Re: [blfs-dev] Certificate updating
On Sun, Sep 2, 2018 at 4:13 AM, DJ Lucas wrote:
>
> Finally added this in git version. Sorry it took me so long.
>

No problem. By the way, I also had to add the same to
update-pciids.service and update-usbids.service.

>
> Please open yet another bug report with Debian to get that part fixed
> properly. :-) I'm kidding. Debian has had a slightly broken setup for
> several years now, not that we didn't at one time either, but I imagine it's
> a much more difficult problem to solve for them - quite a few more packages
> - coordination would be a royal pain.
>
> Anyway, with current make-ca, you don't want it there before the script
> completes (so the directory is overwritten each time). I can't do this for
> LFS proper, but if you can commit to never running 'openssl c-rehash' on the
> directory manually, a suitable workaround is to simply add the following
> line to the end of the /usr/sbin/make-ca script (or really, anywhere after
> c_rehash is run in that script):
>
> ln -s ../ca-bundle.crt "${DESTDIR}${CERTDIR}/ca-certificates.crt"
>
> I'll be ditching c_rehash in the next version of that script (0.9), but
> p11-kit does the same thing with the directory in our use case (overwrite).
> Same workaround should be good, however, it must be moved to just before the
> last "fi" in the 0.9 version of make-ca, which should land in the
> development BLFS in a couple of days.
>
> HTH
>

Thanks for the info, that should definitely help with my use case.

--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
Re: [blfs-dev] Certificate updating
On 02/13/2018 03:35 PM, Brendan L wrote:
> Hey, I think I've spotted an issue with the update-pki.service file in
> the make-ca package. On my system the update would always fail, when
> looking at my logs it was because it would try to run before I had a
> network connection. My solution after reading this:
>
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
> Change this:
>
> After=local-fs.target
> Before=shutdown.target
>
> To this:
>
> After=local-fs.target network-online.target
> Before=shutdown.target
> Wants=network-online.target

Finally added this in git version. Sorry it took me so long.

> Another issue I have, and might be something blfs doesn't support, is
> when updating the certificates it deletes my
> /etc/ssl/certs/ca-certificates.crt link to ca-bundle.crt. I need that
> link because steam requires it. Not a huge deal, just annoying to
> have to remember to recreate it when it's deleted.

Please open yet another bug report with Debian to get that part fixed
properly. :-) I'm kidding. Debian has had a slightly broken setup for
several years now, not that we didn't at one time either, but I imagine it's
a much more difficult problem to solve for them - quite a few more packages
- coordination would be a royal pain.

Anyway, with current make-ca, you don't want it there before the script
completes (so the directory is overwritten each time). I can't do this for
LFS proper, but if you can commit to never running 'openssl c-rehash' on the
directory manually, a suitable workaround is to simply add the following
line to the end of the /usr/sbin/make-ca script (or really, anywhere after
c_rehash is run in that script):

ln -s ../ca-bundle.crt "${DESTDIR}${CERTDIR}/ca-certificates.crt"

I'll be ditching c_rehash in the next version of that script (0.9), but
p11-kit does the same thing with the directory in our use case (overwrite).
Same workaround should be good, however, it must be moved to just before the
last "fi" in the 0.9 version of make-ca, which should land in the
development BLFS in a couple of days.

HTH

--DJ
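
Added example, not part of the message above or of make-ca: an idempotent form of the symlink workaround that also verifies the result and refuses to publish a link to a missing or non-PEM bundle. The function names, the sample tree, and the layout (ca-bundle.crt one directory above certs/, inferred from the relative target in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of make-ca): recreate the Debian-style bundle path
# after the certs directory has been regenerated, and verify the result.

# ensure_compat_link SSLDIR
#   SSLDIR/ca-bundle.crt              PEM bundle (layout assumed from the thread)
#   SSLDIR/certs/ca-certificates.crt  relative symlink to ../ca-bundle.crt
ensure_compat_link() {
    bundle=$1/ca-bundle.crt
    link=$1/certs/ca-certificates.crt
    # Refuse to publish a path that would point at nothing or at non-PEM data.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null; then
        echo "no PEM bundle at $bundle" >&2
        return 1
    fi
    # Leave a real file alone; only a missing path or an old symlink is replaced.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink" >&2
        return 2
    fi
    ln -sfn ../ca-bundle.crt "$link" || return 3
    # The relative target resolves from SSLDIR/certs, so compare what the
    # link now yields with the bundle itself.
    cmp -s "$link" "$bundle"
}

# Constructed tree standing in for /etc/ssl; the certificate body is a dummy.
make_sample_tree() {
    mkdir -p "$1/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/ca-bundle.crt"
}

tree=$(mktemp -d)
make_sample_tree "$tree"
ensure_compat_link "$tree" && echo "link created"
rm -rf "$tree/certs" && mkdir "$tree/certs"   # simulate the directory being overwritten
ensure_compat_link "$tree" && echo "link restored"
```
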
Re: [blfs-dev] Certificate updating
On February 13, 2018 3:35:18 PM CST, Brendan L wrote:
>Hey, I think I've spotted an issue with the update-pki.service file in
>the make-ca package. On my system the update would always fail, when
>looking at my logs it was because it would try to run before I had a
>network connection. My solution after reading this:
>
>https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
>Change this:
>
>After=local-fs.target
>Before=shutdown.target
>
>To this:
>
>After=local-fs.target network-online.target
>Before=shutdown.target
>Wants=network-online.target
>
>Another issue I have, and might be something blfs doesn't support, is
>when updating the certificates it deletes my
>/etc/ssl/certs/ca-certificates.crt link to ca-bundle.crt. I need that
>link because steam requires it. Not a huge deal, just annoying to
>have to remember to recreate it when it's deleted.

I'll get a look at it tonight. Thanks for the report.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
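
Added example, not from the thread or from make-ca: a check for the ordering fix reported above, usable on update-pki.service and on the update-pciids.service and update-usbids.service units mentioned in the follow-up. The function names and the sample unit files are constructed for this example, and drop-in overrides are not read.

```shell
#!/bin/sh
# Added example (not from make-ca): check that a unit needing the network
# both orders itself after network-online.target and pulls that target in.

# lists_target KEY TARGET FILE: succeed if a "KEY=" line in FILE names TARGET.
lists_target() {
    awk -F= -v key="$1" -v tgt="$2" '
        $1 == key {
            n = split($2, names, /[ \t]+/)
            for (i = 1; i <= n; i++) if (names[i] == tgt) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$3"
}

# check_unit FILE: print one verdict line; return 0 only if both parts exist.
check_unit() {
    unit=$1 tgt=network-online.target missing=
    lists_target After "$tgt" "$unit" || missing="After=$tgt"
    if ! lists_target Wants "$tgt" "$unit" &&
       ! lists_target Requires "$tgt" "$unit"; then
        missing="${missing:+$missing and }Wants=$tgt"
    fi
    if [ -n "$missing" ]; then
        echo "${unit##*/}: missing $missing"
        return 1
    fi
    echo "${unit##*/}: ok"
}

# Constructed sample units (not the shipped files): the [Unit] lines as
# reported in the thread, and the same lines with the fix applied.
write_samples() {
    printf '%s\n' '[Unit]' 'After=local-fs.target' \
        'Before=shutdown.target' > "$1/before.service"
    printf '%s\n' '[Unit]' 'After=local-fs.target network-online.target' \
        'Before=shutdown.target' 'Wants=network-online.target' \
        > "$1/after.service"
    # After= alone only orders the unit; it does not start the target.
    printf '%s\n' '[Unit]' 'After=network-online.target' \
        > "$1/order-only.service"
}

samples=$(mktemp -d)
write_samples "$samples"
for f in "$samples"/*.service; do check_unit "$f" || true; done
```
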