Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


#Power


  • 1.  ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Thu June 02, 2022 01:13 AM
    Edited by Ayappan P Thu June 02, 2022 02:55 AM
    We use a local copy of the AIX RPM repository, which I recently updated from the latest published by IBM. 

    This included ca-certificates version 2021.2.52-1. This I installed with DNF successfully from our local RPM repository - and then immediately all DNF commands started failing, as the custom certificates we have installed in /var/ssl/certs to allow authentication to our local RPM repository were deleted (or more accurately, moved to /var/ssl/certs.orig).

    This behaviour is different to previous ca-certificates versions. ca-certificates updates should be limited to managing itself, not deleting other added certificates?

    Is this behaviour expected? Other than manually restoring the certificates each time, is there a better way to be managing this?

    ------------------------------
    Alan 
    ------------------------------
    #AIXOpenSource


  • 2.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Thu June 02, 2022 10:44 AM
    The post install script of the new ca-certificates does a lot of messy things. We are working on it.
    Once we fix them, we will update the fixed ca-certificates in Toolbox.

    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Thu June 02, 2022 05:14 PM
    Hi - another issue with the new ca-certificates is that after it is installed the /var/ssl/certs symbolic link points to

    /opt/freeware/etc/ssl/certs/ca-bundle.crt

    This file is removed:

    ls -l /opt/freeware/etc/ssl/certs/ca-bundle.crt

    ls: cannot access '/opt/freeware/etc/ssl/certs/ca-bundle.crt': A file or directory in the path name does not exist.

    At this point running "updtvpkg" fails.

    I created this symlink to get around the issue:
    rowswell@P720_01_NIM:/opt/freeware/etc/ssl/certs:$ s ln -s /opt/freeware/etc/ssl/certs/extracted/pem/tls-ca-bundle.pem ca-bundle.crt




    ------------------------------
    Dean Rowswell
    ------------------------------



  • 4.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri June 03, 2022 12:47 AM
    Hi Dean,

    That is interesting - on my system (which had earlier ca-certificates-2020.06.01-0.aix7.1.ppc.rpm installed first via the DNF installer, then an upgrade via DNF to 2021.2.52-1) the links are working. As does updtvpkg.

    # rpm -qa|grep ca-certificates
    ca-certificates-2021.2.52-1.ppc
    # ls -l /var/ssl/certs
    lrwxrwxrwx 1 root system 27 Jun 02 21:32 /var/ssl/certs -> /opt/freeware/etc/ssl/certs
    # ls -l /opt/freeware/etc/ssl/certs/ca-bundle.crt
    lrwxrwxrwx 1 root system 59 Jun 02 21:32 /opt/freeware/etc/ssl/certs/ca-bundle.crt -> /opt/freeware/etc/ssl/certs/extracted/pem/tls-ca-bundle.pem
    # updtvpkg
    Please wait...
    #

    It may have different behaviour based on how it is installed?

    ------------------------------
    Alan
    ------------------------------



  • 5.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri June 03, 2022 12:18 PM
    Hi Alan - interesting to know that DNF update was fine.
    When I upgraded ca-certificates I had not yet converted to DNF so this was done with YUM.
    Thanks
    Dean

    ------------------------------
    Dean Rowswell
    ------------------------------



  • 6.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri August 05, 2022 02:40 AM
    Hello,

    I have tested the last two new releases of ca-certificates since this issue was reported (2021.2.52-2 and 2021.2.52-3), and both still have the same behaviour I reported in this thread, deleting all other certificates on installation or update. 

    Is this going to be expected behaviour going forward, needing us to manually re-install our other certificates every time ca-certificates is updated, or is this still expected to be fixed in a future release?

    Thanks,
    Alan

    ------------------------------
    Alan
    ------------------------------



  • 7.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri August 05, 2022 03:02 AM

    The recent ca-certificates 2021.2.52-3 is supposed to fix the issues. 
    Can you explain more clearly how the custom certificates are kept in /var/ssl/certs? Is it direct files or symlinks? What is the format (.crt, .pem, etc.)?



    ------------------------------
    Ayappan P
    ------------------------------



  • 8.  RE: ca-certificates 2021.2.52-1 is deleting all certificates from /var/ssl/certs not provided by itself

    Posted Fri August 05, 2022 03:18 AM
    Thanks for the response. 

    I think I understand the issue - yes I think it is fixed now. 

    Problematic version 2021.2.52-1 changed the certificate location to a symlink:

    # ls -l /var/ssl/certs
    lrwxrwxrwx 1 root system 27 Jun 01 17:54 /var/ssl/certs -> /opt/freeware/etc/ssl/certs

    I then installed the custom certificates in that directory. 

    New version 2021.2.52-3 changed /var/ssl/certs back to a directory, so my custom certificates were 'gone' again - still in the /opt/freeware/etc/ssl/certs location. 

    After a once-off reinstall of the custom certificates into /var/ssl/certs, a subsequent reinstall of ca-certificates version 2021.2.52-3 left the custom certificates alone.

    So yes I agree the issue is fixed - I just needed to 'undo' the different configuration from 2021.2.52-1 as a once-off activity.

    Thanks for the fix. 


    ------------------------------
    Alan
    ------------------------------
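
The three conditions reported in this thread (certificate location switching between symlink and directory, a dangling ca-bundle.crt, and custom certificates no longer in place) can be checked before and after a ca-certificates update. The script below is an added example, not part of the original posts or of the Toolbox packaging; its function names are hypothetical, and it assumes you keep a reference copy of your custom certificates in a separate directory.

```shell
#!/bin/sh
# Added example: audit a certificate directory around a ca-certificates update.
# Function names are hypothetical; the reference copy is a directory you keep.

# Print how the certificate location exists: symlink, directory or missing.
certs_layout() {
    if [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo directory
    else echo missing
    fi
}

# Succeed only if ca-bundle.crt resolves to a readable, non-empty file.
# A dangling symlink fails, because -r and -s follow the link.
bundle_ok() {
    [ -r "$1/ca-bundle.crt" ] && [ -s "$1/ca-bundle.crt" ]
}

# List names in the reference copy ($2) that are absent from, or differ
# from, the live certificate directory ($1).
missing_custom() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        cmp -s "$f" "$1/$name" 2>/dev/null || echo "$name"
    done
}

# Copy back what missing_custom reports (assumes names without whitespace).
restore_custom() {
    for name in $(missing_custom "$1" "$2"); do
        cp -p "$2/$name" "$1/$name" || return 1
    done
}

# Run all checks; the return status is non-zero if anything needs attention.
audit_trust_dir() {
    rc=0
    echo "layout: $(certs_layout "$1")"
    bundle_ok "$1" || { echo "ca-bundle.crt missing or dangling"; rc=1; }
    m=$(missing_custom "$1" "$2")
    [ -z "$m" ] || { echo "custom certificates not in place:"; echo "$m"; rc=1; }
    return $rc
}

# Usage: sh audit.sh /var/ssl/certs /path/to/reference-copy
if [ "$#" -eq 2 ]; then audit_trust_dir "$1" "$2"; fi
```

Keep the reference copy outside both /var/ssl/certs and /opt/freeware/etc/ssl/certs, the two locations the thread shows the package changing.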