Re: [blfs-dev] Certificate updating

2018-09-02 Thread Brendan L via blfs-dev
On Sun, Sep 2, 2018 at 4:13 AM, DJ Lucas  wrote:
>
> Finally added this in git version. Sorry it took me so long.
>

No problem, by the way I also had to add the same to
update-pciids.service and update-usbids.service.

>
> Please open yet another bug report with Debian to get that part fixed
> properly. :-) I'm kidding. Debian has had a slightly broken setup for
> several years now, not that we didn't at one time either, but I imagine it's
> a much more difficult problem to solve for them - quite a few more packages
> - coordination would be a royal pain.
>
> Anyway, with current make-ca, you don't want it there before the script
> completes (so the directory is overwritten each time). I can't do this for
> LFS proper, but if you can commit to never running 'openssl c-rehash' on the
> directory manually, a suitable workaround is to simply add the following
> line to the end of the /usr/sbin/make-ca script (or really, anywhere after
> c_rehash is run in that script):
> ln -s ../ca-bundle.crt "${DESTDIR}${CERTDIR}/ca-certificates.crt"
>
> I'll be ditching c_rehash in the next version of that script (0.9), but
> p11-kit does the same thing with the directory in our use case (overwrite).
> Same workaround should be good, however, it must be moved to just before the
> last "fi" in the 0.9 version of make-ca, which should land in the
> development BLFS in a couple of days.
>
> HTH
>
>

Thanks for the info, that should definitely help with my use case.
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page


Re: [blfs-dev] Certificate updating

2018-09-02 Thread DJ Lucas via blfs-dev



On 02/13/2018 03:35 PM, Brendan L wrote:

> Hey, I think I've spotted an issue with the update-pki.service file in
> the make-ca package.  On my system the update would always fail, when
> looking at my logs it was because it would try to run before I had a
> network connection.  My solution after reading this:
>
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
> Change this:
>
> After=local-fs.target
> Before=shutdown.target
>
> To this:
>
> After=local-fs.target network-online.target
> Before=shutdown.target
> Wants=network-online.target


Finally added this in git version. Sorry it took me so long.



> Another issue I have, and might be something blfs doesn't support, is
> when updating the certificates it deletes my
> /etc/ssl/certs/ca-certificates.crt link to ca-bundle.crt.  I need that
> link because steam requires it.  Not a huge deal, just annoying to
> have to remember to recreate it when it's deleted.


Please open yet another bug report with Debian to get that part fixed 
properly. :-) I'm kidding. Debian has had a slightly broken setup for 
several years now, not that we didn't at one time either, but I imagine 
it's a much more difficult problem to solve for them - quite a few more 
packages - coordination would be a royal pain.


Anyway, with current make-ca, you don't want it there before the script 
completes (so the directory is overwritten each time). I can't do this 
for LFS proper, but if you can commit to never running 'openssl 
c-rehash' on the directory manually, a suitable workaround is to simply 
add the following line to the end of the /usr/sbin/make-ca script (or 
really, anywhere after c_rehash is run in that script):

ln -s ../ca-bundle.crt "${DESTDIR}${CERTDIR}/ca-certificates.crt"

I'll be ditching c_rehash in the next version of that script (0.9), but 
p11-kit does the same thing with the directory in our use case 
(overwrite). Same workaround should be good, however, it must be moved 
to just before the last "fi" in the 0.9 version of make-ca, which should 
land in the development BLFS in a couple of days.


HTH

--DJ
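
Added example, not part of the original thread and not make-ca's own code: a guarded, idempotent form of the symlink step discussed above, for use after the certificate directory has been regenerated. The helper name ensure_ca_link, its return codes and the temporary demo layout are assumptions made for illustration; the relative target ../ca-bundle.crt is the one given in the message.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from make-ca).
# Usage: ensure_ca_link CERTDIR [TARGET]
#   CERTDIR  directory the update regenerates, e.g. /etc/ssl/certs
#   TARGET   link target relative to CERTDIR (default: ../ca-bundle.crt)
# Returns: 0 link present or created, 1 bundle missing/empty,
#          2 a non-symlink already occupies the link name.
ensure_ca_link() {
    certdir=$1
    target=${2:-../ca-bundle.crt}
    link="$certdir/ca-certificates.crt"

    # Never point TLS clients at a bundle that is absent or empty.
    if [ ! -s "$certdir/$target" ]; then
        echo "ensure_ca_link: $certdir/$target missing or empty" >&2
        return 1
    fi
    # A regular file here came from something else; do not clobber it.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "ensure_ca_link: $link is not a symlink, leaving it" >&2
        return 2
    fi
    # Already correct: nothing to do, so repeated runs are harmless.
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
        return 0
    fi
    # -f replaces a stale or dangling link; -n does not follow an existing one.
    ln -sfn "$target" "$link"
}

# Constructed demo layout in a temporary directory (no system paths touched).
demo_ca_link() {
    root=$(mktemp -d)
    mkdir -p "$root/ssl/certs"
    echo "constructed placeholder bundle" > "$root/ssl/ca-bundle.crt"
    ensure_ca_link "$root/ssl/certs" &&
        readlink "$root/ssl/certs/ca-certificates.crt"
    rm -rf "$root"
}

demo_ca_link
```

A non-zero return leaves the directory untouched, so a failed or partial certificate update is not hidden behind a link to a stale or empty bundle.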



Re: [blfs-dev] Certificate updating

2018-02-14 Thread DJ Lucas
On February 13, 2018 3:35:18 PM CST, Brendan L  wrote:
>Hey, I think I've spotted an issue with the update-pki.service file in
>the make-ca package.  On my system the update would always fail, when
>looking at my logs it was because it would try to run before I had a
>network connection.  My solution after reading this:
>
>https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
>Change this:
>
>After=local-fs.target
>Before=shutdown.target
>
>To this:
>
>After=local-fs.target network-online.target
>Before=shutdown.target
>Wants=network-online.target
>
>Another issue I have, and might be something blfs doesn't support, is
>when updating the certificates it deletes my
>/etc/ssl/certs/ca-certificates.crt link to ca-bundle.crt.  I need that
>link because steam requires it.  Not a huge deal, just annoying to
>have to remember to recreate it when it's deleted.

I'll get a look at it tonight. Thanks for the report.