On November 1, 2018 9:11:49 PM CDT, Ken Moffat via blfs-dev <blfs-dev@lists.linuxfromscratch.org> wrote:
>At last, I've found out *what* was telling me that update-leap (from
>ntp) was telling me to install Mozilla::CA because it could not find
>the system's certificates. And no, it was not LWP-Protocol-https -
>the deps listed in update-leap are technically correct.
>
>The item in question is HTTP::Tiny which ntp still claims is an
>external module, but has been part of core perl since at least
>5.14.1 (the oldest log I have on this machine). And there, the code
>says:
>
>    # cert list copied from golang src/crypto/x509/root_unix.go
>    foreach my $ca_bundle (
>        "/etc/ssl/certs/ca-certificates.crt",     # Debian/Ubuntu/Gentoo etc.
>        "/etc/pki/tls/certs/ca-bundle.crt",       # Fedora/RHEL
>        "/etc/ssl/ca-bundle.pem",                 # OpenSUSE
>        "/etc/openssl/certs/ca-certificates.crt", # NetBSD
>        "/etc/ssl/cert.pem",                      # OpenBSD
>        "/usr/local/share/certs/ca-root-nss.crt", # FreeBSD/DragonFly
>        "/etc/pki/tls/cacert.pem",                # OpenELEC
>        "/etc/certs/ca-certificates.crt",         # Solaris 11.2+
>    ) {
>        return $ca_bundle if -e $ca_bundle;
>    }
>
>    die qq/Couldn't find a CA bundle with which to verify the SSL certificate.\n/
>      . qq/Try installing Mozilla::CA from CPAN\n/;
>}
>
>This looks very like the code I was planning to change in biber if I
>could get rid of Mozilla::CA. So, rather than hack on core perl
>(and therefore leave it broken for people who have not made the
>change), I propose to do something like
>
>mkdir -pv /etc/pki/tls/certs
>ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
>
>(on the certs page: we already create /etc/pki/)
>
>And if that works (far too late for me to test it at the moment) I
>think we can just drop Mozilla::CA.
>
>I'm sure DJ will understand why I want to drop Mozilla::CA, but for
>everyone else - Mozilla update their certificates regularly (in
>particular, dropping trust), plus clever people can add other
>certificates locally.
>The Mozilla::CA perl module was last updated
>in January, so it is well out of date and only gets used as a
>fallback because that is convenient for CPAN - really, we should
>always prefer the system's certificates.
>
>Or, am I again "too far out, and not waving but drowning"? If so,
>please advise soonest.
>
>ĸen
>--
> Is it about a bicycle ?
>--
>http://lists.linuxfromscratch.org/listinfo/blfs-dev
>FAQ: http://www.linuxfromscratch.org/blfs/faq.html
>Unsubscribe: See the above information page
Nope, sounds about perfect. I have a slight preference to /etc/ssl/ca-bundle.pem without looking at it on a live system, but wherever works if it's clean. Just as long as you don't put a regular cert in /etc/ssl/certs/ (Debian's setup), all good.

-- 
DJ

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
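The probe loop Ken quotes and the symlink he proposes, as an added shell example that is not part of the thread and not BLFS or ntp code. `find_ca_bundle` walks the same eight paths HTTP::Tiny checks with `-e`, and `link_ca_bundle` applies the proposed `mkdir`/`ln` step. Both take a hypothetical `ROOT` prefix (an assumption for this example, not something HTTP::Tiny has) so the logic can be exercised against a scratch tree instead of the live `/etc`. One practical caveat the example makes visible: `-e` follows symlinks, so if the link's target is missing the bundle is still "not found" and HTTP::Tiny will still ask for Mozilla::CA.

```shell
#!/bin/sh
# Added example (not from the thread). Mirrors HTTP::Tiny's CA bundle probe
# and the proposed BLFS symlink. ROOT is a hypothetical prefix used only so
# the functions can be run against a temporary directory tree.

# The candidate list HTTP::Tiny copied from golang src/crypto/x509/root_unix.go,
# in the same order, one path per line.
ca_candidates() {
  cat <<'EOF'
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/openssl/certs/ca-certificates.crt
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/pki/tls/cacert.pem
/etc/certs/ca-certificates.crt
EOF
}

# find_ca_bundle ROOT
# Print the first candidate that exists under ROOT and return 0, exactly as
# HTTP::Tiny's "return $ca_bundle if -e $ca_bundle" does. Return 1 if none
# exists, which is the case where HTTP::Tiny dies asking for Mozilla::CA.
# Note: -e follows symlinks, so a dangling link does not count as present.
find_ca_bundle() {
  fcb_root=${1:-}
  for fcb_path in $(ca_candidates); do
    if [ -e "$fcb_root$fcb_path" ]; then
      printf '%s\n' "$fcb_path"
      return 0
    fi
  done
  return 1
}

# link_ca_bundle ROOT SRC
# The proposed fix: make the Fedora/RHEL path from the list point at the
# bundle the system actually maintains (SRC, e.g. /etc/ssl/ca-bundle.crt).
link_ca_bundle() {
  lcb_root=${1:-}
  lcb_src=$2
  mkdir -p "$lcb_root/etc/pki/tls/certs"
  ln -sf "$lcb_src" "$lcb_root/etc/pki/tls/certs/ca-bundle.crt"
}

# Stand-alone use: report what HTTP::Tiny would pick on this machine.
find_ca_bundle "" || echo 'no CA bundle found at any HTTP::Tiny candidate path' >&2
```

On the live system, run `find_ca_bundle ""` before and after `link_ca_bundle "" /etc/ssl/ca-bundle.crt` (or DJ's preferred `/etc/ssl/ca-bundle.pem`, which is already on the list and needs no link). The end-to-end check is an HTTPS fetch through HTTP::Tiny with `verify_SSL => 1`; an explicit `SSL_options => { SSL_ca_file => ... }` bypasses the probe entirely if a link is not wanted. Note that HTTP::Tiny's `_find_CA_file` tries `require Mozilla::CA` before walking this list, so the symlink only comes into play once that module is absent, which fits the plan to drop it.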