On 2/23/19 1:59 PM, DJ Lucas via blfs-dev wrote:
On 2/23/2019 3:54 AM, Ken Moffat wrote:
On Sat, Feb 23, 2019 at 09:32:18AM +0000, DJ Lucas via blfs-support wrote:
On 2/23/2019 3:14 AM, Ken Moffat via blfs-support wrote:
I had a reply off-list suggesting that I try without the local cert
directory. So I renamed that, and retried. Running make-ca -g
succeeded but told me that the certs were up to date. Running make-ca
-f succeeded, the final output was: Certificate: Global Chambersign
Root - 2008 Keyhash: 0c4c9b6c Added to p11-kit anchor directory with
trust 'C,C,'. Extracting OpenSSL certificates to
/etc/ssl/certs...Done! Extracting GNUTLS server auth certificates to
/etc/pki/tls/certs/ca-bundle.crt...Done! Extracting GNUTLS S-Mime
certificates to /etc/pki/tls/certs/email-ca-bundle.crt...Done!
Extracting GNUTLS code signing certificates to
/etc/pki/tls/certs/objsign-ca-bundle.crt...Done! Extracting Java
cacerts (JKS) to /etc/pki/tls/java/cacerts...Done! And running links
to an https: site from chroot now works. I'll keep this around for a
bit in case you are replying to my earlier reply, but I need to sort
out some food, then I'll probably go shopping and then wind down and
go to bed.
Bad cert in the /etc/ssl/local directory caused that to cascade like
that? I can't see how, but I'll have to figure it out. If you still have
it around and it's not too much trouble (and nothing private in
/etc/ssl/local), could you tar up the contents and send, or is it just
the example cacert.org certs?
--DJ
I don't have any current use for local certs, I was just trying to
follow the book. Maybe something in what I thought I had copied
from the book is wrong. So here is the commented-out part. KM_LOG
points to my log for this package, and apologies if I've mis-pasted
or failed to update this and wasted your time.
#install -vdm755 /etc/ssl/local >$KM_LOG 2>&1
#wget http://www.cacert.org/certs/root.crt >>$KM_LOG 2>&1
#wget http://www.cacert.org/certs/class3.crt >>$KM_LOG 2>&1
#openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
# -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
# > /etc/ssl/local/CAcert_Class_1_root.pem >>$KM_LOG 2>&1
#openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root"
\
# -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
# > /etc/ssl/local/CAcert_Class_3_root.pem >>$KM_LOG 2>&1
But, looking at the contents: clearly wget has failed.
-rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_1_root.pem
-rw-r--r-- 1 root root 0 Feb 23 05:15 CAcert_Class_3_root.pem
Is there something more pertinent out there? In addition to those, I
install the US military CAs and intermediates, but that's a mess of 111
certificates and a nasty script in and of itself (I just cleaned it up
and pushed it to http://www.linuxfromscratch.org/~dj/get-us-gov-certs.sh
if anybody needs them). I think we should just drop the example all
together, and leave the instructions in the man page. I figure for
better than 99% of our users, the Mozilla CAs are sufficient. Only a
handful of users would want to do overrides or append for local use
cases. Even Windows domains (if named properly) can use LE certs.
Any objections?
--DJ
Go for it. I think it'd remove some confusion and simplify things in
general.
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
