[Bug 594501] New: update-ca-certificates doesn't generate /etc/ssl/cert.pem
http://bugzilla.novell.com/show_bug.cgi?id=594501
http://bugzilla.novell.com/show_bug.cgi?id=594501#c0

           Summary: update-ca-certificates doesn't generate /etc/ssl/cert.pem
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: lnussel@novell.com
        ReportedBy: vuntz@novell.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

The manpage says this:

"update-ca-certificates updates the directory /etc/ssl/certs to hold SSL certificates and generates /etc/ssl/cert.pem, a concatenated single-file list of certificates."

But /etc/ssl/cert.pem is not created.

Having such a file would make certificate validation work in epiphany again :-)

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=594501#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |vuntz@novell.com

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2010-04-08 09:15:48 CEST ---
I need to fix the documentation instead :-) I've intentionally changed the file name to /etc/ssl/ca-bundle.pem as /etc/ssl/cert.pem seems to be compiled into several programs. They then prefer the file over the directory /etc/ssl/certs which is the wrong way around. We didn't have any bundle file before so epiphany not working is due to bug 594434 I guess?
http://bugzilla.novell.com/show_bug.cgi?id=594501#c2

Vincent Untz <vuntz@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|vuntz@novell.com            |

--- Comment #2 from Vincent Untz <vuntz@novell.com> 2010-04-08 08:31:33 UTC ---
Hrm, I guess I'm misunderstanding something: why is it wrong to prefer the file over /etc/ssl/certs if both are updated with update-ca-certificates?

Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)

As for epiphany: it's a build time option. Right now, we pass --without-ca-file to configure since we don't have any file to use, so it's not related to bug 594434. By default, it was checking for the existence of a file, so the build was failing, but I can force a path and it won't check the existence during the build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's what I need to know to fix the epiphany part.
http://bugzilla.novell.com/show_bug.cgi?id=594501#c3

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2010-04-08 11:13:41 CEST ---
(In reply to comment #2)
> Hrm, I guess I'm misunderstanding something: why is it wrong to prefer the file over /etc/ssl/certs if both are updated with update-ca-certificates?

It's not directly wrong but I'd still recommend not using it. openssl for example doesn't need to load all certificates into memory when using the directory so the directory should be preferred.

> Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)

Is ca-certificates-mozilla installed?

> As for epiphany: it's a build time option. Right now, we pass --without-ca-file to configure since we don't have any file to use, so it's not related to bug 594434. By default, it was checking for the existence of a file, so the build was failing, but I can force a path and it won't check the existence during the build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's what I need to know to fix the epiphany part.

Does epiphany use openssl or gnutls? In case of openssl just make it call SSL_CTX_set_default_verify_paths(). gnutls unfortunately doesn't support directories itself so the cheap solution there indeed is to use the bundle file (won't work on older openSUSE though) or just load /etc/ssl/certs/*.pem manually. libpurple does that. OTOH if we'd make all gnutls programs use the bundle I could switch /etc/ssl/certs to use certificates with openssl trust bits. gnutls currently doesn't support such trusted certificates so the system certificates are restricted to ones trusted for "serverAuth" only. See also https://bugzilla.redhat.com/show_bug.cgi?id=466626#c18
http://bugzilla.novell.com/show_bug.cgi?id=594501#c4

--- Comment #4 from Vincent Untz <vuntz@novell.com> 2010-04-08 10:06:17 UTC ---
(In reply to comment #3)
> (In reply to comment #2)
> > Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)
>
> Is ca-certificates-mozilla installed?

Yes. Anything I can do to debug?

> > As for epiphany: it's a build time option. Right now, we pass --without-ca-file to configure since we don't have any file to use, so it's not related to bug 594434. By default, it was checking for the existence of a file, so the build was failing, but I can force a path and it won't check the existence during the build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's what I need to know to fix the epiphany part.
>
> Does epiphany use openssl or gnutls? In case of openssl just make it call SSL_CTX_set_default_verify_paths(). gnutls unfortunately doesn't support directories itself so the cheap solution there indeed is to use the bundle file (won't work on older openSUSE though) or just load /etc/ssl/certs/*.pem manually. libpurple does that.

Epiphany uses libsoup, which uses gnutls. It's okay if it doesn't work on old versions of openSUSE, so I guess I'll be happy with the bundle.
http://bugzilla.novell.com/show_bug.cgi?id=594501#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2010-04-08 13:43:58 CEST ---
(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)
> >
> > Is ca-certificates-mozilla installed?
>
> Yes. Anything I can do to debug?
>
> > > As for epiphany: it's a build time option. Right now, we pass --without-ca-file

Provided the package installed correctly and its files are present in /usr/share/ca-certificates/mozilla/ a call to "update-ca-certificates -f" should restore the symlinks in /etc/ssl/certs and generate the bundle. If that doesn't help some strategic print commands in the script are needed :-)
http://bugzilla.novell.com/show_bug.cgi?id=594501#c6

--- Comment #6 from Vincent Untz <vuntz@novell.com> 2010-04-08 12:09:53 UTC ---
(In reply to comment #5)
> Provided the package installed correctly and its files are present in /usr/share/ca-certificates/mozilla/ a call to "update-ca-certificates -f" should restore the symlinks in /etc/ssl/certs and generate the bundle. If that doesn't help some strategic print commands in the script are needed :-)

There are files in /usr/share/ca-certificates/mozilla/, but "update-ca-certificates -f" doesn't generate a bundle. Looking at the code, I don't even see which part is supposed to generate a bundle, so, hrm, where should I put my print statements? :-)
http://bugzilla.novell.com/show_bug.cgi?id=594501#c7

--- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2010-04-08 14:28:14 CEST ---
The actual bundle is generated by /etc/ca-certificates/update.d/certbundle.run
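The following is an added example, not code from this bug, from the openSUSE ca-certificates package or from epiphany. It puts the three technical points of comments #3, #5 and #7 into one runnable Python script: the manual "load /etc/ssl/certs/*.pem" that a gnutls client has to do, a stand-in for the certbundle.run hook that concatenates those certificates into the single-file bundle, an OpenSSL-backed client that trusts the directory via set_default_verify_paths (Python's spelling of SSL_CTX_set_default_verify_paths), and the diagnosis walked through in comments #5 to #8 (source files present, symlinks present, hook present, bundle present). All function names, the directory layout and the PEM contents are constructed for illustration; the real hook's exact behaviour is not shown in the thread.

```python
import os
import re
import ssl
import tempfile

# One PEM CERTIFICATE block. Keys, comments or "TRUSTED CERTIFICATE" blocks
# (OpenSSL trust bits, which gnutls cannot read anyway, per comment #3) are
# deliberately not copied, so the bundle stays a plain list of public certs.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL)


def collect_pem_certs(certs_dir):
    """Unique CERTIFICATE blocks from *.pem files in certs_dir (what a gnutls
    program must do by hand). Symlinks, as laid down by update-ca-certificates,
    are followed; dangling ones and non-files are skipped."""
    blocks, seen = [], set()
    for name in sorted(os.listdir(certs_dir)):
        path = os.path.join(certs_dir, name)
        if not name.endswith(".pem") or not os.path.isfile(path):
            continue
        with open(path, encoding="ascii", errors="replace") as fh:
            for block in _CERT_BLOCK.findall(fh.read()):
                key = "".join(block.split())  # whitespace-insensitive dedup
                if key not in seen:
                    seen.add(key)
                    blocks.append(block)
    return blocks


def build_bundle(certs_dir, bundle_path):
    """Write the concatenated bundle atomically (temp file + rename, so readers
    never see a half-written file), mode 0644 since it holds only public
    material. Returns the number of certificates written."""
    certs = collect_pem_certs(certs_dir)
    target_dir = os.path.dirname(os.path.abspath(bundle_path))
    fd, tmp = tempfile.mkstemp(prefix=".ca-bundle.", dir=target_dir)
    try:
        with os.fdopen(fd, "w", encoding="ascii") as out:
            out.write("".join(block + "\n" for block in certs))
        os.chmod(tmp, 0o644)
        os.replace(tmp, bundle_path)
    finally:
        if os.path.exists(tmp):  # only true if something above failed
            os.unlink(tmp)
    return len(certs)


def bundle_stats(bundle_path):
    """What a reviewer checks on a bundle: cert count, no key material, mode."""
    with open(bundle_path, encoding="ascii", errors="replace") as fh:
        data = fh.read()
    return {"certs": len(_CERT_BLOCK.findall(data)),
            "has_private_key": "PRIVATE KEY" in data,
            "mode": os.stat(bundle_path).st_mode & 0o777}


def openssl_client_context(certs_dir=None):
    """OpenSSL-backed client that trusts the *directory*, as comment #3
    recommends; with certs_dir=None the compiled-in default paths are used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if certs_dir is None:
        ctx.set_default_verify_paths()
    else:
        ctx.load_verify_locations(capath=certs_dir)
    return ctx


def diagnose(source_dir, certs_dir, hook_dir, bundle_path):
    """The checks from comments #5 to #8. hook_present False with everything
    else True is exactly the state the thread ends in (comment #9)."""
    links = 0
    if os.path.isdir(certs_dir):
        links = sum(1 for n in os.listdir(certs_dir)
                    if os.path.islink(os.path.join(certs_dir, n)))
    return {"source_files": os.path.isdir(source_dir) and bool(os.listdir(source_dir)),
            "cert_symlinks": links,
            "hook_present": os.path.isfile(os.path.join(hook_dir, "certbundle.run")),
            "bundle_present": os.path.isfile(bundle_path) and os.path.getsize(bundle_path) > 0}


def make_sample_layout():
    """Constructed, throw-away layout mirroring the thread's paths: source
    .crt files, /etc/ssl/certs-style *.pem plus a duplicate symlink, an empty
    hook directory (the bug), and no bundle yet. The PEM bodies are base64
    placeholders, not real certificates."""
    root = tempfile.mkdtemp(prefix="ca-example.")
    paths = {"source": os.path.join(root, "mozilla"), "certs": os.path.join(root, "certs"),
             "hooks": os.path.join(root, "update.d"), "bundle": os.path.join(root, "ca-bundle.pem")}
    for d in ("source", "certs", "hooks"):
        os.makedirs(paths[d])
    cert_a = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtU0FNUExFLUE=\n-----END CERTIFICATE-----\n"
    cert_b = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtU0FNUExFLUI=\n-----END CERTIFICATE-----\n"
    key_b = "-----BEGIN PRIVATE KEY-----\nTk9ULUEtUkVBTC1LRVk=\n-----END PRIVATE KEY-----\n"
    with open(os.path.join(paths["source"], "SampleRootA.crt"), "w") as fh:
        fh.write(cert_a)
    with open(os.path.join(paths["certs"], "a.pem"), "w") as fh:
        fh.write(cert_a)
    with open(os.path.join(paths["certs"], "b.pem"), "w") as fh:
        fh.write(cert_b + key_b)  # a key that must not reach the bundle
    os.symlink("a.pem", os.path.join(paths["certs"], "dup.pem"))
    return paths


if __name__ == "__main__":
    p = make_sample_layout()
    print("before:", diagnose(p["source"], p["certs"], p["hooks"], p["bundle"]))
    print("bundled", build_bundle(p["certs"], p["bundle"]), "certs:", bundle_stats(p["bundle"]))
    print("after: ", diagnose(p["source"], p["certs"], p["hooks"], p["bundle"]))
```

Run stand-alone it prints the diagnosis before and after building the bundle; the "before" dict reproduces the thread's state (source files and symlinks present, hook and bundle missing). The dedup step matters because update-ca-certificates fills /etc/ssl/certs with symlinks and a naive `cat *.pem` would ship every root twice.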
http://bugzilla.novell.com/show_bug.cgi?id=594501#c8

--- Comment #8 from Vincent Untz <vuntz@novell.com> 2010-04-08 13:04:23 UTC ---
Aha! I don't have this file :-)
http://bugzilla.novell.com/show_bug.cgi?id=594501#c9

--- Comment #9 from Ludwig Nussel <lnussel@novell.com> 2010-04-08 15:09:51 CEST ---
argl. It's not packaged. D'oh! will fix.
http://bugzilla.novell.com/show_bug.cgi?id=594501#c10

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #10 from Ludwig Nussel <lnussel@novell.com> 2010-04-08 15:20:38 CEST ---
sr#37368
http://bugzilla.novell.com/show_bug.cgi?id=594501#c11

--- Comment #11 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (594501) was mentioned in
https://build.opensuse.org/request/show/37898 Factory / ca-certificates