On 2/23/19 2:52 PM, Bruce Dubbs via blfs-support wrote:
On 2/23/19 2:38 PM, Douglas R. Reno via blfs-support wrote:
On 2/23/19 2:35 PM, Bruce Dubbs via blfs-support wrote:
On 2/23/19 1:59 PM, DJ Lucas via blfs-support wrote:
On 2/23/2019 3:54 AM, Ken Moffat wrote:
On Sat, Feb 23, 2019 at 09:32:18AM +0000, DJ Lucas via
blfs-support wrote:
On 2/23/2019 3:14 AM, Ken Moffat via blfs-support wrote:
I had a reply off-list suggesting that I try without the local cert
directory. So I renamed that, and retried. Running make-ca -g
succeeded but told me that the certs were up to date. Running
make-ca
-f succeeded, the final output was: Certificate: Global Chambersign
Root - 2008 Keyhash: 0c4c9b6c Added to p11-kit anchor directory
with
trust 'C,C,'. Extracting OpenSSL certificates to
/etc/ssl/certs...Done! Extracting GNUTLS server auth
certificates to
/etc/pki/tls/certs/ca-bundle.crt...Done! Extracting GNUTLS S-Mime
certificates to /etc/pki/tls/certs/email-ca-bundle.crt...Done!
Extracting GNUTLS code signing certificates to
/etc/pki/tls/certs/objsign-ca-bundle.crt...Done! Extracting Java
cacerts (JKS) to /etc/pki/tls/java/cacerts...Done! And running
links
to an https: site from chroot now works. I'll keep this around
for a
bit in case you are replying to my earlier reply, but I need to
sort
out some food, then I'll probably go shopping and then wind down
and
go to bed.
Bad cert in the /etc/ssl/local directory caused that to cascade like
that? I can't see how, but I'll have to figure it out. If you
still have
it around and it's not too much trouble (and nothing private in
/etc/ssl/local), could you tar up the contents and send, or is it
just
the example cacert.org certs?
--DJ
I don't have any current use for local certs, I was just trying to
follow the book. Maybe something in what I thought I had copied
from the book is wrong. So here is the commented-out part. KM_LOG
points to my log for this package, and apologies if I've mis-pasted
or failed to update this and wasted your time.
#install -vdm755 /etc/ssl/local >$KM_LOG 2>&1
#wget http://www.cacert.org/certs/root.crt >>$KM_LOG 2>&1
#wget http://www.cacert.org/certs/class3.crt >>$KM_LOG 2>&1
#openssl x509 -in root.crt -text -fingerprint -setalias "CAcert
Class 1 root" \
# -addtrust serverAuth -addtrust emailProtection -addtrust
codeSigning \
# > /etc/ssl/local/CAcert_Class_1_root.pem >>$KM_LOG 2>&1
#openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert
Class 3 root" \
# -addtrust serverAuth -addtrust emailProtection -addtrust
codeSigning \
# > /etc/ssl/local/CAcert_Class_3_root.pem >>$KM_LOG 2>&1
But, looking at the contents: clearly wget has failed.
-rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_1_root.pem
-rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_3_root.pem
Is there something more pertinent out there? In addition to those, I
install the US military CAs and intermediates, but that's a mess of
111
certificates and a nasty script in and of itself (I just cleaned it up
and pushed it to
http://www.linuxfromscratch.org/~dj/get-us-gov-certs.sh
if anybody needs them). I think we should just drop the example all
together, and leave the instructions in the man page. I figure for
better than 99% of our users, the Mozilla CAs are sufficient. Only a
handful of users would want to do overrides or append for local use
cases. Even Windows domains (if named properly) can use LE certs.
Any objections?
I'm not sure I understand the issue. I've used the current
instructions on my workstation, development system, and just
yesterday on my laptop without problem.
In the dependencies, we might want to add wget.
I have had a problem with p11 configuration. We now have
if [ -e /usr/lib/libnssckbi.so ]; then
readlink /usr/lib/libnssckbi.so ||
rm -fv /usr/lib/libnssckbi.so &&
ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
fi
I think this could be replaced by just:
ln -sfvn ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
-- Bruce
The problematic instructions in question reside in this block:
install -vdm755 /etc/ssl/local &&
wgethttp://www.cacert.org/certs/root.crt &&
wgethttp://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class
1 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust
codeSigning \
> /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert
Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust
codeSigning \
> /etc/ssl/local/CAcert_Class_3_root.pem
They seem to cause problems and are confusing. They also seem to be
unnecessary. All I run is 'make install && make-ca -g' when I need to
install this package. It seems those instructions were part of Ken's
problem.
What is confusing?
Create a directory.
Download two files.
Run openssl twice to create two X.509 certificates and place them in
the created directory.
The only issue I see is that a user may blindly try to run the
commands without wget installed as is is not mentioned in the
dependencies.
-- Bruce
As far as I know, they don't work. My suggestion to Ken (which worked)
was to do the following:
mv -v /etc/ssl/local{,.old}
make install
make-ca -g --force
And it works properly for him now. I think the example here should've
been placed in a Configuration Information section.
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
