[jackhill/guix/guix.git] / gnu / packages / certs.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017, 2021 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix utils)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix build-system copy)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)
  #:use-module (gnu packages nss)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages python)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages tls))

(define-public desec-certbot-hook
  (let ((commit "68da7abc0793602fd336962a7e2348b57c5d6fd6")
        (revision "0"))
    (package
      (name "desec-certbot-hook")
      (version
       (git-version "0" revision commit))
      (source
       (origin
         (method git-fetch)
         (uri
          (git-reference
           (url "https://github.com/desec-io/desec-certbot-hook")
           (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "0qjqk6i85b1y7fgzcx74r4gn2i4dkjza34hkzp6kyn9hrb8f2gv2"))))
      (build-system copy-build-system)
      (arguments
       `(#:phases
         (modify-phases %standard-phases
           (add-after 'unpack 'patch-script
             (lambda* (#:key inputs #:allow-other-keys)
               (substitute* "hook.sh"
                 ;; The hook-script look for '.dedynauth' file in $PWD.
                 ;; But users cannot create or edit files in store.
                 ;; So we patch the hook-script to look for '.dedynauth' file,
                 ;; in /etc/desec.
                 (("\\$\\(pwd\\)")
                  "/etc/desec")
                 ;; Make absolute reference to curl program.
                 (("curl")
                  (string-append (assoc-ref inputs "curl")
                                 "/bin/curl"))))))
         #:install-plan
         '(("." "etc/desec" #:include ("hook.sh")))))
      (inputs
       (list curl))
      (synopsis "Certbot DNS challenge automatization for deSEC")
      (description "The deSEC can be used to obtain certificates with certbot
DNS ownership verification.  With the help of this hook script, you can obtain
your Let's Encrypt certificate using certbot with authorization provided by the
DNS challenge mechanism, that is, you will not need a running web server or any
port forwarding to your local machine.")
      (home-page "https://desec.io")
      (license license:expat))))

(define-public certdata2pem
  (let ((revision "1")
        (commit "4c576f350f44186d439179f63d5be19f710a73f5"))
    (package
      (name "certdata2pem")
      (version "0.0.0")                   ;no version
      (source (origin
                (method url-fetch)
                (uri (string-append
                      "https://raw.githubusercontent.com/sabotage-linux/sabotage/"
                      commit "/KEEP/certdata2pem.c"))
                (sha256
                 (base32
                  "1rywp29q4l1cs2baplkbcravxqs4kw2cys4yifhfznbc210pskq6"))))
      (build-system gnu-build-system)
      (arguments
       `(#:phases (modify-phases %standard-phases
                    (delete 'configure)
                    (add-before 'build 'fix-extension
                      (lambda _
                        (substitute* "certdata2pem.c"
                          (("\\.crt")
                           ".pem"))))
                    (replace 'build
                      (lambda _
                        (invoke ,(cc-for-target) "certdata2pem.c"
                                "-o" "certdata2pem")))
                    (delete 'check)     ;no test suite
                    (replace 'install
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let ((out (assoc-ref outputs "out")))
                          (install-file "certdata2pem"
                                        (string-append out "/bin"))))))))
      (home-page "https://github.com/sabotage-linux/")
      (synopsis "Utility to split TLS certificates data into multiple PEM files")
      (description "This is a C version of the certdata2pem Python utility
that was originally contributed to Debian.")
      (license license:isc))))

(define-public nss-certs
  (package
    (name "nss-certs")
    (version (package-version nss))
    (source (package-source nss))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     (list certdata2pem openssl))
    (inputs '())
    (propagated-inputs '())
    (arguments
     `(#:modules ((guix build gnu-build-system)
                  (guix build utils)
                  (rnrs io ports)
                  (srfi srfi-26))
       #:phases
       (modify-phases
           (map (cut assq <> %standard-phases)
                '(set-paths install-locale unpack))
         (add-after 'unpack 'install
           (lambda _
             (let ((certsdir (string-append %output "/etc/ssl/certs/")))
               (with-directory-excursion "nss/lib/ckfw/builtins/"
                 (unless (file-exists? "blacklist.txt")
                   (call-with-output-file "blacklist.txt" (const #t)))
                 ;; Extract selected single certificates from blob.
                 (invoke "certdata2pem")
                 ;; Copy .pem files into the output.
