On 2/23/2019 3:54 AM, Ken Moffat wrote:
> On Sat, Feb 23, 2019 at 09:32:18AM +0000, DJ Lucas via blfs-support wrote:
>> On 2/23/2019 3:14 AM, Ken Moffat via blfs-support wrote:
>>> I had a reply off-list suggesting that I try without the local cert
>>> directory. So I renamed that, and retried. Running make-ca -g
>>> succeeded but told me that the certs were up to date. Running make-ca
>>> -f succeeded, the final output was:
>>>
>>> Certificate: Global Chambersign Root - 2008
>>> Keyhash: 0c4c9b6c
>>> Added to p11-kit anchor directory with trust 'C,C,'.
>>> Extracting OpenSSL certificates to /etc/ssl/certs...Done!
>>> Extracting GNUTLS server auth certificates to /etc/pki/tls/certs/ca-bundle.crt...Done!
>>> Extracting GNUTLS S-Mime certificates to /etc/pki/tls/certs/email-ca-bundle.crt...Done!
>>> Extracting GNUTLS code signing certificates to /etc/pki/tls/certs/objsign-ca-bundle.crt...Done!
>>> Extracting Java cacerts (JKS) to /etc/pki/tls/java/cacerts...Done!
>>>
>>> And running links to an https: site from chroot now works. I'll keep
>>> this around for a bit in case you are replying to my earlier reply,
>>> but I need to sort out some food, then I'll probably go shopping and
>>> then wind down and go to bed.
>> Bad cert in the /etc/ssl/local directory caused that to cascade like
>> that? I can't see how, but I'll have to figure it out. If you still have
>> it around and it's not too much trouble (and nothing private in
>> /etc/ssl/local), could you tar up the contents and send, or is it just
>> the example cacert.org certs?
>> --DJ
>>
> I don't have any current use for local certs, I was just trying to
> follow the book.  Maybe something in what I thought I had copied
> from the book is wrong.  So here is the commented-out part.  KM_LOG
> points to my log for this package, and apologies if I've mis-pasted
> or failed to update this and wasted your time.
>
>
> #install -vdm755 /etc/ssl/local >$KM_LOG 2>&1
> #wget http://www.cacert.org/certs/root.crt >>$KM_LOG 2>&1
> #wget http://www.cacert.org/certs/class3.crt >>$KM_LOG 2>&1
> #openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
> #        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> #        > /etc/ssl/local/CAcert_Class_1_root.pem >>$KM_LOG 2>&1
> #openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
> #        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> #        > /etc/ssl/local/CAcert_Class_3_root.pem >>$KM_LOG 2>&1
>
> But, looking at the contents: clearly wget has failed.
>
> -rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_1_root.pem
> -rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_3_root.pem
>
Is there something more pertinent out there? In addition to those, I
install the US military CAs and intermediates, but that's a mess of 111
certificates and a nasty script in and of itself (I just cleaned it up
and pushed it to http://www.linuxfromscratch.org/~dj/get-us-gov-certs.sh
if anybody needs them). I think we should just drop the example
altogether, and leave the instructions in the man page. I figure for
better than 99% of our users, the Mozilla CAs are sufficient. Only a
handful of users would want to do overrides or append for local use
cases. Even Windows domains (if named properly) can use LE certs.

Any objections?

--DJ
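An added example, not code from this thread, from make-ca or from the book: the quoted openssl commands carry two stdout redirections on one command line, `> /etc/ssl/local/...pem >>$KM_LOG`. A POSIX shell applies both in order, so the .pem is created and truncated and the certificate text then goes to the log; that alone yields the two 0-byte files listed above, whatever wget did. The script below uses a constructed stand-in for `openssl x509` (the function `fake_x509`, a hypothetical name, so it runs offline without OpenSSL), shows the broken and the corrected redirection side by side, and refuses to keep an output file that is empty or lacks a PEM trust header, so a bad file never lands in /etc/ssl/local.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates why
#   openssl x509 ... > /etc/ssl/local/foo.pem >>$KM_LOG 2>&1
# leaves a 0-byte .pem: with two stdout redirections on one command the
# shell opens (and truncates) both, but the LAST one wins.

# Constructed stand-in for "openssl x509 -in root.crt -text -fingerprint ...":
# emits a PEM-looking trust block on stdout and a diagnostic on stderr.
fake_x509() {
    printf 'Certificate:\n    Data: (constructed sample, not a real cert)\n'
    printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----'
    printf '%s\n' 'MIIB...constructed.base64.placeholder...'
    printf '%s\n' '-----END TRUSTED CERTIFICATE-----'
    printf 'fake_x509: diagnostic on stderr\n' >&2
}

# Broken form, exactly the redirection shape of the quoted commands.
# Prints the byte count of the resulting file (0 on any POSIX shell).
broken_capture() {
    out=$1; log=$2
    fake_x509 > "$out" >> "$log" 2>&1
    wc -c < "$out" | tr -d ' '
}

# Corrected form: stdout goes to the target file only, stderr is appended
# to the log. Returns 0 only if the file is non-empty and carries a PEM
# trust header; otherwise the partial file is removed so it cannot be
# picked up as a trust anchor later.
safe_capture() {
    out=$1; log=$2
    fake_x509 > "$out" 2>> "$log" || { rm -f "$out"; return 1; }
    if ! [ -s "$out" ]; then
        echo "refusing empty output: $out" >> "$log"
        rm -f "$out"
        return 1
    fi
    if ! grep -q 'BEGIN TRUSTED CERTIFICATE' "$out"; then
        echo "no PEM trust header in: $out" >> "$log"
        rm -f "$out"
        return 1
    fi
    return 0
}

# Real use would replace fake_x509 with the thread's own command, keeping
# the single stdout redirection (assumption: root.crt was downloaded and
# its fingerprint checked against an out-of-band source first):
#   openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
#       -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
#       > /etc/ssl/local/CAcert_Class_1_root.pem 2>>"$KM_LOG"
```

Run it with a scratch directory: `broken_capture /tmp/t/broken.pem /tmp/t/log` prints `0`, while `safe_capture /tmp/t/good.pem /tmp/t/log` returns 0 and leaves a non-empty file whose header make-ca would recognise; the stderr diagnostic from both runs ends up in the log, which is what the `>>$KM_LOG 2>&1` tail was meant to achieve.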



-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
