#10626: make-ca broken by openssl-1.1.0h --------------------+----------------------- Reporter: ken@… | Owner: blfs-book Type: defect | Status: new Priority: high | Milestone: 8.3 Component: BOOK | Version: SVN Severity: normal | Keywords: --------------------+----------------------- First reported by Ryan Marsaw on Sunday in [http://lists.linuxfromscratch.org/pipermail/blfs- dev/2018-April/034321.html]
This causes https to fail on new installs, and on upgraded installs from an earlier version of openssl the old certificates will be used if an attmpt is made to refresh the certs. Upstream bug is [https://github.com/openssl/openssl/issues/5772] (reported by debian, [https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=894282] ) From an openssl comment after this was closed: levitte commented 8 days ago Side note: while I understand the nature of habit, I would urge those who can (and this most definitely includes Linux as far as I know) to switch to use openssl rehash. c_rehash is a kinda fallback script that will disappear at some point. Meanwhile, in the absence of openssl-1.1.0j I suggest we try adding quotes to /usr/bin/c_rehash (on the make-ca page, before invoking make-ca) if they are not present. I have suggested {{{ sed -i -e s%'= /etc/ssl;%= "/etc/ssl";%' \ -e 's%= /usr;%= "/usr";%' /usr/bin/c_rehash }}} on the grounds that it looks as if it will do the right thing (nothing) if rerun, but I haven't confirmed that. For the longer term, I guess we should move to openssl rehash. I can take a look at confirming the sed can be run multiple times without breaking c_rehash. -- Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/10626> BLFS Trac <http://wiki.linuxfromscratch.org/blfs> Beyond Linux From Scratch -- http://lists.linuxfromscratch.org/listinfo/blfs-book FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page