1;;; GNU Guix --- Functional package management for GNU
2;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
41ce4601 3;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
5389c5ea 4;;; Copyright © 2016-2017, 2021-2022 Ludovic Courtès <ludo@gnu.org>
0a6bd107 5;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
3c747a08 6;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
18c38c18 7;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
1001baa1 8;;; Copyright © 2021 Efraim Flashner <efraim@flashner.co.il>
acfa55a5 9;;; Copyright © 2021 Raghav Gururajan <rg@raghavgururajan.name>
10;;;
11;;; This file is part of GNU Guix.
12;;;
13;;; GNU Guix is free software; you can redistribute it and/or modify it
14;;; under the terms of the GNU General Public License as published by
15;;; the Free Software Foundation; either version 3 of the License, or (at
16;;; your option) any later version.
17;;;
18;;; GNU Guix is distributed in the hope that it will be useful, but
19;;; WITHOUT ANY WARRANTY; without even the implied warranty of
20;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21;;; GNU General Public License for more details.
22;;;
23;;; You should have received a copy of the GNU General Public License
24;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;; Certificate bundles and the helper tool used to build them.  Every
;; certificate or source file below comes from a pinned origin carrying its
;; own sha256, so a file that changes upstream fails the download check
;; instead of silently altering a trust store.
(define-module (gnu packages certs)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (guix utils)
  #:use-module (guix download)
  #:use-module (guix gexp)
  #:use-module (guix git-download)
  #:use-module (guix build-system copy)
  #:use-module (guix build-system gnu)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages)
  #:use-module (gnu packages curl)
  #:use-module (gnu packages python)
  #:use-module (gnu packages perl)
  #:use-module (gnu packages tls))
;; Certbot DNS-challenge hook for the deSEC DNS service.  Only the shell
;; script 'hook.sh' is installed, under etc/desec of the output; the source
;; is a git checkout pinned to an exact commit and sha256.
(define-public desec-certbot-hook
  (let ((commit "68da7abc0793602fd336962a7e2348b57c5d6fd6")
        (revision "0"))
    (package
      (name "desec-certbot-hook")
      (version
       (git-version "0" revision commit))
      (source
       (origin
         (method git-fetch)
         (uri
          (git-reference
           (url "https://github.com/desec-io/desec-certbot-hook")
           (commit commit)))
         (file-name (git-file-name name version))
         (sha256
          (base32 "0qjqk6i85b1y7fgzcx74r4gn2i4dkjza34hkzp6kyn9hrb8f2gv2"))))
      (build-system copy-build-system)
      (arguments
       `(#:phases
         (modify-phases %standard-phases
           (add-after 'unpack 'patch-script
             (lambda* (#:key inputs #:allow-other-keys)
               (substitute* "hook.sh"
                 ;; The hook script looks for the '.dedynauth' file in $PWD,
                 ;; but users cannot create or edit files in the store.  So we
                 ;; patch the hook script to look for '.dedynauth' in
                 ;; /etc/desec instead.
                 ;; NOTE(review): '.dedynauth' presumably holds the deSEC API
                 ;; credentials used for the DNS challenge — confirm against
                 ;; hook.sh.  If so, the administrator creates it under
                 ;; /etc/desec and should keep it readable only by the user
                 ;; running certbot.
                 (("\\$\\(pwd\\)")
                  "/etc/desec")
                 ;; Make absolute reference to curl program.
                 ;; NOTE(review): the pattern "curl" is unanchored, so every
                 ;; occurrence of that substring in hook.sh is rewritten, not
                 ;; only the command invocation.  Harmless as long as the
                 ;; script contains no other "curl" text; re-check when the
                 ;; pinned commit is updated.
                 (("curl")
                  (string-append (assoc-ref inputs "curl")
                                 "/bin/curl"))))))
         #:install-plan
         '(("." "etc/desec" #:include ("hook.sh")))))
      (inputs
       (list curl))
      (synopsis "Certbot DNS challenge automatization for deSEC")
      (description "The deSEC can be used to obtain certificates with certbot
DNS ownership verification. With the help of this hook script, you can obtain
your Let's Encrypt certificate using certbot with authorization provided by the
DNS challenge mechanism, that is, you will not need a running web server or any
port forwarding to your local machine.")
      (home-page "https://desec.io")
      (license license:expat))))
;; Small C tool that splits a certificate data blob (presumably Mozilla's
;; certdata.txt — see its use in 'nss-certs' below) into one PEM file per
;; certificate.  It is only a native input of 'nss-certs'.
(define-public certdata2pem
  (let ((revision "1")
        (commit "4c576f350f44186d439179f63d5be19f710a73f5"))
    (package
      (name "certdata2pem")
      (version "0.0.0")                 ;no version
      (source (origin
                (method url-fetch)
                ;; A single source file, pinned to an exact upstream commit
                ;; and sha256 rather than to a moving branch.
