Re: new certificate stuff

To: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: new certificate stuff
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Mon, 28 Aug 2023 10:41:32 +0200

On Sun, Aug 27, 2023 at 10:53:58PM +0000, Taylor R Campbell wrote:
> > Date: Sat, 26 Aug 2023 19:15:01 +0200
> > From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> > 
> > On Sat, Aug 26, 2023 at 04:48:59PM +0000, Taylor R Campbell wrote:
> > > [...]
> > > If you currently use security/mozilla-rootcerts or
> > > security/ca-certificates (or security/mozilla-rootcerts-openssl) to
> > > populate /etc/openssl/certs, and you want to continue to use it, you
> > > will have to put the line `manual' in /etc/openssl/certs.conf before
> > > you next run postinstall(8).
> > 
> > Will postinstall remove any certificate in /etc/openssl/certs/
> > if there is no certs.conf ? I have server certificates here, in addition
> > to some local (private) CA roots.
> 
> Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash'
> (the crux of `postinstall fix opensslcerts') will print an error
> message and then exit with status 0.  This combination is a bug --
> need to think a bit about it, but probably better to exit nonzero than
> to suppress the error message.

Yes, it's fine to error out in this case

> 
> So if you unpack new _non-etc_ sets, `postinstall fix' won't
> clobber your /etc/openssl/certs directory.
> 
> The etc.tgz set, however, will have /etc/openssl/certs.conf.  So if
> you naively unpack etc.tgz, `postinstall fix' will clobber your
> /etc/openssl/certs directory.

As it will clobber others /etc/ files, so that's fine.

> 
> That said, I think if you use etcupdate(8), it will interactively
> prompt you before creating the new /etc/openssl/certs.conf.  (Have
> made a note to add this in my etcmerge(8) tool to do a three-way merge
> for updating (x)etc sets too.)
> 
> I'm open to other suggestions about how to handle the transition from
> manually maintained /etc/openssl/certs on (say) 9.x with no certs.conf
> or certctl(8) to 10.0 with new default certs.conf and certctl(8),
> provided that
> 
> (a) new installations get /etc/openssl/certs populated out of the box,
> 
> and
> 
> (b) on _future_ updates (like 10.0 to 10.1, where both releases have
>     certctl(8) and a default certs.conf), /etc/openssl/certs gets
>     updated too (unless you set `manual' in /etc/openssl/certs.conf).

Maybe postinstall should check the /etc/openssl/certs.conf existance,
and fail the 'fix opensslcerts' asking for it to be manually created;
as we do for e.g. uid/gid if some are missing ?

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

Follow-Ups:
- Re: new certificate stuff
  - From: Taylor R Campbell
- Re: new certificate stuff
  - From: Greg Troxel

References:
- Re: new certificate stuff
  - From: Manuel Bouyer
- Re: new certificate stuff
  - From: Taylor R Campbell

Prev by Date: Re: new certificate stuff
Next by Date: Re: new certificate stuff
Previous by Thread: Re: new certificate stuff
Next by Thread: Re: new certificate stuff
Indexes:

Home | Main Index | Thread Index | Old Index