tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: new certificate stuff

On Sun, Aug 27, 2023 at 10:53:58PM +0000, Taylor R Campbell wrote:
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0.  This combination is a bug --
> need to think a bit about it, but probably better to exit nonzero than
> to suppress the error message.

Sounds good to me. Make the error message point at some docs and ask
the user to 

 - deinstall mozilla-rootcerts
 - manually copy /etc/openssl/certs.conf over


 - add a manual certs.conf and keep using their old certificate setup.

and then re-run postinstall.

> So if you unpack new _non-etc_ sets, `postinstall fix' won't
> clobber your /etc/openssl/certs directory.

This is good.


Home | Main Index | Thread Index | Old Index