> Date: Mon, 28 Aug 2023 10:41:32 +0200
> From: Manuel Bouyer <bou...@antioche.eu.org>
>
> Maybe postinstall should check the /etc/openssl/certs.conf existence,
> and fail the 'fix opensslcerts' asking for it to be manually created;
> as we do for e.g. uid/gid if some are missing?
I split it into two postinstall items:

- opensslcertsconf: handles missing /etc/openssl/certs.conf, in case you
  neglect to apply etcupdate or equivalent to bring in new config files.
  If you appear to be managing /etc/openssl/certs manually already, this
  sets `manual' in certs.conf; otherwise it copies the default one from
  /usr/share/examples/certctl/certs.conf.

- opensslcertsrehash: handles regenerating the /etc/openssl/certs cache
  from config. I also added a check operation so that this complains if
  and only if `certctl rehash' would create something different from what
  is currently in /etc/openssl/certs (or if it doesn't seem to be managed
  by certctl(8), but /etc/openssl/certs.conf doesn't set `manual').

Please let me know if you have any trouble with upgrades! I'm trying to
make sure this will provide a seamless fresh install and upgrade path so
that if you were already managing /etc/openssl/certs, it stays that way,
but if you weren't, certctl(8) takes over and makes the Mozilla trust
anchors available. And I'd like to get this into 10 ASAP.
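The decision logic of the two postinstall items described above, as an added illustration in POSIX sh (not the NetBSD postinstall or certctl(8) code). It assumes, beyond what the message states, that certctl marks a directory it manages with a ".certctl" file, that certs.conf uses `manual` and `path <dir>` lines, and that the second argument of `certs_check` names a stand-in for `certctl rehash` which writes into a scratch directory; paths are taken as arguments so it can be run against a throwaway tree.

```sh
#!/bin/sh
# Assumptions (not from the message): certctl leaves a ".certctl" marker in a
# directory it manages; certs.conf uses "manual" and "path <dir>" lines;
# $2 of certs_check names a command run as "<cmd> certs.conf outdir" that
# stands in for `certctl rehash` populating a scratch directory.

# opensslcertsconf: make sure ETC/openssl/certs.conf exists.
# Returns 0 if it was already there, 1 if "manual" was written because
# ETC/openssl/certs looks hand-managed, 2 if the example config was copied.
certs_conf_fix() {
    etc=$1 examples=$2
    conf=$etc/openssl/certs.conf certs=$etc/openssl/certs
    [ -f "$conf" ] && return 0
    # Non-empty certs dir without the certctl marker: someone manages it by hand.
    if [ -d "$certs" ] && [ ! -f "$certs/.certctl" ] &&
       [ -n "$(ls -A "$certs")" ]; then
        printf 'manual\n' > "$conf"
        return 1
    fi
    mkdir -p "$etc/openssl"
    cp "$examples/certctl/certs.conf" "$conf"
    return 2
}

# opensslcertsrehash check: 0 when a rehash would change nothing, 1 when the
# certs dir is not certctl-managed (or certs.conf is missing) but certs.conf
# does not say "manual", 2 when a rehash would create or alter files,
# 3 if the scratch directory cannot be created.
certs_check() {
    etc=$1 rehash=$2
    conf=$etc/openssl/certs.conf certs=$etc/openssl/certs
    [ -f "$conf" ] || return 1
    grep -q '^manual' "$conf" && return 0
    # Missing or empty certs dir: a rehash would populate it.
    if [ ! -d "$certs" ] || [ -z "$(ls -A "$certs")" ]; then return 2; fi
    [ -f "$certs/.certctl" ] || return 1
    tmp=$(mktemp -d) || return 3
    "$rehash" "$conf" "$tmp"
    diff -r "$certs" "$tmp" >/dev/null 2>&1; rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && return 0
    return 2
}
```

Running `certs_conf_fix /etc /usr/share/examples` followed by `certs_check /etc <rehash-command>` reproduces the fix-then-check sequence on a real tree, with the return codes telling you which of the cases above applied.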