                 (for-each (cut install-file <> certsdir)
                           (find-files "." ".*\\.pem$")))
               (invoke "openssl" "rehash" certsdir)))))))
    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (license license:mpl2.0)))

(define-public le-certs
  (package
    (name "le-certs")
    (version "1")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
               (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
               (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
               (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
               (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
               (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           (for-each
             (lambda (cert)
               (copy-file cert (string-append out "/"
                                              (strip-store-file-name cert))))
             (list root-rsa root-ecdsa
                   intermediate-rsa intermediate-ecdsa
                   backup-rsa backup-ecdsa))

           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar.)
           (chdir (string-append %output "/etc/ssl/certs"))
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs
     (list openssl perl))                           ;for 'c_rehash'
    (inputs
     `(; The Let's Encrypt root certificate, "ISRG Root X1".
       ("isrgrootx1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
           (sha256
            (base32
             "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
      ; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2"
      ; Let's Encrypt describes it as "Active, limited availability"
      ("isrgrootx2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
           (sha256
            (base32
             "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
      ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
      ;; RSA certificate.
      ("letsencryptauthorityr3.pem"
       ,(origin
          (method url-fetch)
          (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
          (sha256
           (base32
            "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
      ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
      ;; ECDSA certificate.
      ("letsencryptauthoritye1.pem"
       ,(origin
          (method url-fetch)
          (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
          (sha256
           (base32
            "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
      ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
      ;; RSA certificate.  This will be used for disaster recovery and will only be
      ;; used should Let's Encrypt lose the ability to issue with "Let’s
      ;; Encrypt Authority R3".
      ("letsencryptauthorityr4.pem"
       ,(origin
          (method url-fetch)
          (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
          (sha256
           (base32
            "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
      ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
      ;; ECDSA certificate.  This will be used for disaster recovery and will
      ;; only be used should Let's Encrypt lose the ability to issue with "Let’s
      ;; Encrypt Authority E1".
      ("letsencryptauthoritye2.pem"
       ,(origin
          (method url-fetch)
          (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
          (sha256
           (base32
            "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
    (home-page "https://letsencrypt.org/certificates/")
    (synopsis "Let's Encrypt root and intermediate certificates")
    (description "This package provides a certificate store containing only the
Let's Encrypt root and intermediate certificates.  It is intended to be used
within Guix.")
    (license license:public-domain)))
Commit	Line	Data
cf053a4f AE	1	;;; GNU Guix --- Functional package management for GNU
cf053a4f AE	2	;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
41ce4601	3	;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
30cc14f1	4	;;; Copyright © 2016, 2017, 2021 Ludovic Courtès <ludo@gnu.org>
0a6bd107	5	;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
3c747a08	6	;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
18c38c18	7	;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
1001baa1	8	;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
acfa55a5	9	;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
cf053a4f AE	10	;;;
	11	;;; This file is part of GNU Guix.
	12	;;;
	13	;;; GNU Guix is free software; you can redistribute it and/or modify it
	14	;;; under the terms of the GNU General Public License as published by
	15	;;; the Free Software Foundation; either version 3 of the License, or (at
	16	;;; your option) any later version.
	17	;;;
	18	;;; GNU Guix is distributed in the hope that it will be useful, but
	19	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	20	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	21	;;; GNU General Public License for more details.
	22	;;;
	23	;;; You should have received a copy of the GNU General Public License
	24	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	25
	26	(define-module (gnu packages certs)
	27	#:use-module ((guix licenses) #:prefix license:)
	28	#:use-module (guix packages)
11a7bfbc	29	#:use-module (guix utils)
cf053a4f	30	#:use-module (guix download)
acfa55a5 RG	31	#:use-module (guix git-download)
acfa55a5 RG	32	#:use-module (guix build-system copy)
6e6e2414	33	#:use-module (guix build-system gnu)
cf053a4f AE	34	#:use-module (guix build-system trivial)
cf053a4f AE	35	#:use-module (gnu packages)
18c38c18	36	#:use-module (gnu packages nss)
acfa55a5	37	#:use-module (gnu packages curl)
cc2b77df	38	#:use-module (gnu packages python)
c643e6ca	39	#:use-module (gnu packages perl)
cc2b77df	40	#:use-module (gnu packages tls))
cf053a4f	41
acfa55a5 RG	42	(define-public desec-certbot-hook
	43	(let ((commit "68da7abc0793602fd336962a7e2348b57c5d6fd6")
	44	(revision "0"))
	45	(package
	46	(name "desec-certbot-hook")
	47	(version
	48	(git-version "0" revision commit))
	49	(source
	50	(origin
	51	(method git-fetch)
	52	(uri
	53	(git-reference
	54	(url "https://github.com/desec-io/desec-certbot-hook")
	55	(commit commit)))
	56	(file-name (git-file-name name version))
	57	(sha256
	58	(base32 "0qjqk6i85b1y7fgzcx74r4gn2i4dkjza34hkzp6kyn9hrb8f2gv2"))))
	59	(build-system copy-build-system)
	60	(arguments
	61	`(#:phases
	62	(modify-phases %standard-phases
	63	(add-after 'unpack 'patch-script
	64	(lambda* (#:key inputs #:allow-other-keys)
	65	(substitute* "hook.sh"
	66	;; The hook-script look for '.dedynauth' file in $PWD.
