On 2018-11-02 02:11 +0000, Ken Moffat via blfs-dev wrote:
> At last, I've found out *what* was telling me that update-leap (from
> ntp) was telling me to install Mozilla::CA because it could not find
> the system's certificates.  And no, it was not LWP-Protocol-https -
> the deps listed in update-leap are technically correct.
> 
> The item in question is HTTP::Tiny which ntp still claims is an
> external module, but has been part of core perl since at least
> 5.14.1 (the oldest log I have on this machine).  And there, the code
> says:
> 
>    # cert list copied from golang src/crypto/x509/root_unix.go
>     foreach my $ca_bundle (
>         "/etc/ssl/certs/ca-certificates.crt",     # Debian/Ubuntu/Gentoo etc.
>         "/etc/pki/tls/certs/ca-bundle.crt",       # Fedora/RHEL
>         "/etc/ssl/ca-bundle.pem",                 # OpenSUSE
>         "/etc/openssl/certs/ca-certificates.crt", # NetBSD
>         "/etc/ssl/cert.pem",                      # OpenBSD
>         "/usr/local/share/certs/ca-root-nss.crt", # FreeBSD/DragonFly
>         "/etc/pki/tls/cacert.pem",                # OpenELEC
>         "/etc/certs/ca-certificates.crt",         # Solaris 11.2+
>     ) {
>         return $ca_bundle if -e $ca_bundle;
>     }
> 
>     die qq/Couldn't find a CA bundle with which to verify the SSL certificate.\n/
>       . qq/Try installing Mozilla::CA from CPAN\n/;
> }
> 
> This looks very like the code I was planning to change in biber if I
> could get rid of Mozilla::CA.  So, rather than hack on core perl
> (and therefore leave it broken for people who have not made the
> change), I propose to do something like
> 
> mkdir -pv /etc/pki/tls/certs
> ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt

I agree with that.  Go standard package crypto/x509 also suffers:

> package x509
> 
> // Possible certificate files; stop after finding one.
> var certFiles = []string{
>     "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
>     "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
>     "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
>     "/etc/pki/tls/cacert.pem",                           // OpenELEC
>     "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
> }

So I've already created a symlink like that.
-- 
Xi Ruoyao <[email protected]>
School of Aerospace Science and Technology, Xidian University
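
A way to check the result of the symlink discussed in this thread, as an added example that is not part of either message: it walks the two candidate lists quoted above (merged, in order) and reports the first path that resolves to a readable file containing at least one PEM certificate. The function name `find_ca_bundle` and its optional ROOT argument are hypothetical, chosen here so the check can also be pointed at a staging tree.

```shell
#!/bin/sh
# Added example, not from the thread. Candidate paths are the HTTP::Tiny
# and Go crypto/x509 lists quoted in the messages above, merged in order.
CA_CANDIDATES="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/openssl/certs/ca-certificates.crt
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/pki/tls/cacert.pem
/etc/certs/ca-certificates.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
"

# find_ca_bundle [ROOT]
# Print the first usable candidate under ROOT (default: the live system)
# and return 0; return 1 if no candidate is usable.
# ROOT is a hypothetical parameter for checking a chroot or staging tree.
find_ca_bundle() {
    root=${1:-}
    for p in $CA_CANDIDATES; do
        f="$root$p"
        # A symlink whose target is missing fails the -e test that the
        # quoted HTTP::Tiny code performs, so report it explicitly.
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "warning: dangling symlink: $f" >&2
            continue
        fi
        [ -f "$f" ] && [ -r "$f" ] || continue
        # The quoted code only tests existence; a file with no PEM
        # certificate in it would still leave the client without anchors.
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "$f"
            return 0
        fi
        echo "warning: no PEM certificate in: $f" >&2
    done
    return 1
}

# Usage: find_ca_bundle || echo "no usable CA bundle found" >&2
```

On a system where the bundle lives only at `/etc/ssl/ca-bundle.crt`, the function returns 1 until a link such as the one proposed above exists and its target is in place.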
