Re: new certificate stuff

To: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Subject: Re: new certificate stuff
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Date: Sun, 27 Aug 2023 22:53:58 +0000

> Date: Sat, 26 Aug 2023 19:15:01 +0200
> From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> 
> On Sat, Aug 26, 2023 at 04:48:59PM +0000, Taylor R Campbell wrote:
> > [...]
> > If you currently use security/mozilla-rootcerts or
> > security/ca-certificates (or security/mozilla-rootcerts-openssl) to
> > populate /etc/openssl/certs, and you want to continue to use it, you
> > will have to put the line `manual' in /etc/openssl/certs.conf before
> > you next run postinstall(8).
> 
> Will postinstall remove any certificate in /etc/openssl/certs/
> if there is no certs.conf ? I have server certificates here, in addition
> to some local (private) CA roots.

Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
(the crux of `postinstall fix opensslcerts') will print an error
message and then exit with status 0.  This combination is a bug --
need to think a bit about it, but probably better to exit nonzero than
to suppress the error message.

So if you unpack new _non-etc_ sets, `postinstall fix' won't
clobber your /etc/openssl/certs directory.

The etc.tgz set, however, will have /etc/openssl/certs.conf.  So if
you naively unpack etc.tgz, `postinstall fix' will clobber your
/etc/openssl/certs directory.

That said, I think if you use etcupdate(8), it will interactively
prompt you before creating the new /etc/openssl/certs.conf.  (Have
made a note to add this in my etcmerge(8) tool to do a three-way merge
for updating (x)etc sets too.)

I'm open to other suggestions about how to handle the transition from
manually maintained /etc/openssl/certs on (say) 9.x with no certs.conf
or certctl(8) to 10.0 with new default certs.conf and certctl(8),
provided that

(a) new installations get /etc/openssl/certs populated out of the box,

and

(b) on _future_ updates (like 10.0 to 10.1, where both releases have
    certctl(8) and a default certs.conf), /etc/openssl/certs gets
    updated too (unless you set `manual' in /etc/openssl/certs.conf).

Follow-Ups:
- Re: new certificate stuff
  - From: Greg Troxel
- Re: new certificate stuff
  - From: Greg Troxel
- Re: new certificate stuff
  - From: Manuel Bouyer
- Re: new certificate stuff
  - From: Martin Husemann

References:
- Re: new certificate stuff
  - From: Manuel Bouyer

Prev by Date: Re: new certificate stuff
Next by Date: Re: new certificate stuff
Previous by Thread: Re: new certificate stuff
Next by Thread: Re: new certificate stuff
Indexes:

Home | Main Index | Thread Index | Old Index