ (> (stat:nlink st) 2))))
+ (set-tls-certificate-locations! directory file)
+ (honor-lets-encrypt-certificates! store))))
+
 (define (report-git-error error)
 "Report the given Guile-Git error."
 ;; Prior to Guile-Git commit b6b2760c2fd6dfaa5c0fedb43eeaff06166b3134,
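Review bot: The non-empty test on the new `(> (stat:nlink st) 2)` line does not implement what the commit title promises: a directory's link count grows with its subdirectories, not its files, so a /etc/ssl/certs that holds only .pem files and symlinks (the usual layout for a CA bundle directory) reports nlink 2 on ext4-style filesystems, and btrfs reports 1 for every directory as far as I know. In both cases honor-x509-certificates silently falls back to honor-lets-encrypt-certificates!, so the trust store installed on exactly the systems this commit targets is still ignored and the Git connection is validated against a single CA chain the user did not choose. A more reliable check is to look for at least one entry other than "." and ".." with opendir/readdir, which are Guile builtins and need no new import. Separately, when only SSL_CERT_FILE is set and valid, the default "/etc/ssl/certs" is still handed to set-tls-certificate-locations! even if it does not exist; that is fine only if the procedure, defined outside this hunk, tolerates a missing directory.
```scheme
(define (non-empty-directory? directory)
  ;; #t when DIRECTORY can be opened and holds an entry other than "." and "..".
  (let ((dir (false-if-exception (opendir directory))))
    (and dir
         (let loop ()
           (let ((entry (readdir dir)))
             (cond ((eof-object? entry) (closedir dir) #f)
                   ((member entry '("." "..")) (loop))
                   (else (closedir dir) #t)))))))

(define (honor-x509-certificates store)
  ;; … unchanged: docstring and the FILE/DIRECTORY bindings …
    (if (or (and file (file-exists? file))
            (non-empty-directory? directory))
  ;; … unchanged: set-tls-certificate-locations! / honor-lets-encrypt-certificates! branches …
```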
@@ -423,13 +434,7 @@ Use '~/.config/guix/channels.scm' instead."))
 (parameterize ((%graft? (assoc-ref opts 'graft?))
 (%repository-cache-directory cache))
 (set-build-options-from-command-line store opts)
-
- ;; When certificates are already installed, use them.
- ;; Otherwise, use the Let's Encrypt certificates, which we
- ;; know Savannah uses.
- (let ((certs (or (getenv "SSL_CERT_DIR") "/etc/ssl/certs")))
- (unless (file-exists? certs)
- (honor-lets-encrypt-certificates! store)))
+ (honor-x509-certificates store)
 
 (let ((instances (latest-channel-instances store channels)))
 (format (current-error-port)
-- 
cgit v1.2.3
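Review bot: The rationale comment removed here (`;; When certificates are already installed, use them.` / `;; Otherwise, use the Let's Encrypt certificates, which we know Savannah uses.`) is not carried over into honor-x509-certificates, whose docstring only says "use the right certificates", so a reader of the new call site no longer learns why Let's Encrypt is the fallback or that the fallback is specific to Savannah. Keep a one-line comment above the call, e.g. `;; Prefer the certificates installed on this system; fall back to Let's Encrypt's, which Savannah uses.`, or fold the same sentence into the new procedure's docstring. guix-pull's body starts and ends outside this hunk.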