bug#61557: vdirsyncer fails to verify certificates

help-debbugs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#61557: vdirsyncer fails to verify certificates

From:	Ethan Blanton
Subject:	bug#61557: vdirsyncer fails to verify certificates
Date:	Thu, 16 Feb 2023 15:29:23 -0500

Package: vdirsyncer
Version: 0.19.0

I am using Guix on a foreign distro of Debian GNU/Linux 11 (bullseye).

I have the following manifest installed in particular profile:

(specifications->manifest
 (list "go"
       "sbcl"
       "khal"
       "mutt"
       "nss-certs"
       "protobuf"
       "vdirsyncer"))

Since vdirsyncer updated to 0.19.0, I cannot sync with any remote host
using CalDAV or HTTPS iCalendar files.  This is reproducible with my
private servers, Microsoft Outlook 365 calendars, Google Calendars,
and others.  I have moset recently verified it with Guix 312f1f4 and a
vdirsyncer producing
/gnu/store/9aa2bj3likla61zqbsim1a1c99k3jk93-vdirsyncer-0.19.0 (I don't
know how to give a more precise or useful install, please let me know
if I should, and how I would), but I have narrowed the breaking change
down to Guix revision f635f725778f86abaa77f674f8f670f74bffd7be.
Revision ed18b697c4783f139e23731f5bd0b0ed197997bb, which is vdirsyncer
0.18.0, works as expected.

The lightly redacted error that vdirsyncer produces is:

error: Unknown error occurred for [config entry]/calendarname: Cannot connect 
to host cloud.kb8ojh.net:443 ssl:True [SSLCertVerificationError: (1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local 
issuer certificate
(_ssl.c:1129)')]

An example configuration that causes this is:

[storage samplecalendar_public]
type = "http"
url = 
"https://calendar.google.com/calendar/ical/[redacted]group.calendar.google.com/public/basic.ics";

[storage localcalendar_public]
type = "filesystem"
path = "~/.calendars/public"
fileext = ".ics"

[pair public_calendar]
a = "samplecalendar_public"
b = "localcalendar public"
collections = [ "from a" ]

It appears that the root cause is in Python aiohttp, as starting the
python3 interpreter invoked by the vdirsyncer binary in the installed
profile with the GUIX_PYTHONPATH provided, then attempting to fetch an
HTTPS URL using aiohttp, will fail with an SSL error.  I cannot tell
if the root configuration problem is in vdirsyncer and its
dependencies or in aiohttp, so I am reporting it against vdirsyncer,
which I can confirm is broken.

I have tried installing various certificate packages and other
packages that seemed like they might be related (such as nss-certs,
nss itself, gnutls, etc.), but not found anything that seemed to
resolve the issue.

This bug that I have reported upstream is related, but I think the
problem is with the Guix packaging and/or dependencies, not with
vdirsyncer itself:

https://github.com/pimutils/vdirsyncer/issues/1034

Ethan

[Prev in Thread]

Current Thread

[Next in Thread]

bug#61557: vdirsyncer fails to verify certificates, Ethan Blanton <=
- bug#61557: bug database indexing problem for bug #61557, Ethan Blanton, 2023/02/24
  - Re: bug#61557: bug database indexing problem for bug #61557, Michael Albinus, 2023/02/25

Prev by Date: bug#61216: Disabling unprivileged BPF by default in our kernels
Next by Date: Multiple mails sent to address@hidden but no response
Previous by thread: bug#61216: Disabling unprivileged BPF by default in our kernels
Next by thread: bug#61557: bug database indexing problem for bug #61557
Index(es):
- Date
- Thread