gnu: Remove unneeded uses of 'libiconv'.
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017, 2021 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.

;; Package definitions for bundles of X.509 CA certificates and the small
;; tools used to build them.  Every certificate source in this file is pinned
;; by a fixed URL or commit together with a sha256, so a changed download
;; fails the build instead of silently altering the resulting trust store.
(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix utils)              ;cc-for-target (certdata2pem)
  #:use-module (guix download)           ;url-fetch
  #:use-module (guix git-download)       ;git-fetch, git-version, git-file-name
  #:use-module (guix build-system copy)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)            ;search-patches
  #:use-module (gnu packages curl)       ;'curl', input of desec-certbot-hook
  ;; NOTE(review): no binding from (gnu packages python) is referenced in
  ;; this file as shown; confirm it is unused before dropping it.
  #:use-module (gnu packages python)
  #:use-module (gnu packages perl)       ;'perl'
  #:use-module (gnu packages tls))       ;'openssl'
;; Certbot hook for the deSEC DNS provider: a shell script that answers the
;; ACME DNS-01 challenge.  Only 'hook.sh' is installed, after two path fixes.
(define-public desec-certbot-hook
  (let ((upstream-commit "68da7abc0793602fd336962a7e2348b57c5d6fd6")
        (revision "0"))
    (package
      (name "desec-certbot-hook")
      ;; No upstream release: the version is derived from the pinned commit.
      (version (git-version "0" revision upstream-commit))
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/desec-io/desec-certbot-hook")
               (commit upstream-commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "0qjqk6i85b1y7fgzcx74r4gn2i4dkjza34hkzp6kyn9hrb8f2gv2"))))
      (build-system copy-build-system)
      (inputs (list curl))
      (arguments
       `(#:install-plan
         ;; Only the hook script itself is installed, under etc/desec.
         '(("." "etc/desec" #:include ("hook.sh")))
         #:phases
         (modify-phases %standard-phases
           (add-after 'unpack 'patch-script
             (lambda* (#:key inputs #:allow-other-keys)
               (substitute* "hook.sh"
                 ;; Upstream reads its '.dedynauth' credentials file from
                 ;; $(pwd).  The installed script lives in the read-only
                 ;; store, so point it at /etc/desec instead, where the
                 ;; administrator can place that file.
                 (("\\$\\(pwd\\)") "/etc/desec")
                 ;; Refer to curl by its full store path so the script does
                 ;; not depend on PATH.  The pattern is unanchored: every
                 ;; occurrence of the substring "curl" in hook.sh is rewritten.
                 (("curl")
                  (string-append (assoc-ref inputs "curl") "/bin/curl"))))))))
      (home-page "https://desec.io")
      (synopsis "Certbot DNS challenge automatization for deSEC")
      (description "The deSEC can be used to obtain certificates with certbot
DNS ownership verification. With the help of this hook script, you can obtain
your Let's Encrypt certificate using certbot with authorization provided by the
DNS challenge mechanism, that is, you will not need a running web server or any
port forwarding to your local machine.")
      (license license:expat))))
;; Small C tool that splits Mozilla's 'certdata.txt' into one PEM file per
;; certificate.  Used as a native input by nss-certs below.
(define-public certdata2pem
  (let ((revision "1")                  ;not part of the version string today
        (commit "4c576f350f44186d439179f63d5be19f710a73f5"))
    (package
      (name "certdata2pem")
      (version "0.0.0")                 ;upstream has no releases
      (source
       (origin
         (method url-fetch)
         ;; A single C file, pinned to one commit of the sabotage tree and
         ;; verified against the hash below.
         (uri (string-append
               "https://raw.githubusercontent.com/sabotage-linux/sabotage/"
               commit "/KEEP/certdata2pem.c"))
         (sha256
          (base32 "1rywp29q4l1cs2baplkbcravxqs4kw2cys4yifhfznbc210pskq6"))))
      (build-system gnu-build-system)
      (arguments
       `(#:phases
         (modify-phases %standard-phases
           (delete 'configure)          ;no configure script
           (add-before 'build 'fix-extension
             ;; Emit ".pem" rather than ".crt" files; this is the suffix
             ;; nss-certs later collects with find-files.
             (lambda _
               (substitute* "certdata2pem.c"
                 (("\\.crt") ".pem"))))
           (replace 'build
             ;; No makefile: compile the single translation unit directly.
             (lambda _
               (invoke ,(cc-for-target) "certdata2pem.c"
                       "-o" "certdata2pem")))
           (delete 'check)              ;no test suite
           (replace 'install
             (lambda* (#:key outputs #:allow-other-keys)
               (install-file "certdata2pem"
                             (string-append (assoc-ref outputs "out")
                                            "/bin")))))))
      (home-page "https://github.com/sabotage-linux/")
      (synopsis "Utility to split TLS certificates data into multiple PEM files")
      (description "This is a C version of the certdata2pem Python utility
that was originally contributed to Debian.")
      (license license:isc))))
;; The Mozilla CA bundle, extracted from the NSS source tarball into
;; individual PEM files plus OpenSSL-style hash symlinks.
(define-public nss-certs
  (package
    (name "nss-certs")
    ;; XXX We used to refer to the nss package here, but that eventually caused
    ;; module cycles.  The source fields below are a copy of the corresponding
    ;; nss fields and must be kept in sync by hand.  Surely there's a better
    ;; way…?
    (version "3.71")
    (source
     (origin
       (method url-fetch)
       (uri (let ((underscored (string-join (string-split version #\.) "_")))
              (string-append
               "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
               "releases/NSS_" underscored "_RTM/src/"
               "nss-" version ".tar.gz")))
       (sha256
        (base32 "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r"))
       ;; Create nss.pc and nss-config.
       (patches (search-patches "nss-3.56-pkgconfig.patch"
                                "nss-getcwd-nonnull.patch"
                                "nss-increase-test-timeout.patch"))
       (modules '((guix build utils)))
       (snippet
        '(begin
           ;; Delete the bundled copy of these libraries.
           (delete-file-recursively "nss/lib/zlib")
           (delete-file-recursively "nss/lib/sqlite")))))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs (list certdata2pem openssl))
    (inputs '())
    (propagated-inputs '())
    (arguments
     ;; NOTE(review): nothing in the phase below appears to use
     ;; (rnrs io ports); confirm before removing it from #:modules.
     `(#:modules ((guix build gnu-build-system)
                  (guix build utils)
                  (rnrs io ports)
                  (srfi srfi-26))
       #:phases
       ;; Nothing is compiled: keep only the standard phases needed to unpack
       ;; the tarball, then add a single phase that extracts the certificates.
       (modify-phases
           (map (cut assq <> %standard-phases)
                '(set-paths install-locale unpack))
         (add-after 'unpack 'install
           (lambda* (#:key outputs #:allow-other-keys)
             (let ((certs-dir (string-append (assoc-ref outputs "out")
                                             "/etc/ssl/certs/")))
               (with-directory-excursion "nss/lib/ckfw/builtins/"
                 ;; Provide an empty blacklist when the source tree ships
                 ;; none (presumably certdata2pem reads it), so no extra
                 ;; exclusions apply beyond the trust data itself.
                 (unless (file-exists? "blacklist.txt")
                   (call-with-output-file "blacklist.txt" (const #t)))
                 ;; Split the certificate blob into one .pem file per CA.
                 (invoke "certdata2pem")
                 ;; Copy the resulting .pem files into the output.
                 (for-each (cut install-file <> certs-dir)
                           (find-files "." ".*\\.pem$")))
               ;; Create the subject-hash symlinks OpenSSL uses for lookup.
               (invoke "openssl" "rehash" certs-dir)))))))
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (license license:mpl2.0)))
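;; A minimal certificate store holding only the Let's Encrypt root and
;; intermediate certificates, with OpenSSL hash symlinks.  Each PEM file is a
;; pinned, hash-checked origin passed in as a labelled input.
(define-public le-certs
  (package
    (name "le-certs")
    (version "1")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((out (string-append (assoc-ref %outputs "out")
                                    "/etc/ssl/certs"))
                (openssl (assoc-ref %build-inputs "openssl"))
                ;; Input labels of the PEM files to install: root RSA, root
                ;; ECDSA, the active intermediates, the backup intermediates.
                (labels '("isrgrootx1.pem" "isrgrootx2.pem"
                          "letsencryptauthorityr3.pem"
                          "letsencryptauthoritye1.pem"
                          "letsencryptauthorityr4.pem"
                          "letsencryptauthoritye2.pem"))
                ;; Fail with a clear message if an input label is missing
                ;; rather than letting copy-file choke on #f.
                (certs (map (lambda (label)
                              (or (assoc-ref %build-inputs label)
                                  (error "le-certs: missing input" label)))
                            labels)))
           (mkdir-p out)
           ;; Install each file under its store file name minus the hash
           ;; prefix.  That name comes from the URL basename, not the input
           ;; label (e.g. "isrg-root-x2.pem" for the "isrgrootx2.pem" input).
           (for-each (lambda (cert)
                       (copy-file cert
                                  (string-append out "/"
                                                 (strip-store-file-name cert))))
                     certs)
           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar).  Use 'openssl rehash', as nss-certs does, instead of
           ;; the Perl 'c_rehash' script; this also drops the perl dependency.
           (invoke (string-append openssl "/bin/openssl") "rehash" out)))))
    (native-inputs (list openssl))      ;for 'openssl rehash'
    (inputs
     `(;; The Let's Encrypt root certificate, "ISRG Root X1".
       ("isrgrootx1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
           (sha256
            (base32 "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
       ;; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2".
       ;; Let's Encrypt describes it as "Active, limited availability".
       ("isrgrootx2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
           (sha256
            (base32 "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
       ;; "Let's Encrypt Authority R3", the active Let's Encrypt intermediate
       ;; RSA certificate.
       ("letsencryptauthorityr3.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
           (sha256
            (base32 "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
       ;; "Let's Encrypt Authority E1", the active Let's Encrypt intermediate
       ;; ECDSA certificate.
       ("letsencryptauthoritye1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
           (sha256
            (base32 "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
       ;; "Let's Encrypt Authority R4", the backup Let's Encrypt intermediate
       ;; RSA certificate.  It is meant for disaster recovery and will only be
       ;; used should Let's Encrypt lose the ability to issue with "Let's
       ;; Encrypt Authority R3".
       ("letsencryptauthorityr4.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
           (sha256
            (base32 "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
       ;; "Let's Encrypt Authority E2", the backup Let's Encrypt intermediate
       ;; ECDSA certificate.  It is meant for disaster recovery and will only
       ;; be used should Let's Encrypt lose the ability to issue with "Let's
       ;; Encrypt Authority E1".
       ("letsencryptauthoritye2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
           (sha256
            (base32 "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
    (home-page "https://letsencrypt.org/certificates/")
    (synopsis "Let's Encrypt root and intermediate certificates")
    (description "This package provides a certificate store containing only the
Let's Encrypt root and intermediate certificates. It is intended to be used
within Guix.")
    (license license:public-domain)))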