pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: R certificate issue



On 07/20/17 10:47, Jason Bacon wrote:
On 06/16/17 01:38, coypu%sdf.org@localhost wrote:
I think we need to should teach curl to look in the right place.
It appears it has an option --with-ca-fallback=yes which might have the
expected behaviour, as it comes with the description:

checking whether to use builtin CA store of SSL library...

(So something like ``CONFIGURE_ARGS+= --with-ca-fallback=yes'' in curl's
makefile, and verifying that this line changes from 'no' to 'yes')

it looks like it will use openssl's code and certificates to validate if
an earlier option doesn't work.

And being a functional change, bump PKGREVISION :-)

If that fails we can pass it a CA_PATH, pkgsrc/*/mozilla-rootcerts
SSLDIR might contain the right logic for where the certificates are
expected to be.
Neither --with-ca-fallback=yes (verified in config.log) nor 
--with-ca-path=/etc/ssl/certs (in place of --with-ca-path=${SSLCERTS}) 
seemed to have any effect.
I can work around it using --with-ca-bundle=/etc/ssl/certs/ca-bundle.crt.

I'm curious why --with-ca-path doesn't work. I verified the change in config.log.
  $ ./configure --with-ssl=/home/bacon/Pkgsrc/pkg-2017Q1 
--with-ca-path=/etc/ssl/certs 
--with-zlib=/home/bacon/Pkgsrc/pkg-2017Q1 --enable-ipv6 
--without-libssh2 --without-gssapi --disable-ldap --without-librtmp 
--with-libidn --without-nghttp2 --prefix=/home/bacon/Pkgsrc/pkg-2017Q1 
--build=x86_64-redhat-linux --host=x86_64-redhat-linux 
--mandir=/home/bacon/Pkgsrc/pkg-2017Q1/man
Note to posterity:

Found the answer to my question here:

    https://curl.haxx.se/docs/sslcerts.html

--with-ca-path must point to a directory containing individual PEM files, while CentOS /etc/ssl/certs contains only bundles (multiple PEM files concatenated).
My solution for now is extracting the cert bundles from /etc/ssl/certs, 
dumping the individual PEM files into the default pkgsrc cert path 
(${SSLCERTS} == ${PREFIX}/etc/openssl/certs) after bootstrap.
Found a rather elegant approach to this here:

https://stackoverflow.com/questions/23644473/how-can-i-split-a-ca-certificate-bundle-into-separate-files

This is a one-time fix per pkgsrc installation and avoids the need to mess with the pkgsrc cert logic.
If anyone can think of a clean way to make this unnecessary, that would 
be great, but I'm content with the status quo for now.
--
Earth is a beta site.



Home | Main Index | Thread Index | Old Index