[Bug 911202] New: update-ca-certificates does not give feedback and lacks documentation
http://bugzilla.opensuse.org/show_bug.cgi?id=911202

Bug ID: 911202
Summary: update-ca-certificates does not give feedback and lacks documentation
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: All
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: adaugherity@tamu.edu
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/7.1.2 Safari/537.85.11
Build Identifier:

Even when run with the -v option for verbose, it only lists the scripts run, but not the certificates handled, or even the number of certificates added/removed.

/usr/share/doc/packages/ca-certificates/README does not clearly explain that user CA certificates should be installed into /etc/pki/trust/anchors, or what the "openssl trusted format" used by /etc/pki/trust is. "By default p11-kit looks into /usr/share/pki/trust/ resp /etc/pki/trust/ but there could be other plugins that serve as source for certificates as well" is poor grammar and unclear. Only by combining that with "Packages are expected to install their CA certificates in /usr/share/pki/trust/anchors" and a lot of trial and error was I able to infer that I should install my certs in /etc/pki/trust/anchors.

Additionally, the change in the handling of /etc/ssl/certs (its being a symlink now, and needing to run update-ca-certificates, etc.) is not mentioned in the openSUSE release notes. I only discovered this from the SLES 12 release notes.

Reproducible: Always

Steps to Reproduce:
1. Add or remove a CA certificate file to /etc/pki/trust/anchors as inferred from the documentation.
2. Run 'update-ca-certificates'.

Actual Results:
# update-ca-certificates
[No output.]
# update-ca-certificates -v
running /usr/lib/ca-certificates/update.d/50java.run ...
creating /var/lib/ca-certificates/java-cacerts ...
running /usr/lib/ca-certificates/update.d/70openssl.run ...
creating /var/lib/ca-certificates/openssl ...
running /usr/lib/ca-certificates/update.d/80etc_ssl.run ...
running /usr/lib/ca-certificates/update.d/99certbundle.run ...
creating /var/lib/ca-certificates/ca-bundle.pem ...

Expected Results:
The Debian version of update-ca-certificates, which this is supposedly based on, outputs this:
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

With -v, it outputs the c_rehash output also.

The Debian version does not rename the certs based on subject; since the SUSE version does, these should be listed, at least in verbose mode, e.g.:
/etc/pki/trust/anchors/datanet.pem => /etc/ssl/certs/Organizational_CA.pem

Certificates in /etc/ssl/certs are renamed based on the subject line of the input cert ('openssl x509 -noout -subject -in myCA.pem'), which can be confusing if the filename does not match the file in /etc/pki/trust/anchors. This is not documented anywhere, and combined with the lack of feedback, I thought my CA cert was being rejected, when in fact it was listed differently. (It had a subject "OU=Organizational CA, O=DATANET" and my filename was datanet.pem, but it gets stored in /etc/ssl/certs/Organizational_CA.pem.)

This whole issue also applies to SLES 12 (except for missing release notes, which SLES 12 does have), which ships the same version of update-ca-certificates.
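To find out which file in /etc/ssl/certs a given anchor became despite the subject-based renaming, the following script (added here; it is not part of the bug report or of the ca-certificates package) matches files by the SHA-256 digest of their DER encoding instead of by name, using only coreutils. It assumes the two directories are /etc/pki/trust/anchors and /etc/ssl/certs as on openSUSE 13.2, passed as arguments.

```shell
#!/bin/sh
# Map each anchor to the installed file(s) holding the same certificate.
# Matching is by SHA-256 over the DER bytes, so the renaming that
# update-ca-certificates does based on the subject does not matter.
set -eu

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the first PEM
# certificate in file $1. Only the base64 body between the PEM markers is
# decoded, so extra header text in "trusted" PEM files is ignored. This is
# the same digest that 'openssl x509 -noout -fingerprint -sha256' reports.
pem_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1;next}
         /-----END CERTIFICATE-----/{exit} p' "$1" \
        | tr -d '\r\n ' | base64 -d | sha256sum | cut -d' ' -f1
}

# For every *.pem in anchors dir $1, print "anchor => installed" for each
# file in installed dir $2 with the same fingerprint, or
# "anchor => (not installed)" when no installed file matches.
map_anchors() {
    anchors=$1; installed=$2
    for a in "$anchors"/*.pem; do
        [ -f "$a" ] || continue
        fp=$(pem_fingerprint "$a")
        found=0
        for i in "$installed"/*.pem; do
            [ -f "$i" ] || continue
            if [ "$(pem_fingerprint "$i")" = "$fp" ]; then
                printf '%s => %s\n' "$a" "$i"
                found=1
            fi
        done
        [ "$found" -eq 1 ] || printf '%s => (not installed)\n' "$a"
    done
}

# Usage on the reporter's system: map_anchors /etc/pki/trust/anchors /etc/ssl/certs
```

An anchor reported as "(not installed)" after running update-ca-certificates is the case the reporter first suspected; a line naming a differently named file is the renaming the report describes.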
Bernhard Wiedemann
Vitaliy Tomin
http://bugzilla.opensuse.org/show_bug.cgi?id=911202#c3
Uwe Geuder
http://bugzilla.opensuse.org/show_bug.cgi?id=911202#c4
--- Comment #4 from Uwe Geuder
http://bugzilla.opensuse.org/show_bug.cgi?id=911202#c5
--- Comment #5 from Ludwig Nussel