On Sat, Feb 23, 2019 at 03:14:43PM -0600, Bruce Dubbs via blfs-support wrote:
> On 2/23/19 2:55 PM, Douglas R. Reno via blfs-support wrote:
> >
> > On 2/23/19 2:52 PM, Bruce Dubbs via blfs-support wrote:
> > > On 2/23/19 2:38 PM, Douglas R. Reno via blfs-support wrote:
> > > >
> > > > On 2/23/19 2:35 PM, Bruce Dubbs via blfs-support wrote:
> > > > > On 2/23/19 1:59 PM, DJ Lucas via blfs-support wrote:
> > > > > >
> > > > > > On 2/23/2019 3:54 AM, Ken Moffat wrote:
> > > > > > > On Sat, Feb 23, 2019 at 09:32:18AM +0000, DJ Lucas
> > > > > > > via blfs-support wrote:
> > > > > > >
> > > > > > > But, looking at the contents: clearly wget has failed.
> > > > > > >
> > > > > > > -rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_1_root.pem
> > > > > > > -rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_3_root.pem
> > > > > > >
> > > > > > Is there something more pertinent out there? In addition to those, I
> > > > > > install the US military CAs and intermediates, but that's a mess of 111
> > > > > > certificates and a nasty script in and of itself (I just cleaned it up
> > > > > > and pushed it to
> > > > > > http://www.linuxfromscratch.org/~dj/get-us-gov-certs.sh
> > > > > > if anybody needs them). I think we should just drop the example
> > > > > > altogether, and leave the instructions in the man page. I figure for
> > > > > > better than 99% of our users, the Mozilla CAs are sufficient. Only a
> > > > > > handful of users would want to do overrides or append for local use
> > > > > > cases. Even Windows domains (if named properly) can use LE certs.
> > > > > >
> > > > > > Any objections?
> > > > >
> > > > > I'm not sure I understand the issue. I've used the current
> > > > > instructions on my workstation, development system, and just
> > > > > yesterday on my laptop without problem.
> > > > >
> > > > > In the dependencies, we might want to add wget.
> > > > >

As the person who had this problem, and who initially thought I
could build p11-kit after make-ca (until I realised I was running
make-ca at the end of the install and didn't have the trust program)
by the time I hit this I had built:

which
sqlite
libunistring
libidn2
wget
libtasn1
p11-kit

And as shown above, the files had a length of zero.

DOH! My fault. Adding >> to capture output in the log is why I got
all the details in the log and that was INSTEAD of writing them to
the pem file.

Sorry for wasting everyone's time.

> > > > >
> > > > > I have had a problem with p11 configuration.
> > > > > We now have
> > > > >
> > > > > if [ -e /usr/lib/libnssckbi.so ]; then
> > > > >   readlink /usr/lib/libnssckbi.so ||
> > > > >   rm -fv /usr/lib/libnssckbi.so &&
> > > > >   ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
> > > > > fi
> > > > >
> > > > > I think this could be replaced by just:
> > > > >
> > > > > ln -sfvn ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
> > > > >
> > > > > -- Bruce
> > > >
> > > > The problematic instructions in question reside in this block:
> > > >
> > > > install -vdm755 /etc/ssl/local &&
> > > > wget http://www.cacert.org/certs/root.crt &&
> > > > wget http://www.cacert.org/certs/class3.crt &&
> > > > openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
> > > >         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> > > >         > /etc/ssl/local/CAcert_Class_1_root.pem &&
> > > > openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
> > > >         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> > > >         > /etc/ssl/local/CAcert_Class_3_root.pem
> > > >
> > > > They seem to cause problems and are confusing. They also seem to
> > > > be unnecessary. All I run is 'make install && make-ca -g' when I
> > > > need to install this package. It seems those instructions were
> > > > part of Ken's problem.
> > >
> > > What is confusing?
> > >
> > > Create a directory.
> > > Download two files.
> > > Run openssl twice to create two X.509 certificates and place them in
> > > the created directory.
> > >
> > > The only issue I see is that a user may blindly try to run the
> > > commands without wget installed as it is not mentioned in the
> > > dependencies.
> > >
> > > -- Bruce
> > >
> >
> > As far as I know, they don't work. My suggestion to Ken (which worked)
> > was to do the following:
> >
> > mv -v /etc/ssl/local{,.old}
> >
> > make install
> >
> > make-ca -g --force
> >
> > And it works properly for him now.
> > I think the example here should've been placed in a Configuration
> > Information section.
>
> Why force on an initial install? Otherwise, putting the section being
> discussed in the configuration section is fine with me.
>
> -- Bruce
>
> --
> http://lists.linuxfromscratch.org/listinfo/blfs-support
> FAQ: http://www.linuxfromscratch.org/blfs/faq.html
> Unsubscribe: See the above information page

--
The beauty of reading a page of de Selby is that it leads one
inescapably to the conclusion that one is not, of all nincompoops,
the greatest.
    -- du Garbandier
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
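
The failure described in this thread (zero-length files left in /etc/ssl/local after the openssl output was redirected elsewhere) can be caught with a check on the directory before make-ca is run. The following is an added example, not part of the thread or of make-ca; the function name check_local_anchors and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report local trust anchors that are
# empty or contain no PEM certificate block. check_local_anchors is a
# hypothetical helper name.
check_local_anchors() {
    dir=$1
    bad=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue              # glob matched nothing
        if [ ! -s "$f" ]; then
            # Zero-length file: the redirect never received openssl's output.
            echo "EMPTY $f"
            bad=1
        elif ! grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----$' "$f" ||
             ! grep -Eq '^-----END (TRUSTED )?CERTIFICATE-----$' "$f"; then
            # Non-empty, but no complete PEM block (for example, log text).
            echo "NO-PEM $f"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample directory standing in for /etc/ssl/local.
demo=$(mktemp -d)
: > "$demo/CAcert_Class_1_root.pem"
printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' \
    'Q09OU1RSVUNURUQ=' \
    '-----END TRUSTED CERTIFICATE-----' > "$demo/CAcert_Class_3_root.pem"
check_local_anchors "$demo" || echo "fix the files listed above first"
rm -rf "$demo"
```

The marker check only shows that a PEM block is present; `openssl x509 -noout -in FILE` additionally confirms that the certificate parses.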
