tech-userlevel archive

Re: new certificate stuff



On Sun, Aug 27, 2023 at 10:53:58PM +0000, Taylor R Campbell wrote:
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0.  This combination is a bug --
> need to think a bit about it, but probably better to exit nonzero than
> to suppress the error message.

Sounds good to me. Make the error message point at some docs and ask
the user to 

 - deinstall mozilla-rootcerts
 - manually copy /etc/openssl/certs.conf over

or

 - add a manual certs.conf and keep using their old certificate setup.

and then re-run postinstall.

> So if you unpack new _non-etc_ sets, `postinstall fix' won't
> clobber your /etc/openssl/certs directory.

This is good.

Martin

