> Date: Sat, 26 Aug 2023 19:15:01 +0200 > From: Manuel Bouyer <bou...@antioche.eu.org> > > On Sat, Aug 26, 2023 at 04:48:59PM +0000, Taylor R Campbell wrote: > > [...] > > If you currently use security/mozilla-rootcerts or > > security/ca-certificates (or security/mozilla-rootcerts-openssl) to > > populate /etc/openssl/certs, and you want to continue to use it, you > > will have to put the line `manual' in /etc/openssl/certs.conf before > > you next run postinstall(8). > > Will postinstall remove any certificate in /etc/openssl/certs/ > if there is no certs.conf ? I have server certificates here, in addition > to some local (private) CA roots.
Currently, if /etc/openssl/certs.conf doesn't exist, `certctl rehash' (the crux of `postinstall fix opensslcerts') will print an error message and then exit with status 0. This combination is a bug -- need to think a bit about it, but probably better to exit nonzero than to suppress the error message. So if you unpack new _non-etc_ sets, `postinstall fix' won't clobber your /etc/openssl/certs directory. The etc.tgz set, however, will have /etc/openssl/certs.conf. So if you naively unpack etc.tgz, `postinstall fix' will clobber your /etc/openssl/certs directory. That said, I think if you use etcupdate(8), it will interactively prompt you before creating the new /etc/openssl/certs.conf. (Have made a note to add this in my etcmerge(8) tool to do a three-way merge for updating (x)etc sets too.) I'm open to other suggestions about how to handle the transition from manually maintained /etc/openssl/certs on (say) 9.x with no certs.conf or certctl(8) to 10.0 with new default certs.conf and certctl(8), provided that (a) new installations get /etc/openssl/certs populated out of the box, and (b) on _future_ updates (like 10.0 to 10.1, where both releases have certctl(8) and a default certs.conf), /etc/openssl/certs gets updated too (unless you set `manual' in /etc/openssl/certs.conf).