NetBSD-Bugs archive


bin/59778: postinstall: opensslcertsrehash limited to DEST_DIR=/



>Number:         59778
>Category:       bin
>Synopsis:       postinstall: opensslcertsrehash limited to DEST_DIR=/
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 20 07:30:00 +0000 2025
>Originator:     Sad Clouds
>Release:        10.1_STABLE
>Organization:
>Environment:
NetBSD rp3 10.1_STABLE NetBSD 10.1_STABLE (GENERIC64) #0: Mon Nov 17 17:11:27 UTC 2025  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm
>Description:
I have two NetBSD root partitions - primary and secondary. These are used as boot environments; if an upgrade goes wrong on the primary, I can boot into the secondary and repair files on the primary.

When I perform OS upgrades, I boot into the primary boot environment and upgrade the secondary, then boot into the secondary and upgrade the primary. Everything works apart from the postinstall script:

postinstall checks failed: opensslcertsrehash
To fix, run:
    sh /mnt/usr/sbin/postinstall -s sets/etc.tar.xz -d /mnt fix opensslcertsrehash
Note that this may overwrite local changes.
*** All done
rp3# sh /mnt/usr/sbin/postinstall -s sets/etc.tar.xz -d /mnt fix opensslcertsrehash
Note: Creating temporary directory /tmp/_postinstall.1716.0/etc.tgz
Note: Extracting files from sets/etc.tar.xz
Source directory: /tmp/_postinstall.1716.0/etc.tgz
 (extracted from: sets/etc.tar.xz)
Target directory: /mnt
opensslcertsrehash fix:
        opensslcertsrehash limited to DEST_DIR=/
postinstall fixes passed:
postinstall fixes failed: opensslcertsrehash

I get the comment in the postinstall script which executes "certctl rehash" - "This runs openssl(1), which is not available as a build-time tool." However, in some cases (like mine) it is the same machine architecture, just a different root hierarchy located on the primary or secondary partition.

I can work around this manually, but can I make a suggestion for a small enhancement? It would be quite easy to check at runtime if certctl is either not available or not executable and only then fail with the above error message. Alternatively, call certctl unconditionally and return an error if that fails.
>How-To-Repeat:

>Fix:


