On 2/23/19 9:38 PM, Douglas R. Reno via blfs-support wrote:
On 2/23/19 2:35 PM, Bruce Dubbs via blfs-support wrote:
On 2/23/19 1:59 PM, DJ Lucas via blfs-support wrote:
On 2/23/2019 3:54 AM, Ken Moffat wrote:
On Sat, Feb 23, 2019 at 09:32:18AM +0000, DJ Lucas via blfs-support wrote:
On 2/23/2019 3:14 AM, Ken Moffat via blfs-support wrote:
I had a reply off-list suggesting that I try without the local cert
directory. So I renamed that, and retried. Running make-ca -g
succeeded but told me that the certs were up to date. Running
make-ca -f succeeded, the final output was:

Certificate: Global Chambersign Root - 2008
Keyhash: 0c4c9b6c
Added to p11-kit anchor directory with trust 'C,C,'.
Extracting OpenSSL certificates to /etc/ssl/certs...Done!
Extracting GNUTLS server auth certificates to /etc/pki/tls/certs/ca-bundle.crt...Done!
Extracting GNUTLS S-Mime certificates to /etc/pki/tls/certs/email-ca-bundle.crt...Done!
Extracting GNUTLS code signing certificates to /etc/pki/tls/certs/objsign-ca-bundle.crt...Done!
Extracting Java cacerts (JKS) to /etc/pki/tls/java/cacerts...Done!

And running links to an https: site from chroot now works. I'll keep
this around for a bit in case you are replying to my earlier reply,
but I need to sort out some food, then I'll probably go shopping and
then wind down and go to bed.
Bad cert in the /etc/ssl/local directory caused that to cascade like
that? I can't see how, but I'll have to figure it out. If you still
have it around and it's not too much trouble (and nothing private in
/etc/ssl/local), could you tar up the contents and send, or is it just
the example cacert.org certs?
--DJ
I don't have any current use for local certs, I was just trying to
follow the book. Maybe something in what I thought I had copied
from the book is wrong. So here is the commented-out part. KM_LOG
points to my log for this package, and apologies if I've mis-pasted
or failed to update this and wasted your time.
#install -vdm755 /etc/ssl/local >$KM_LOG 2>&1
#wget http://www.cacert.org/certs/root.crt >>$KM_LOG 2>&1
#wget http://www.cacert.org/certs/class3.crt >>$KM_LOG 2>&1
#openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
#  -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
#  > /etc/ssl/local/CAcert_Class_1_root.pem >>$KM_LOG 2>&1
#openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
#  -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
#  > /etc/ssl/local/CAcert_Class_3_root.pem >>$KM_LOG 2>&1
But, looking at the contents: clearly wget has failed.
-rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_1_root.pem
-rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_3_root.pem
Is there something more pertinent out there? In addition to those, I
install the US military CAs and intermediates, but that's a mess of 111
certificates and a nasty script in and of itself (I just cleaned it up
and pushed it to
http://www.linuxfromscratch.org/~dj/get-us-gov-certs.sh
if anybody needs them). I think we should just drop the example
altogether, and leave the instructions in the man page. I figure for
better than 99% of our users, the Mozilla CAs are sufficient. Only a
handful of users would want to do overrides or append for local use
cases. Even Windows domains (if named properly) can use LE certs.
Any objections?
I'm not sure I understand the issue. I've used the current
instructions on my workstation, development system, and just
yesterday on my laptop without problem.
In the dependencies, we might want to add wget.
I have had a problem with p11 configuration. We now have
if [ -e /usr/lib/libnssckbi.so ]; then
readlink /usr/lib/libnssckbi.so ||
rm -fv /usr/lib/libnssckbi.so &&
ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
fi
I think this could be replaced by just:
ln -sfvn ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
-- Bruce
The problematic instructions in question reside in this block:
install -vdm755 /etc/ssl/local &&
wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_3_root.pem
They seem to cause problems and are confusing. They also seem to be
unnecessary. All I run is 'make install && make-ca -g' when I need to
install this package. It seems those instructions were part of Ken's
problem.
Those instructions are clearly presented as an example, not as
instructions for building the package. And it is clearly stated that
wget is needed to run them. They have role="nodump" (I agree it is not
visible on the rendered book).
Recommending wget in the dependency section would create an unnecessary
circular dependency, since the CA certificates are needed by wget for
accessing https sites...
Pierre
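The cascade Ken hit came from 0-byte files in /etc/ssl/local. As an added example (not code from this thread, from make-ca or from the BLFS book), here is a small sh check that refuses to rebuild the trust stores while the local directory holds an empty, non-PEM or unparseable file; the check_local_certs and safe_make_ca names are my own, and openssl is used only when it is installed:

```shell
#!/bin/sh
# Added example, not code from the thread or from make-ca: sanity-check
# a make-ca local certificate directory before rebuilding the trust
# stores, so a 0-byte or non-certificate file (e.g. left behind by a
# failed download or a clobbered redirect) is reported here rather than
# surfacing as a confusing make-ca failure.

# check_local_certs [DIR]  (DIR defaults to /etc/ssl/local)
# Prints one line per file and returns 1 if any file is not a non-empty,
# parseable PEM certificate (plain or openssl "TRUSTED CERTIFICATE").
check_local_certs() {
    dir=${1:-/etc/ssl/local}
    bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: nothing to check
        if [ ! -s "$f" ]; then
            echo "EMPTY:       $f"
            bad=1
            continue
        fi
        # openssl x509 -addtrust writes a "TRUSTED CERTIFICATE" header
        if ! grep -Eq -- '-----BEGIN (TRUSTED )?CERTIFICATE-----' "$f"; then
            echo "NOT PEM:     $f"
            bad=1
            continue
        fi
        # With openssl available, make sure the file really parses and
        # show the subject so an unexpected certificate is easy to spot.
        if command -v openssl >/dev/null 2>&1; then
            if ! subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null); then
                echo "UNPARSEABLE: $f"
                bad=1
                continue
            fi
            echo "OK:          $f  $subj"
        else
            echo "OK (header): $f"
        fi
    done
    return $bad
}

# safe_make_ca [DIR]: only rebuild the trust stores when the local
# directory is clean (assumes make-ca is installed and we are root).
safe_make_ca() {
    check_local_certs "${1:-/etc/ssl/local}" || return 1
    make-ca -f
}
```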