tech-userlevel archive


Re: new certificate stuff



> Date: Mon, 28 Aug 2023 10:41:32 +0200
> From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> 
> Maybe postinstall should check the /etc/openssl/certs.conf existence,
> and fail the 'fix opensslcerts' asking for it to be manually created;
> as we do for e.g. uid/gid if some are missing?

I split it into two postinstall items:

- opensslcertsconf: handles missing /etc/openssl/certs.conf, in case
  you neglect to apply etcupdate or equivalent to bring in new config
  files.

  If you appear to be managing /etc/openssl/certs manually already,
  this sets `manual' in certs.conf; otherwise it copies the default
  one from /usr/share/examples/certctl/certs.conf.

- opensslcertsrehash: handles regenerating the /etc/openssl/certs
  cache from config.

  I also added a check operation so that this complains if and only if
  `certctl rehash' would create something different from what is
  currently in /etc/openssl/certs (or if it doesn't seem to be managed
  by certctl(8), but /etc/openssl/certs.conf doesn't set `manual').

Please let me know if you have any trouble with upgrades!

I'm trying to make sure this will provide a seamless fresh install and
upgrade path so that if you were already managing /etc/openssl/certs,
it stays that way, but if you weren't, certctl(8) takes over and makes
the Mozilla trust anchors available.  And I'd like to get this into 10
ASAP.
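A small shell model of the two postinstall decisions described in the message above, added here as an illustration and not taken from NetBSD's postinstall or certctl(8). It assumes a marker file named .certctl flags a certctl-managed directory and that a line reading `manual' in certs.conf selects manual mode; both are assumptions for this example, not the real implementation's conventions.

```shell
#!/bin/sh
# Example only: models the opensslcertsconf / opensslcertsrehash logic.
# Assumption: a certctl-managed directory contains a ".certctl" marker.
# Assumption: certs.conf selects manual mode with a line that is just "manual".

# opensslcertsconf: create a missing certs.conf.  Prints the action taken:
#   ok            certs.conf already exists, nothing to do
#   set-manual    certs dir looks hand-managed (non-empty, no marker)
#   copy-default  otherwise, install the default certs.conf
opensslcertsconf() {
    certsdir=$1 conf=$2 default=$3
    if [ -f "$conf" ]; then
        echo ok; return 0
    fi
    if [ -d "$certsdir" ] && [ ! -f "$certsdir/.certctl" ] \
       && [ -n "$(ls -A "$certsdir" 2>/dev/null)" ]; then
        echo manual > "$conf"
        echo set-manual
    else
        cp "$default" "$conf"
        echo copy-default
    fi
}

# opensslcertsrehash check: complain iff a rehash would change the directory,
# or the directory is not certctl-managed while certs.conf does not say manual.
# $3 is a directory holding what "certctl rehash" would produce (the expected
# state); the real tool computes this itself.  Prints one of:
#   ok, needs-rehash, unmanaged-without-manual
opensslcertsrehash_check() {
    certsdir=$1 conf=$2 expected=$3
    if grep -qx manual "$conf" 2>/dev/null; then
        echo ok; return 0            # manual mode: never touched by certctl
    fi
    if [ ! -f "$certsdir/.certctl" ]; then
        echo unmanaged-without-manual; return 0
    fi
    if diff -r "$expected" "$certsdir" >/dev/null 2>&1; then
        echo ok
    else
        echo needs-rehash
    fi
}
```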

