Closed braunse closed 1 month ago
Can you try the following to see if it's from certificates in Dexador?
$ ros -s dexador -e '(print (nth-value 1 (dex:get "https://dist.ultralisp.org/")))'
Thank you for the quick answer. I looked a little deeper into it and found that it is actually related to the certificate bundle in Dexador. I was able to fix it by symlinking ~/.roswell/lisp/quicklisp/dists/quicklisp/software/dexador-20231021-git/certs/cacert.pem to the system-wide certificate bundle /etc/ssl/ca-bundle.pem.
When I undo this fix, I indeed get the same error:
$ ros -s dexador -e '(print (nth-value 1 (dex:get "https://dist.ultralisp.org")))'
debugger invoked on a CL+SSL::SSL-ERROR-SSL in thread
#<THREAD tid=3133 "main thread" RUNNING {10014A0003}>:
A failure in the SSL library occurred on handle #.(SB-SYS:INT-SAP #X0142A920) (SSL_get_error: 1). ERR_print_errors(): 1:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1268:
SSL_get_verify_result: 10 X509_V_ERR_CERT_HAS_EXPIRED
Type HELP for debugger help, or (SB-EXT:EXIT) to exit from SBCL.
restarts (invokable by number or by possibly-abbreviated name):
0: [RETRY-REQUEST ] Retry the same request.
1: [RETRY-INSECURE] Retry the same request without checking for SSL certificate validity.
2: [CONTINUE ] Ignore runtime option --eval "(ros:run '((:eval\"(ros:quicklisp)\")(:system \"dexador\")(:eval \"(print (nth-value 1 (dex:get \\\"https://dist.ultralisp.org\\\")))\")(:hook)(:quit)))".
3: [ABORT ] Skip rest of --eval and --load options.
4: Skip to toplevel READ/EVAL/PRINT loop.
5: [EXIT ] Exit SBCL (calling #'EXIT, killing the process).
(CL+SSL::SSL-SIGNAL-ERROR #.(SB-SYS:INT-SAP #X0142A920) #<FUNCTION CL+SSL::SSL-CONNECT> 1 -1)
source: (ERROR
(CASE ERROR-CODE
("#.+SSL-ERROR-NONE+" 'SSL-ERROR-NONE)
("#.+SSL-ERROR-SSL+" 'SSL-ERROR-SSL)
("#.+SSL-ERROR-WANT-READ+" 'SSL-ERROR-WANT-READ)
("#.+SSL-ERROR-WANT-WRITE+" 'SSL-ERROR-WANT-WRITE)
("#.+SSL-ERROR-WANT-X509-LOOKUP+" 'SSL-ERROR-WANT-X509-LOOKUP)
("#.+SSL-ERROR-ZERO-RETURN+" 'SSL-ERROR-ZERO-RETURN)
("#.+SSL-ERROR-WANT-CONNECT+" 'SSL-ERROR-WANT-CONNECT)
("#.+SSL-ERROR-SYSCALL+" 'SSL-ERROR-ZERO-RETURN)
(T 'SSL-ERROR/HANDLE))
:HANDLE HANDLE :RET ERROR-CODE :PRINTED-QUEUE PRINTED-QUEUE :QUEUE
QUEUE)
0] 5
I would have expected Qlot and/or Dexador to default to the system-wide certificate store, and to honor the $SSL_CERT_DIR and $SSL_CERT_FILE environment variables. Is there any switch or configuration knob to tell Qlot which certificates to trust? I did not see anything in the Qlot source, but I'm not familiar with it.
I would have expected Qlot and/or Dexador to default to the system-wide certificate store, and to honor the $SSL_CERT_DIR and $SSL_CERT_FILE environment variables.
Hmm. Apparently it does. Looks like removing ~/.roswell/lisp/quicklisp/dists/quicklisp/software/dexador-20231021-git/certs/cacert.pem makes dexador fall back to the system cert store.
This was probably fixed in https://github.com/fukamachi/dexador/pull/179.
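One way to check a CA bundle such as the Dexador cacert.pem discussed above for certificates that have expired, as an added example that is not part of the original thread. It assumes the openssl CLI and awk are installed; the function name expiring_certs is made up for this example.

```shell
#!/bin/sh
# Added diagnostic, not code from Qlot or Dexador.
# expiring_certs BUNDLE [WINDOW_SECONDS]
# Prints one line (end date and subject) for every certificate in the PEM
# bundle that is expired or expires within WINDOW_SECONDS (default 0).
expiring_certs() {
    bundle=$1
    window=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate; comment lines that
    # sit between the PEM blocks are skipped.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    for pem in "$tmpdir"/cert-*.pem; do
        [ -e "$pem" ] || continue
        # -checkend exits non-zero when the certificate expires within
        # the window; a block that cannot be parsed is flagged as well.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            info=$(openssl x509 -in "$pem" -noout -enddate -subject 2>/dev/null | tr '\n' ' ')
            printf '%s\n' "${info:-unparseable certificate block}"
        fi
    done
    rm -rf "$tmpdir"
}

# Stand-alone use: pass the bundle path and an optional window in seconds.
if [ "$#" -gt 0 ]; then
    expiring_certs "$@"
fi
```

Running it on both the bundled cacert.pem and the system-wide bundle shows whether the two trust stores differ in expired entries.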
Describe the bug
When I try to use the Ultralisp dist in my qlfile, the qlot install command fails on my WSL2 system with the following error message:
I can access https://dist.ultralisp.org with curl with no issues, confirming that the certificate has not, in fact, expired:
Curl transcript
I have also verified that the system clock is set correctly.
The same error does not happen for me on a bare-metal installation of the same base operating system.
Reproducible steps
The following bash commands reproduce the failure on my system.
Error messages
Stack Trace
Versions:
ros install fukamachi/qlot
I can also reproduce the error with Qlot 1.5.0 installed from source with SBCL 2.4.1 installed from system packages.