	67	;; But users cannot create or edit files in store.
	68	;; So we patch the hook-script to look for '.dedynauth' file,
	69	;; in /etc/desec.
	70	(("\\$\\(pwd\\)")
	71	"/etc/desec")
	72	;; Make absolute reference to curl program.
	73	(("curl")
	74	(string-append (assoc-ref inputs "curl")
	75	"/bin/curl"))))))
	76	#:install-plan
	77	'(("." "etc/desec" #:include ("hook.sh")))))
	78	(inputs
8394619b	79	(list curl))
acfa55a5 RG	80	(synopsis "Certbot DNS challenge automatization for deSEC")
	81	(description "The deSEC can be used to obtain certificates with certbot
	82	DNS ownership verification. With the help of this hook script, you can obtain
	83	your Let's Encrypt certificate using certbot with authorization provided by the
	84	DNS challenge mechanism, that is, you will not need a running web server or any
	85	port forwarding to your local machine.")
	86	(home-page "https://desec.io")
	87	(license license:expat))))
	88
30cc14f1	89	(define-public certdata2pem
9e804e38 MC	90	(let ((revision "1")
	91	(commit "4c576f350f44186d439179f63d5be19f710a73f5"))
	92	(package
	93	(name "certdata2pem")
	94	(version "0.0.0") ;no version
	95	(source (origin
	96	(method url-fetch)
	97	(uri (string-append
1001baa1	98	"https://raw.githubusercontent.com/sabotage-linux/sabotage/"
9e804e38 MC	99	commit "/KEEP/certdata2pem.c"))
	100	(sha256
	101	(base32
	102	"1rywp29q4l1cs2baplkbcravxqs4kw2cys4yifhfznbc210pskq6"))))
	103	(build-system gnu-build-system)
	104	(arguments
	105	`(#:phases (modify-phases %standard-phases
	106	(delete 'configure)
f87b9872 MO	107	(add-before 'build 'fix-extension
	108	(lambda _
	109	(substitute* "certdata2pem.c"
	110	(("\\.crt")
	111	".pem"))))
9e804e38 MC	112	(replace 'build
9e804e38 MC	113	(lambda _
11a7bfbc EF	114	(invoke ,(cc-for-target) "certdata2pem.c"
11a7bfbc EF	115	"-o" "certdata2pem")))
9e804e38 MC	116	(delete 'check) ;no test suite
	117	(replace 'install
	118	(lambda* (#:key outputs #:allow-other-keys)
	119	(let ((out (assoc-ref outputs "out")))
	120	(install-file "certdata2pem"
	121	(string-append out "/bin"))))))))
	122	(home-page "https://github.com/sabotage-linux/")
	123	(synopsis "Utility to split TLS certificates data into multiple PEM files")
	124	(description "This is a C version of the certdata2pem Python utility
	125	that was originally contributed to Debian.")
	126	(license license:isc))))
6e6e2414 AE	127
6e6e2414 AE	128	(define-public nss-certs
745ad37a	129	(package
6e6e2414	130	(name "nss-certs")
8f78f61c MC	131	(version (package-version nss))
8f78f61c MC	132	(source (package-source nss))
6e6e2414 AE	133	(build-system gnu-build-system)
	134	(outputs '("out"))
	135	(native-inputs
8394619b	136	(list certdata2pem openssl))
6e6e2414 AE	137	(inputs '())
	138	(propagated-inputs '())
	139	(arguments
	140	`(#:modules ((guix build gnu-build-system)
	141	(guix build utils)
41ce4601	142	(rnrs io ports)
9e804e38	143	(srfi srfi-26))
6e6e2414	144	#:phases
3c747a08 TGR	145	(modify-phases
	146	(map (cut assq <> %standard-phases)
	147	'(set-paths install-locale unpack))
	148	(add-after 'unpack 'install
6e6e2414	149	(lambda _
9e804e38	150	(let ((certsdir (string-append %output "/etc/ssl/certs/")))
79878c64	151	(with-directory-excursion "nss/lib/ckfw/builtins/"
9e804e38 MC	152	(unless (file-exists? "blacklist.txt")
	153	(call-with-output-file "blacklist.txt" (const #t)))
	154	;; Extract selected single certificates from blob.