                (uri (string-append
                      "https://raw.githubusercontent.com/sabotage-linux/sabotage/"
                      commit "/KEEP/certdata2pem.c"))
                (sha256
                 (base32
                  "1rywp29q4l1cs2baplkbcravxqs4kw2cys4yifhfznbc210pskq6"))))
      (build-system gnu-build-system)
      (arguments
       `(#:phases (modify-phases %standard-phases
                    (delete 'configure)   ;single .c file, nothing to configure
                    ;; Upstream writes '.crt' files; 'nss-certs' below collects
                    ;; '*.pem', so rename the extension at the source level.
                    (add-before 'build 'fix-extension
                      (lambda _
                        (substitute* "certdata2pem.c"
                          (("\\.crt")
                           ".pem"))))
                    ;; Direct compiler invocation; 'cc-for-target' picks the
                    ;; right compiler when cross-compiling.
                    (replace 'build
                      (lambda _
                        (invoke ,(cc-for-target) "certdata2pem.c"
                                "-o" "certdata2pem")))
                    (delete 'check)       ;no test suite
                    (replace 'install
                      (lambda* (#:key outputs #:allow-other-keys)
                        (let ((out (assoc-ref outputs "out")))
                          (install-file "certdata2pem"
                                        (string-append out "/bin"))))))))
      (home-page "https://github.com/sabotage-linux/")
      (synopsis "Utility to split TLS certificates data into multiple PEM files")
      (description "This is a C version of the certdata2pem Python utility
that was originally contributed to Debian.")
      (license license:isc))))
;; Mozilla's CA trust store, extracted from the NSS source tarball.  Only the
;; certificate data is used: the trimmed phase list below unpacks the tarball
;; and runs 'certdata2pem'; NSS itself is never configured or built.
(define-public nss-certs
  (package
    (name "nss-certs")
    ;; XXX We used to refer to the nss package here, but that eventually caused
    ;; module cycles.  The below is a quick copy-paste job that must be kept in
    ;; sync manually.  Surely there's a better way…?
    ;; NOTE(review): because the version is duplicated here, an 'nss' bump
    ;; that forgets this package leaves the system trust store on an older
    ;; root set — missing newly added CAs and, more importantly, still
    ;; trusting roots Mozilla has since removed.
    (version "3.71")
    (source (origin
              (method url-fetch)
              (uri (let ((version-with-underscores
                          (string-join (string-split version #\.) "_")))
                     (string-append
                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
                      "releases/NSS_" version-with-underscores "_RTM/src/"
                      "nss-" version ".tar.gz")))
              (sha256
               (base32
                "0ly2l3dv6z5hlxs72h5x6796ni3x1bq60saavaf42ddgv4ax7b4r"))
              ;; Create nss.pc and nss-config.  (Kept identical to the 'nss'
              ;; package so the two stay in sync; they do not affect the
              ;; certificates.)
              (patches (search-patches "nss-3.56-pkgconfig.patch"
                                       "nss-getcwd-nonnull.patch"
                                       "nss-increase-test-timeout.patch"))
              (modules '((guix build utils)))
              (snippet
               '(begin
                  ;; Delete the bundled copy of these libraries.
                  (delete-file-recursively "nss/lib/zlib")
                  (delete-file-recursively "nss/lib/sqlite")))))
    (build-system gnu-build-system)
    (outputs '("out"))
    (native-inputs
     (list certdata2pem openssl))
    (inputs '())
    (propagated-inputs '())
    (arguments
     (list #:modules '((guix build gnu-build-system)
                       (guix build utils)
                       (rnrs io ports)
                       (srfi srfi-26))
           #:phases
           #~(modify-phases
                 ;; Keep only the phases needed to reach the unpacked source;
                 ;; no configure, build, check or regular install phase runs.
                 (map (cut assq <> %standard-phases)
                      '(set-paths install-locale unpack))
               (add-after 'unpack 'install
                 (lambda _
                   (let ((certsdir (string-append #$output
                                                  "/etc/ssl/certs/")))
                     (with-directory-excursion "nss/lib/ckfw/builtins/"
                       ;; NOTE(review): certdata2pem presumably reads
                       ;; 'blacklist.txt' to exclude certificates; creating it
                       ;; empty means no exclusions beyond what the NSS data
                       ;; itself expresses — confirm against the certdata2pem
                       ;; source.
                       (unless (file-exists? "blacklist.txt")
                         (call-with-output-file "blacklist.txt" (const #t)))
                       ;; Extract selected single certificates from blob.
                       (invoke "certdata2pem")
                       ;; Copy .pem files into the output.
                       (for-each (cut install-file <> certsdir)
                                 (find-files "." ".*\\.pem$")))
                     ;; Hash symlinks so OpenSSL-style lookups ('SSL_CERT_DIR')
                     ;; can find each certificate by subject hash.
                     (invoke "openssl" "rehash" certsdir)))))))
    (synopsis "CA certificates from Mozilla")
    (description
     "This package provides certificates for Certification Authorities (CA)
taken from the NSS package and thus ultimately from the Mozilla project.")
