[Bug 594501] New: update-ca-certificates doesn't generate /etc/ssl/cert.pem
http://bugzilla.novell.com/show_bug.cgi?id=594501
http://bugzilla.novell.com/show_bug.cgi?id=594501#c0

Summary: update-ca-certificates doesn't generate /etc/ssl/cert.pem
Classification: openSUSE
Product: openSUSE 11.3
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: lnussel@novell.com
ReportedBy: vuntz@novell.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

The manpage says this:

"update-ca-certificates updates the directory /etc/ssl/certs to hold SSL certificates and generates /etc/ssl/cert.pem, a concatenated single-file list of certificates."

But /etc/ssl/cert.pem is not created. Having such a file would make certificate validation work in epiphany again :-)

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=594501#c1
--- Comment #1 from Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=594501#c2
--- Comment #2 from Vincent Untz
http://bugzilla.novell.com/show_bug.cgi?id=594501#c3
--- Comment #3 from Ludwig Nussel
> Hrm, I guess I'm misunderstanding something: why is it wrong to prefer the file over /etc/ssl/certs if both are updated with update-ca-certificates?

It's not directly wrong but I'd still recommend not using it. openssl for example doesn't need to load all certificates into memory when using the directory so the directory should be preferred.

> Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)

Is ca-certificates-mozilla installed?

> As for epiphany: it's a build time option. Right now, we pass --without-ca-file to configure since we don't have any file to use, so it's not related to bug 594434. By default, it was checking for the existence of a file, so the build was failing, but I can force a path and it won't check the existence during the build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's what I need to know to fix the epiphany part.

Does epiphany use openssl or gnutls? In case of openssl just make it call SSL_CTX_set_default_verify_paths(). gnutls unfortunately doesn't support directories itself so the cheap solution there indeed is to use the bundle file (won't work on older openSUSE though) or just load /etc/ssl/certs/*.pem manually. libpurple does that. OTOH if we'd make all gnutls programs use the bundle I could switch /etc/ssl/certs to use certificates with openssl trust bits. gnutls currently doesn't support such trusted certificates so the system certificates are restricted to ones trusted for "serverAuth" only.

See also https://bugzilla.redhat.com/show_bug.cgi?id=466626#c18
http://bugzilla.novell.com/show_bug.cgi?id=594501#c4
--- Comment #4 from Vincent Untz
> (In reply to comment #2)
> > Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)
>
> Is ca-certificates-mozilla installed?

Yes. Anything I can do to debug?

> > As for epiphany: it's a build time option. Right now, we pass --without-ca-file to configure since we don't have any file to use, so it's not related to bug 594434. By default, it was checking for the existence of a file, so the build was failing, but I can force a path and it won't check the existence during the build. So if /etc/ssl/ca-bundle.pem is the right thing to use, then that's what I need to know to fix the epiphany part.
>
> Does epiphany use openssl or gnutls? In case of openssl just make it call SSL_CTX_set_default_verify_paths(). gnutls unfortunately doesn't support directories itself so the cheap solution there indeed is to use the bundle file (won't work on older openSUSE though) or just load /etc/ssl/certs/*.pem manually. libpurple does that.

Epiphany uses libsoup, which uses gnutls. It's okay if it doesn't work on old versions of openSUSE, so I guess I'll be happy with the bundle.
http://bugzilla.novell.com/show_bug.cgi?id=594501#c5
--- Comment #5 from Ludwig Nussel
> (In reply to comment #3)
> > (In reply to comment #2)
> > > Anyway, in all cases, I don't have any pem file in /etc/ssl, so I don't have /etc/ssl/ca-bundle.pem either ;-)
> >
> > Is ca-certificates-mozilla installed?
>
> Yes. Anything I can do to debug?
>
> > > As for epiphany: it's a build time option. Right now, we pass --without-ca-file

Provided the package installed correctly and its files are present in /usr/share/ca-certificates/mozilla/ a call to "update-ca-certificates -f" should restore the symlinks in /etc/ssl/certs and generate the bundle. If that doesn't help some strategic print commands in the script are needed :-)
http://bugzilla.novell.com/show_bug.cgi?id=594501#c6
--- Comment #6 from Vincent Untz
> Provided the package installed correctly and its files are present in /usr/share/ca-certificates/mozilla/ a call to "update-ca-certificates -f" should restore the symlinks in /etc/ssl/certs and generate the bundle. If that doesn't help some strategic print commands in the script are needed :-)

There are files in /usr/share/ca-certificates/mozilla/, but "update-ca-certificates -f" doesn't generate a bundle. Looking at the code, I don't even see which part is supposed to generate a bundle, so, hrm, where should I put my print statements? :-)
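The thread turns on two things: a gnutls-based program (comment #3) cannot use the /etc/ssl/certs directory and needs a single concatenated file, and comments #5 and #6 cannot find the step that produces that file. The script below is an added illustration of what such a bundle-generation step does; it is not the update-ca-certificates script from the ca-certificates package, and the function names, the atomic temp-file-then-rename write and the per-file marker check are this example's own choices. It assumes a directory of PEM files (symlinks included), which is what /etc/ssl/certs looks like after the symlinks are restored.

```shell
#!/bin/sh
# Added example, not the ca-certificates package's own script: build a
# single-file CA bundle from a directory of PEM certificates (the form a
# gnutls program can load) and report how many certificates went into it.
# Assumed layout: CERT_DIR contains *.pem files, each holding one or more
# "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" blocks.

# count_certs FILE: print the number of PEM certificate blocks in FILE.
# grep -c prints 0 (and exits 1) when nothing matches, hence "|| true".
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true
}

# build_bundle CERT_DIR BUNDLE: concatenate every *.pem in CERT_DIR into
# BUNDLE and print the number of certificates written. The bundle is
# assembled in a temp file and renamed into place, so a reader never sees
# a half-written bundle. A file whose BEGIN/END markers don't pair up is
# skipped with a warning on stderr instead of corrupting the whole bundle.
build_bundle() {
    dir=$1
    bundle=$2
    tmp="$bundle.tmp.$$"
    total=0
    : > "$tmp"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue        # no *.pem at all: the glob stays literal
        begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
        ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
        if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
            echo "skipping $f: $begins BEGIN / $ends END markers" >&2
            continue
        fi
        # Copy only the PEM blocks; comments or text outside them are dropped.
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$f" >> "$tmp"
        total=$((total + begins))
    done
    mv "$tmp" "$bundle"
    chmod 644 "$bundle"
    echo "$total"
}

# Example invocation, commented out so the file can be sourced for testing:
# build_bundle /etc/ssl/certs /etc/ssl/ca-bundle.pem
```

A quick sanity check after running it is to compare the number printed with `count_certs` on the resulting bundle and with the number of entries in the source directory; a mismatch points at a file that was skipped, which is exactly the place to put the "strategic print commands" the thread mentions.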
http://bugzilla.novell.com/show_bug.cgi?id=594501#c7
--- Comment #7 from Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=594501#c8
--- Comment #8 from Vincent Untz
http://bugzilla.novell.com/show_bug.cgi?id=594501#c9
--- Comment #9 from Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=594501#c10
--- Comment #10 from Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=594501#c11
--- Comment #11 from Bernhard Wiedemann