	155	(invoke "certdata2pem")
287a8c90	156	;; Copy .pem files into the output.
9e804e38	157	(for-each (cut install-file <> certsdir)
287a8c90	158	(find-files "." ".*\\.pem$")))
9e804e38	159	(invoke "openssl" "rehash" certsdir)))))))
6e6e2414 AE	160	(synopsis "CA certificates from Mozilla")
6e6e2414 AE	161	(description
745ad37a RW	162	"This package provides certificates for Certification Authorities (CA)
	163	taken from the NSS package and thus ultimately from the Mozilla project.")
	164	(home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
	165	(license license:mpl2.0)))
0a6bd107 LF	166
	167	(define-public le-certs
	168	(package
	169	(name "le-certs")
15de49e6	170	(version "1")
0a6bd107 LF	171	(source #f)
	172	(build-system trivial-build-system)
	173	(arguments
	174	'(#:modules ((guix build utils))
	175	#:builder
	176	(begin
	177	(use-modules (guix build utils))
15de49e6 LF	178	(let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
	179	(root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
	180	(intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
	181	(intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
	182	(backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
	183	(backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
6f0f5514 LC	184	(out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
	185	(openssl (assoc-ref %build-inputs "openssl"))
	186	(perl (assoc-ref %build-inputs "perl")))
0a6bd107 LF	187	(mkdir-p out)
	188	(for-each
	189	(lambda (cert)
	190	(copy-file cert (string-append out "/"
	191	(strip-store-file-name cert))))
15de49e6 LF	192	(list root-rsa root-ecdsa
	193	intermediate-rsa intermediate-ecdsa
	194	backup-rsa backup-ecdsa))
6f0f5514 LC	195
	196	;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
	197	;; similar.)
	198	(chdir (string-append %output "/etc/ssl/certs"))
4530e854 MW	199	(invoke (string-append perl "/bin/perl")
	200	(string-append openssl "/bin/c_rehash")
	201	".")))))
6f0f5514	202	(native-inputs
8394619b	203	(list openssl perl)) ;for 'c_rehash'
0a6bd107 LF	204	(inputs
	205	`(; The Let's Encrypt root certificate, "ISRG Root X1".
	206	("isrgrootx1.pem"
	207	,(origin
	208	(method url-fetch)
	209	(uri "https://letsencrypt.org/certs/isrgrootx1.pem")
	210	(sha256
	211	(base32
505b2631	212	"1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
15de49e6 LF	213	; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2"
	214	; Let's Encrypt describes it as "Active, limited availability"
	215	("isrgrootx2.pem"
0a6bd107 LF	216	,(origin
0a6bd107 LF	217	(method url-fetch)
15de49e6	218	(uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
0a6bd107 LF	219	(sha256
0a6bd107 LF	220	(base32
15de49e6 LF	221	"04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
	222	;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
	223	;; RSA certificate.
	224	("letsencryptauthorityr3.pem"
	225	,(origin
	226	(method url-fetch)
	227	(uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
	228	(sha256
	229	(base32
	230	"0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
	231	;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
	232	;; ECDSA certificate.
	233	("letsencryptauthoritye1.pem"
	234	,(origin
	235	(method url-fetch)
	236	(uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
	237	(sha256
	238	(base32
	239	"1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
	240	;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
	241	;; RSA certificate. This will be used for disaster recovery and will only be
	242	;; used should Let's Encrypt lose the ability to issue with "Let’s
	243	;; Encrypt Authority R3".
	244	("letsencryptauthorityr4.pem"
	245	,(origin
	246	(method url-fetch)
	247	(uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
	248	(sha256
	249	(base32
	250	"09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
	251	;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
	252	;; ECDSA certificate. This will be used for disaster recovery and will
	253	;; only be used should Let's Encrypt lose the ability to issue with "Let’s
	254	;; Encrypt Authority E1".
	255	("letsencryptauthoritye2.pem"
	256	,(origin
	257	(method url-fetch)
	258	(uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
	259	(sha256
	260	(base32
	261	"1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
0a6bd107 LF	262	(home-page "https://letsencrypt.org/certificates/")
	263	(synopsis "Let's Encrypt root and intermediate certificates")
	264	(description "This package provides a certificate store containing only the
	265	Let's Encrypt root and intermediate certificates. It is intended to be used
	266	within Guix.")
	267	(license license:public-domain)))