    (home-page "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS")
    (license license:mpl2.0)))
;; Trust store limited to the Let's Encrypt roots and intermediates.  Each
;; certificate is a separate pinned origin with its own sha256, so a changed
;; file on letsencrypt.org fails the download check rather than being
;; installed silently.
(define-public le-certs
  (package
    (name "le-certs")
    (version "1")
    (source #f)
    (build-system trivial-build-system)
    (arguments
     '(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         ;; The labels looked up here must match the input labels in 'inputs'
         ;; below; 'openssl' and 'perl' come from 'native-inputs'.
         (let ((root-rsa (assoc-ref %build-inputs "isrgrootx1.pem"))
               (root-ecdsa (assoc-ref %build-inputs "isrgrootx2.pem"))
               (intermediate-rsa (assoc-ref %build-inputs "letsencryptauthorityr3.pem"))
               (intermediate-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye1.pem"))
               (backup-rsa (assoc-ref %build-inputs "letsencryptauthorityr4.pem"))
               (backup-ecdsa (assoc-ref %build-inputs "letsencryptauthoritye2.pem"))
               (out (string-append (assoc-ref %outputs "out") "/etc/ssl/certs"))
               (openssl (assoc-ref %build-inputs "openssl"))
               (perl (assoc-ref %build-inputs "perl")))
           (mkdir-p out)
           ;; Install each PEM under its original file name, i.e. with the
           ;; store directory and hash prefix stripped.
           (for-each
            (lambda (cert)
              (copy-file cert (string-append out "/"
                                             (strip-store-file-name cert))))
            (list root-rsa root-ecdsa
                  intermediate-rsa intermediate-ecdsa
                  backup-rsa backup-ecdsa))

           ;; Create hash symlinks suitable for OpenSSL ('SSL_CERT_DIR' and
           ;; similar.)
           ;; NOTE(review): 'nss-certs' above does the same step with
           ;; "openssl rehash" and no Perl dependency; the two packages could
           ;; be aligned.  '%output' here is the same directory as 'out'.
           (chdir (string-append %output "/etc/ssl/certs"))
           (invoke (string-append perl "/bin/perl")
                   (string-append openssl "/bin/c_rehash")
                   ".")))))
    (native-inputs
     (list openssl perl))               ;for 'c_rehash'
    (inputs
     `(;; The Let's Encrypt root certificate, "ISRG Root X1".
       ("isrgrootx1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrgrootx1.pem")
           (sha256
            (base32
             "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92"))))
       ;; Upcoming ECDSA Let's Encrypt root certificate, "ISRG Root X2".
       ;; Let's Encrypt describes it as "Active, limited availability".
       ("isrgrootx2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/isrg-root-x2.pem")
           (sha256
            (base32
             "04xh8912nwkghqydbqvvmslpqbcafgxgjh9qnn0z2vgy24g8hgd1"))))
       ;; "Let’s Encrypt Authority R3", the active Let's Encrypt intermediate
       ;; RSA certificate.
       ("letsencryptauthorityr3.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r3.pem")
           (sha256
            (base32
             "0clxry49rx6qd3pgbzknpgzywbg3j96zy0227wwjnwivqj7inzhp"))))
       ;; "Let’s Encrypt Authority E1", the active Let's Encrypt intermediate
       ;; ECDSA certificate.
       ("letsencryptauthoritye1.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e1.pem")
           (sha256
            (base32
             "1zwrc6dlk1qig0z23x6x7fib14rrw41ccbf2ds0rw75zccc59xx0"))))
       ;; "Let’s Encrypt Authority R4", the backup Let's Encrypt intermediate
       ;; RSA certificate.  This will be used for disaster recovery and will
       ;; only be used should Let's Encrypt lose the ability to issue with
       ;; "Let’s Encrypt Authority R3".
       ("letsencryptauthorityr4.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-r4.pem")
           (sha256
            (base32
             "09bzxzbwb9x2xxan3p1fyj1pi2p5yks0879gwz5f28y9mzq8vmd8"))))
       ;; "Let’s Encrypt Authority E2", the backup Let's Encrypt intermediate
       ;; ECDSA certificate.  This will be used for disaster recovery and will
       ;; only be used should Let's Encrypt lose the ability to issue with
       ;; "Let’s Encrypt Authority E1".
       ("letsencryptauthoritye2.pem"
        ,(origin
           (method url-fetch)
           (uri "https://letsencrypt.org/certs/lets-encrypt-e2.pem")
           (sha256
            (base32
             "1wfmsa29lyi9dkh6xdcamb2rhkp5yl2ppnsgrzcrjl5c7gbqh9ml"))))))
    (home-page "https://letsencrypt.org/certificates/")
    (synopsis "Let's Encrypt root and intermediate certificates")
    (description "This package provides a certificate store containing only the
Let's Encrypt root and intermediate certificates. It is intended to be used
within Guix.")
    (license license:public-domain)))