pkgsrc-Users archive


Re: R certificate issue

On 07/24/17 12:58, Jason Bacon wrote:
On 07/20/17 10:47, Jason Bacon wrote:
On 06/16/17 01:38, wrote:
I think we should teach curl to look in the right place.
It appears it has an option --with-ca-fallback=yes which might have the
expected behaviour, as it comes with the description:

checking whether to use builtin CA store of SSL library...

(So something like ``CONFIGURE_ARGS+= --with-ca-fallback=yes'' in curl's
makefile, and verifying that this line changes from 'no' to 'yes')

It looks like it will use openssl's code and certificates to validate if
an earlier option doesn't work.

And being a functional change, bump PKGREVISION :-)

If that fails we can pass it a CA_PATH, pkgsrc/*/mozilla-rootcerts
SSLDIR might contain the right logic for where the certificates are
expected to be.

Neither --with-ca-fallback=yes (verified in config.log) nor --with-ca-path=/etc/ssl/certs (in place of --with-ca-path=${SSLCERTS}) seemed to have any effect.

I can work around it using --with-ca-bundle=/etc/ssl/certs/ca-bundle.crt.

I'm curious why --with-ca-path doesn't work. I verified the change in config.log.

$ ./configure --with-ssl=/home/bacon/Pkgsrc/pkg-2017Q1 --with-ca-path=/etc/ssl/certs --with-zlib=/home/bacon/Pkgsrc/pkg-2017Q1 --enable-ipv6 --without-libssh2 --without-gssapi --disable-ldap --without-librtmp --with-libidn --without-nghttp2 --prefix=/home/bacon/Pkgsrc/pkg-2017Q1 --build=x86_64-redhat-linux --host=x86_64-redhat-linux --mandir=/home/bacon/Pkgsrc/pkg-2017Q1/man

Note to posterity:

Found the answer to my question here:

--with-ca-path must point to a directory containing individual PEM files, while CentOS /etc/ssl/certs contains only bundles (multiple PEM files concatenated).

My solution for now is extracting the cert bundles from /etc/ssl/certs, dumping the individual PEM files into the default pkgsrc cert path (${SSLCERTS} == ${PREFIX}/etc/openssl/certs) after bootstrap.

Found a rather elegant approach to this here:

This is a one-time fix per pkgsrc installation and avoids the need to mess with the pkgsrc cert logic.

If anyone can think of a clean way to make this unnecessary, that would be great, but I'm content with the status quo for now.

Better yet...

cd security/mozilla-rootcerts-openssl && bmake install NOT_FOR_UNPRIVILEGED=no

I had overlooked this pkg initially when searching for something to populate the ${SSLCERTS} dir because the use of ${MYETCDIR} in PLIST thwarted my "grep etc/openssl/certs" command.

The NOT_FOR_UNPRIVILEGED=no is needed to install as a non-root user, which will not work if using built-in openssl, because it wants to install in /etc in that case.

Hope some of this noise proves useful to someone...

Earth is a beta site.
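The --with-ca-path / --capath mechanism discussed in this thread is OpenSSL's hash-directory lookup: it opens files named by subject-name hash (<hash>.0 and so on) in the directory, which is why a directory holding only concatenated bundles is never consulted and why splitting alone is not enough until the directory is rehashed. The script below is an added example, not code from the thread or from pkgsrc: it splits a bundle into per-certificate PEM files and then rehashes the directory. The function names split_ca_bundle and rehash_ca_dir are mine, and the two-certificate bundle it runs on is constructed dummy data so the split can be exercised offline; for real use point it at /etc/ssl/certs/ca-bundle.crt and ${PREFIX}/etc/openssl/certs as in the thread.

```shell
#!/bin/sh
# Added example (not from the pkgsrc thread): turn a CentOS-style CA bundle
# into the per-certificate, hashed directory that curl's --with-ca-path /
# --capath (OpenSSL hash-dir lookup) actually expects.
#
# Assumptions: split_ca_bundle and rehash_ca_dir are hypothetical helper
# names; the bundle built below is constructed dummy data, not real certs.

# split_ca_bundle BUNDLE OUTDIR
# Writes each PEM certificate in BUNDLE to OUTDIR/cert-NNNN.pem and prints
# the number of certificates written. Text between certificates (comments,
# blank lines) is dropped rather than glued onto the previous file.
split_ca_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%04d.pem", dir, n)
            in_cert = 1
        }
        in_cert { print > out }
        /-----END CERTIFICATE-----/ { in_cert = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# rehash_ca_dir DIR
# OpenSSL locates certificates in a CApath by subject-name hash (<hash>.N),
# so the split files must be rehashed. "openssl rehash" exists in
# OpenSSL 1.1+; c_rehash is the older script shipped with 1.0.x.
rehash_ca_dir() {
    dir=$1
    if openssl rehash "$dir" >/dev/null 2>&1; then
        return 0
    elif command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$dir" >/dev/null
    else
        echo "no 'openssl rehash' or c_rehash available" >&2
        return 1
    fi
}

# Constructed two-certificate bundle (dummy base64 bodies, not real
# certificates) so the split can be demonstrated offline. A real input
# would be /etc/ssl/certs/ca-bundle.crt.
demo=$(mktemp -d)
cat > "$demo/ca-bundle.crt" <<'EOF'
# Real bundles carry comment and blank lines like these between certs.

-----BEGIN CERTIFICATE-----
MIIBdummyCertificateOne
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIBdummyCertificateTwo
-----END CERTIFICATE-----
EOF

count=$(split_ca_bundle "$demo/ca-bundle.crt" "$demo/certs")
echo "wrote $count certificate file(s) to $demo/certs:"
ls "$demo/certs"

# With a real bundle, finish with (PREFIX being the pkgsrc prefix):
#   split_ca_bundle /etc/ssl/certs/ca-bundle.crt "$PREFIX/etc/openssl/certs"
#   rehash_ca_dir "$PREFIX/etc/openssl/certs"
#   curl --capath "$PREFIX/etc/openssl/certs" https://example.com/
```

The final curl call is the runtime check that the directory works before rebuilding curl with --with-ca-path pointing at it; if curl still reports an unknown issuer after the rehash, the certificates themselves (not the directory layout) are the problem.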
