On November 1, 2018 9:11:49 PM CDT, Ken Moffat via blfs-dev 
<blfs-dev@lists.linuxfromscratch.org> wrote:
>At last, I've found out *what* was telling me that update-leap (from
>ntp) was telling me to install Mozilla::CA because it could not find
>the system's certificates.  And no, it was not LWP-Protocol-https -
>the deps listed in update-leap are technically correct.
>
>The item in question is HTTP::Tiny which ntp still claims is an
>external module, but has been part of core perl since at least
>5.14.1 (the oldest log I have on this machine).  And there, the code
>says:
>
>    # cert list copied from golang src/crypto/x509/root_unix.go
>    foreach my $ca_bundle (
>        "/etc/ssl/certs/ca-certificates.crt",     # Debian/Ubuntu/Gentoo etc.
>        "/etc/pki/tls/certs/ca-bundle.crt",       # Fedora/RHEL
>        "/etc/ssl/ca-bundle.pem",                 # OpenSUSE
>        "/etc/openssl/certs/ca-certificates.crt", # NetBSD
>        "/etc/ssl/cert.pem",                      # OpenBSD
>        "/usr/local/share/certs/ca-root-nss.crt", # FreeBSD/DragonFly
>        "/etc/pki/tls/cacert.pem",                # OpenELEC
>        "/etc/certs/ca-certificates.crt",         # Solaris 11.2+
>    ) {
>        return $ca_bundle if -e $ca_bundle;
>    }
>
>    die qq/Couldn't find a CA bundle with which to verify the SSL certificate.\n/
>      . qq/Try installing Mozilla::CA from CPAN\n/;
>}
>
>This looks very like the code I was planning to change in biber if I
>could get rid of Mozilla::CA.  So, rather than hack on core perl
>(and therefore leave it broken for people who have not made the
>change), I propose to do something like
>
>mkdir -pv /etc/pki/tls/certs
>ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
>
>(on the certs page: we already create /etc/pki/)
>
>And if that works (far too late for me to test it at the moment) I
>think we can just drop Mozilla::CA.
>
>I'm sure DJ will understand why I want to drop Mozilla::CA, but for
>everyone else - Mozilla update their certificates regularly (in
>particular, dropping trust), plus clever people can add other
>certificates locally.  The Mozilla::CA perl module was last updated
>in January, so it is well out of date and only gets used as a
>fallback because that is convenient for CPAN - really, we should
>always prefer the system's certificates.
>
>Or, am I again "too far out, and not waving but drowning"?  If so,
>please advise soonest.
>
>ĸen
>-- 
>                        Is it about a bicycle ?
>-- 
>http://lists.linuxfromscratch.org/listinfo/blfs-dev
>FAQ: http://www.linuxfromscratch.org/blfs/faq.html
>Unsubscribe: See the above information page
>

Nope, sounds about perfect. I have a slight preference for 
/etc/ssl/ca-bundle.pem without looking at it on a live system, but wherever 
works if it's clean. Just as long as you don't put a regular cert in 
/etc/ssl/certs/ (Debian's setup), all good.

-- DJ

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
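An added example, not part of the thread: a POSIX shell script that mirrors the HTTP::Tiny search quoted above, so you can see which file Perl clients on a host will actually trust and count the certificates in the bundle that path (or the proposed symlink) resolves to. The optional ROOT prefix argument is an addition for inspecting a chroot or a test tree.

```shell
#!/bin/sh
# Added example (not HTTP::Tiny's or BLFS's code): replay the CA-bundle
# search Perl's HTTP::Tiny performs, then inspect what the winning path
# resolves to, e.g. after
#   ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt

# Same paths, same order, as HTTP::Tiny's candidate list.
CA_CANDIDATES="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/openssl/certs/ca-certificates.crt
/etc/ssl/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/pki/tls/cacert.pem
/etc/certs/ca-certificates.crt
"

# find_ca_bundle [ROOT]: print the first candidate that exists (Perl's `-e`,
# which follows symlinks, so a dangling link does not count); return 1 when
# none does, the case where HTTP::Tiny dies and suggests Mozilla::CA.
find_ca_bundle() {
    root="${1:-}"
    for p in $CA_CANDIDATES; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# count_certs FILE: number of PEM certificates in the file the path resolves
# to. 0 means the search "succeeds" but the client would trust nothing.
count_certs() {
    n=0
    if [ -f "$1" ]; then
        n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    fi
    echo "${n:-0}"
}

# Report for the live system (an `if` condition, so it is safe under set -e).
if bundle=$(find_ca_bundle); then
    echo "HTTP::Tiny would use $bundle ($(count_certs "$bundle") certificates)"
else
    echo "No CA bundle found: HTTP::Tiny would die and suggest Mozilla::CA"
fi
```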
