Re: issue: poudriere jail update fails after recent changes around certctl
Alexander Leidinger writes:
> If FreeBSD provides some certs as trusted (as part of
> e.g. installworld), and I have some of them listed in untrusted, I
> would not expect an error case, but a failsafe action of not trusting
> them and not complaining... am I doing something wrong?

No, this is definitely something we want to support.

DES
--
Dag-Erling Smørgrav - d...@freebsd.org
Re: issue: poudriere jail update fails after recent changes around certctl
On 2023-10-13 17:42, Dag-Erling Smørgrav wrote:
> Alexander Leidinger writes:
>> some change around certctl (world from 2023-10-09) has broken the
>> poudriere jail update command. The complete install finishes, certctl
>> is run, and then there is an exit code 1. This is because I have some
>> certs listed as untrusted, and this seems to give a retval of 1 inside
>> certctl.
>
> This only happens if a certificate is listed as both trusted and
> untrusted, and I'm pretty sure the previous version would return 1 in
> that case as well. Can you check?

I compared /usr/share/certs/untrusted/ with /usr/share/certs/trusted/ and some of them match with certs in /usr/share/certs/trusted/. Nothing in /usr/local/etc/ssl/untrusted/, one cert (as hash) in /usr/local/etc/ssl/blacklisted/ which is also in /usr/share/certs/untrusted/.

If FreeBSD provides some certs as trusted (as part of e.g. installworld), and I have some of them listed in untrusted, I would not expect an error case, but a failsafe action of not trusting them and not complaining... am I doing something wrong?

Bye,
Alexander.
--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
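The comparison described in the message above, as an added example that is not part of the original thread or of certctl: it lists files in an untrusted directory whose certificate also appears in a trusted directory. Matching on an identical PEM body is an assumption of this sketch, and the function names `pem_body`, `index_dir` and `find_overlap` are hypothetical.

```shell
#!/bin/sh
# Added example: list certificates present in both a trusted and an
# untrusted directory, matched by identical PEM body (an assumption of
# this sketch; certctl itself is not consulted).

# pem_body FILE: print the base64 body of the first certificate in FILE on
# one line, ignoring any text outside the BEGIN/END markers.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         on { gsub(/[ \t\r]/, ""); printf "%s", $0 }
         END { print "" }' "$1"
}

# index_dir TAG DIR: print "TAG<TAB>body<TAB>path" for each certificate file.
index_dir() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue          # follows symlinks such as hash.0
        body=$(pem_body "$f")
        if [ -n "$body" ]; then
            printf '%s\t%s\t%s\n' "$1" "$body" "$f"
        fi
    done
}

# find_overlap TRUSTED_DIR UNTRUSTED_DIR: print "untrusted<TAB>trusted" for
# every untrusted file whose certificate also appears in TRUSTED_DIR.
find_overlap() {
    { index_dir T "$1"; index_dir U "$2"; } |
    awk -F'\t' '$1 == "T" { seen[$2] = $3; next }
                ($2 in seen) { print $3 "\t" seen[$2] }'
}

# Usage: sh overlap.sh /usr/share/certs/trusted /usr/share/certs/untrusted
if [ "$#" -eq 2 ]; then
    find_overlap "$1" "$2"
fi
```

Any line it prints names a certificate that sits in both sets, which is the condition the thread identifies as producing the exit code 1.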
Re: issue: poudriere jail update fails after recent changes around certctl
On 13/10/23 17:42, Dag-Erling Smørgrav wrote:
> Alexander Leidinger writes:
>> some change around certctl (world from 2023-10-09) has broken the
>> poudriere jail update command. The complete install finishes, certctl
>> is run, and then there is an exit code 1. This is because I have some
>> certs listed as untrusted, and this seems to give a retval of 1 inside
>> certctl.
>
> This only happens if a certificate is listed as both trusted and
> untrusted, and I'm pretty sure the previous version would return 1 in
> that case as well. Can you check?

On an unrelated note, I noticed the new certctl in head requires .pem (and any other extension, if I remember correctly) files to contain a "Certificate:" line.

While I have no objection to the requirement, it is not documented in the man page, or anywhere else; I did have to look at the script source to discover this.

Maybe a little note about this requirement in the man page should be added.

--
Guido Falsi
Re: issue: poudriere jail update fails after recent changes around certctl
Alexander Leidinger writes:
> some change around certctl (world from 2023-10-09) has broken the
> poudriere jail update command. The complete install finishes, certctl
> is run, and then there is an exit code 1. This is because I have some
> certs listed as untrusted, and this seems to give a retval of 1 inside
> certctl.

This only happens if a certificate is listed as both trusted and untrusted, and I'm pretty sure the previous version would return 1 in that case as well. Can you check?

DES
--
Dag-Erling Smørgrav - d...@freebsd.org
issue: poudriere jail update fails after recent changes around certctl
Hi,

some change around certctl (world from 2023-10-09) has broken the poudriere jail update command. The complete install finishes, certctl is run, and then there is an exit code 1. This is because I have some certs listed as untrusted, and this seems to give a retval of 1 inside certctl.

Testcase: set a cert as untrusted and try to use "poudriere jail -u -j YOUR_JAIL_NAME -m src=/usr/src"

Relevant log:
---snip---
-- Installing everything completed on Fri Oct 13 10:00:04 CEST 2023 --
83.55 real 103.83 user 109.42 sys
certctl.sh: Skipping untrusted certificate ad088e1d (/space/poudriere/jails/poudriere-x11/etc/ssl/untrusted/ad088e1d.0)
[some more untrusted]
*** [installworld] Error code 1
make[1]: stopped in /space/system/usr_src
1 error
make[1]: stopped in /space/system/usr_src
make: stopped in /usr/src
[00:01:32] Error: Failed to 'make installworld'
---snip---

Bye,
Alexander.
--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF