tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: new certificate stuff
On Sun, Aug 27, 2023 at 10:53:58PM +0000, Taylor R Campbell wrote:
> > Date: Sat, 26 Aug 2023 19:15:01 +0200
> > From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> >
> > On Sat, Aug 26, 2023 at 04:48:59PM +0000, Taylor R Campbell wrote:
> > > [...]
> > > If you currently use security/mozilla-rootcerts or
> > > security/ca-certificates (or security/mozilla-rootcerts-openssl) to
> > > populate /etc/openssl/certs, and you want to continue to use it, you
> > > will have to put the line `manual' in /etc/openssl/certs.conf before
> > > you next run postinstall(8).
> >
> > Will postinstall remove any certificate in /etc/openssl/certs/
> > if there is no certs.conf ? I have server certificates here, in addition
> > to some local (private) CA roots.
>
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0. This combination is a bug --
> need to think a bit about it, but probably better to exit nonzero than
> to suppress the error message.
Yes, it's fine to error out in this case
>
> So if you unpack new _non-etc_ sets, `postinstall fix' won't
> clobber your /etc/openssl/certs directory.
>
> The etc.tgz set, however, will have /etc/openssl/certs.conf. So if
> you naively unpack etc.tgz, `postinstall fix' will clobber your
> /etc/openssl/certs directory.
As it will clobber others /etc/ files, so that's fine.
>
> That said, I think if you use etcupdate(8), it will interactively
> prompt you before creating the new /etc/openssl/certs.conf. (Have
> made a note to add this in my etcmerge(8) tool to do a three-way merge
> for updating (x)etc sets too.)
>
> I'm open to other suggestions about how to handle the transition from
> manually maintained /etc/openssl/certs on (say) 9.x with no certs.conf
> or certctl(8) to 10.0 with new default certs.conf and certctl(8),
> provided that
>
> (a) new installations get /etc/openssl/certs populated out of the box,
>
> and
>
> (b) on _future_ updates (like 10.0 to 10.1, where both releases have
> certctl(8) and a default certs.conf), /etc/openssl/certs gets
> updated too (unless you set `manual' in /etc/openssl/certs.conf).
Maybe postinstall should check the /etc/openssl/certs.conf existance,
and fail the 'fix opensslcerts' asking for it to be manually created;
as we do for e.g. uid/gid if some are missing ?
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 ans d'experience feront toujours la difference
--
Home |
Main Index |
Thread Index |
Old Index