[opensuse-factory] ca-certificates not required, unusable package manager by default
Hi:

Something must hard require ca-certificates for the package manager to be functional by default. It is libcrypto that ends up *using* the package, but any application that calls SSL_CTX_set_default_verify_paths will need it. Before just sticking a "Requires: ca-certificates" to the libopenssl package I want to know if this is intentional to force calling applications to require the package in question or is simply an oversight.

Reproduce with:

  zypper --root=/var/lib/machines/tumbleweed ar -c https://download.opensuse.org/tumbleweed/repo/oss tumbleweed
  zypper --root=/var/lib/machines/tumbleweed refresh
  zypper --root=/var/lib/machines/tumbleweed install --no-recommends systemd shadow zypper openSUSE-release vim
  systemd-nspawn -M tumbleweed passwd root
  systemd-nspawn -M tumbleweed -b

  zypper ref
  Download (curl) error for 'https://download.opensuse.org/tumbleweed/repo/oss/repodata/repomd.xml':
  Error code: Curl error 60
  Error message: SSL certificate problem: unable to get local issuer certificate

  Abort, retry, ignore? [a/r/i/...? shows all options] (a)

Cheers.

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 10/25/18 6:15 PM, Cristian Rodríguez wrote:
Something must hard require ca-certificates for the package manager to be functional by default. It is libcrypto that ends up *using* the package, but any application that calls SSL_CTX_set_default_verify_paths will need it.
I also noticed a change with that: Basically it broke my Python scripts using libldap setting a separate trusted CA cert via env var LDAPTLS_CACERT (see ldap.conf(5), section "ENVIRONMENT VARIABLES"). As a work-around I'm now setting the trusted CA cert within the Python script via ldap_setoption().

I consider this a serious bug. Unfortunately my attempts to track this down did not end with concrete results. Not even enough to write a bug report.

Ciao, Michael.
Cristian Rodríguez schrieb:
Something must hard require ca-certificates for the package manager to be functional by default. It is libcrypto that ends up *using* the package, but any application that calls SSL_CTX_set_default_verify_paths will need it. Before just sticking a "Requires: ca-certificates" to the libopenssl package I want to know if this is intentional to force calling applications to require the package in question or is simply an oversight.
ca-certificates doesn't include any certificates. So requiring it won't have the desired effect. ca-certificates recommends ca-certificates-mozilla which includes the recommended set of root CA certs. But then libopenssl1_1* already recommends ca-certificates-mozilla too so noop again.

ca-certificates-mozilla is not hard required anywhere as appliances or containers may want to operate with a different set of CA certs. IOW if you install with --no-recommends you better know what you are doing. Looks like you spent some thought on deciding that "systemd shadow zypper openSUSE-release vim" is sufficient for your use case, intentionally left out ca-certificates-mozilla and yet used https for the repo. You have to decide what you want :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
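A pre-flight check for the situation the thread describes (a --root tree installed with --no-recommends, so without ca-certificates-mozilla, then zypper over https), added here as an example and not code from the thread or from openSUSE; it assumes the trust-store locations /var/lib/ca-certificates/pem and /etc/ssl/certs.

```shell
#!/bin/sh
# Pre-flight check for a --root / systemd-nspawn tree before running zypper
# over https: is there any trusted root CA in the tree's trust store?
# Added example, not from the thread. The openSUSE locations below
# (/var/lib/ca-certificates/pem, /etc/ssl/certs) are assumed defaults.

# count_pem_certs PATH
# Prints the number of PEM certificate blocks under PATH: a directory is
# scanned one level deep (symlinks followed, so a linked /etc/ssl/certs
# works), a bundle file counts every embedded certificate.
count_pem_certs() {
    target=$1
    if [ -d "$target" ]; then
        find -L "$target" -maxdepth 1 -type f \
            \( -name '*.pem' -o -name '*.crt' \) -exec cat {} + 2>/dev/null \
            | grep -c -- '-----BEGIN CERTIFICATE-----' || true
    elif [ -f "$target" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$target" || true
    else
        echo 0
    fi
}

# check_trust_store ROOT
# Returns 0 when ROOT has at least one CA certificate in its trust store,
# 1 when the store is empty, which is exactly the state that makes curl
# fail with error 60 ("unable to get local issuer certificate").
check_trust_store() {
    root=${1%/}
    for dir in "$root/var/lib/ca-certificates/pem" "$root/etc/ssl/certs"; do
        n=$(count_pem_certs "$dir")
        if [ "$n" -gt 0 ]; then
            echo "$n CA certificate(s) in $dir"
            return 0
        fi
    done
    echo "no CA certificates under $root: https repos will fail (curl error 60)" >&2
    echo "install ca-certificates-mozilla, or a package shipping only the CAs you trust" >&2
    return 1
}

# Stand-alone use: ./check-trust-store.sh /var/lib/machines/tumbleweed
if [ "$#" -gt 0 ]; then
    check_trust_store "$1"
fi
```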
On 10/26/18 9:51 AM, Ludwig Nussel wrote:
Cristian Rodríguez schrieb:
Something must hard require ca-certificates for the package manager to be functional by default,
IOW if you install with --no-recommends you better know what you are doing. Looks like you spent some thought on deciding that "systemd shadow zypper openSUSE-release vim" is sufficient for your use case, intentionally left out ca-certificates-mozilla and yet used https for the repo. You have to decide what you want :-)
In my case I'm using HTTPS with zypper but without the hundreds of "trusted" certs in ca-certificates-mozilla. I'd be glad if there were a global easy-to-use option for a trusted root CA file somewhere in /etc/zypp/zypp*.conf.

Ciao, Michael.
On Fri, Oct 26, 2018 at 01:52:49PM +0200, Michael Ströder wrote:
On 10/26/18 9:51 AM, Ludwig Nussel wrote:
Cristian Rodríguez schrieb:
Something must hard require ca-certificates for the package manager to be functional by default,
IOW if you install with --no-recommends you better know what you are doing. Looks like you spent some thought on deciding that "systemd shadow zypper openSUSE-release vim" is sufficient for your use case, intentionally left out ca-certificates-mozilla and yet used https for the repo. You have to decide what you want :-)
In my case I'm using HTTPS with zypper but without the hundreds of "trusted" certs in ca-certificates-mozilla.
I'd be glad if there would be a global easy-to-use option for a trusted root CA file somewhere in /etc/zypp/zypp*.conf.
You could have root-cert packages with single certs only you want, see e.g. ca-certificates-cacert as example.

Ciao, Marcus