AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

  • 1.  ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Thu June 02, 2022 01:13 AM
    Edited by Ayappan P Thu June 02, 2022 02:55 AM
    We use a local copy of the AIX RPM repository, which I recently updated from the latest published by IBM. 

    This included ca-certificates version 2021.2.52-1. This I installed with DNF successfully from our local RPM repository, and then immediately all DNF commands started failing, as the custom certificates we have installed in /var/ssl/certs to allow authentication to our local RPM repository were deleted (or more accurately, moved to /var/ssl/certs.orig).

    This behaviour is different to previous ca-certificates versions. ca-certificates updates should be limited to managing itself, not deleting other added certificates?

    Is this behaviour expected? Other than manually restoring the certificates each time, is there a better way to be managing this?

    ------------------------------
    Alan 
    ------------------------------


  • 2.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Thu June 02, 2022 10:44 AM
    The post-install script of the new ca-certificates does a lot of messy things. We are working on it.
    Once we fix them, we will update the fixed ca-certificates in Toolbox.

    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Thu June 02, 2022 05:14 PM
    Hi - another issue with the new ca-certificates is that after it is installed the /var/ssl/certs symbolic link points to

    /opt/freeware/etc/ssl/certs/ca-bundle.crt

    This file is removed:

    ls -l /opt/freeware/etc/ssl/certs/ca-bundle.crt

    ls: cannot access '/opt/freeware/etc/ssl/certs/ca-bundle.crt': A file or directory in the path name does not exist.

    At this point running "updtvpkg" fails.

    I created this symlink to get around the issue:
    rowswell@P720_01_NIM:/opt/freeware/etc/ssl/certs:$ s ln -s /opt/freeware/etc/ssl/certs/extracted/pem/tls-ca-bundle.pem ca-bundle.crt




    ------------------------------
    Dean Rowswell
    ------------------------------



  • 4.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri June 03, 2022 12:47 AM
    Hi Dean,

    That is interesting - on my system (which had earlier ca-certificates-2020.06.01-0.aix7.1.ppc.rpm installed first via the DNF installer, then an upgrade via DNF to 2021.2.52-1) the links are working. As does updtvpkg.

    # rpm -qa|grep ca-certificates
    ca-certificates-2021.2.52-1.ppc
    # ls -l /var/ssl/certs
    lrwxrwxrwx 1 root system 27 Jun 02 21:32 /var/ssl/certs -> /opt/freeware/etc/ssl/certs
    # ls -l /opt/freeware/etc/ssl/certs/ca-bundle.crt
    lrwxrwxrwx 1 root system 59 Jun 02 21:32 /opt/freeware/etc/ssl/certs/ca-bundle.crt -> /opt/freeware/etc/ssl/certs/extracted/pem/tls-ca-bundle.pem
    # updtvpkg
    Please wait...
    #

    It may have different behaviour based on how it is installed?

    ------------------------------
    Alan
    ------------------------------



  • 5.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri June 03, 2022 12:18 PM
    Hi Alan - interesting to know that DNF update was fine.
    When I upgraded ca-certificates I had not yet converted to DNF so this was done with YUM.
    Thanks
    Dean

    ------------------------------
    Dean Rowswell
    ------------------------------



  • 6.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri August 05, 2022 02:40 AM
    Hello,

    I have tested the last two new releases of ca-certificates since this issue was reported (2021.2.52-2 and 2021.2.52-3), and both still have the same behaviour I reported in this thread, deleting all other certificates on installation or update. 

    Is this going to be expected behaviour going forward, needing us to manually re-install our other certificates every time ca-certificates is updated, or is this still expected to be fixed in a future release?

    Thanks,
    Alan

    ------------------------------
    Alan
    ------------------------------



  • 7.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri August 05, 2022 03:02 AM

    The recent ca-certificates 2021.2.52-3 is supposed to fix the issues. 
    Can you explain more clearly how the custom certificates are kept in /var/ssl/certs? Is it direct files or symlinks? What is the format (.crt, .pem, etc.)?



    ------------------------------
    Ayappan P
    ------------------------------



  • 8.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri August 05, 2022 03:18 AM
    Thanks for the response. 

    I think I understand the issue - yes I think it is fixed now. 

    Problematic version 2021.2.52-1 changed the certificate location to a symlink:

    # ls -l /var/ssl/certs
    lrwxrwxrwx 1 root system 27 Jun 01 17:54 /var/ssl/certs -> /opt/freeware/etc/ssl/certs

    I then installed the custom certificates in that directory. 

    New version 2021.2.52-3 changed /var/ssl/certs back to a directory, so my custom certificates were 'gone' again - still in the /opt/freeware/etc/ssl/certs location. 

    After a once-off reinstall of the custom certificates into /var/ssl/certs, a subsequent reinstall of ca-certificates version 2021.2.52-3 left the custom certificates alone.

    So yes I agree the issue is fixed - I just needed to 'undo' the different configuration from 2021.2.52-1 as a once-off activity.

    Thanks for the fix. 


    ------------------------------
    Alan
    ------------------------------
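
    Added example, not from any poster in this thread and not part of the AIX Toolbox packaging: a read-only check for the states reported above (whether /var/ssl/certs is a symlink or a directory, whether ca-bundle.crt is a dangling link, and which certificates were left behind in /var/ssl/certs.orig or /opt/freeware/etc/ssl/certs). The function names and the ROOT prefix are assumptions for illustration, as are the .pem/.crt suffixes, since the thread does not state the custom certificates' format.

```shell
#!/bin/sh
# Added example: audit the certificate layout before/after a ca-certificates update.
# ROOT (hypothetical) is an optional path prefix so the check can run on a scratch tree.

# Prints "symlink", "directory" or "missing" for /var/ssl/certs.
certs_layout() {
    if [ -L "$1/var/ssl/certs" ]; then echo symlink
    elif [ -d "$1/var/ssl/certs" ]; then echo directory
    else echo missing
    fi
}

# Prints "dangling" when ca-bundle.crt is a link whose target no longer exists,
# "ok" when it resolves, "missing" when it is absent.
bundle_state() {
    bundle="$1/opt/freeware/etc/ssl/certs/ca-bundle.crt"
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then echo dangling
    elif [ -e "$bundle" ]; then echo ok
    else echo missing
    fi
}

# Lists certificate files found in the two locations named in the thread that
# have no same-named file in the live /var/ssl/certs (assumes *.pem / *.crt names).
stranded_certs() {
    live="$1/var/ssl/certs"
    for dir in "$1/var/ssl/certs.orig" "$1/opt/freeware/etc/ssl/certs"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.pem "$dir"/*.crt; do
            [ -f "$f" ] || continue          # unmatched glob or dangling link
            case ${f##*/} in ca-bundle.crt) continue ;; esac
            [ -e "$live/${f##*/}" ] || echo "$f"
        done
    done
}

audit() {
    echo "/var/ssl/certs layout: $(certs_layout "$1")"
    echo "ca-bundle.crt state:   $(bundle_state "$1")"
    echo "certificates to review (not present in /var/ssl/certs):"
    stranded_certs "$1"
}

audit "${ROOT:-}"
```

    Files it lists are candidates to review and copy back by hand; the script changes nothing on disk.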