[rawhide] Removal of openssl_format_trust_bundle in ca-certificates package #1804
Comments
A recent update to the ca-certificates package in Fedora removed the `openssl_format_trust_bundle` ca-bundle to improve the startup speed of OpenSSL. Certificates passed into /etc/pki/ca-trust/source/anchors are picked up and added to /etc/pki/tls/certs/ca-bundle.crt after running `update-ca-trust extract`, so let's change the location here to the new cert bundle. see: coreos/fedora-coreos-tracker#1804
I opened coreos/fedora-coreos-config#3183 to make that change
Thanks for the thorough investigation and writeup here.
Looks like this is https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile. Though quite odd it was pushed out to Fedora already when it hasn't been discussed yet AFAICT. Anyway, coreos/fedora-coreos-config#3183 looks sane to me.
A recent update to the `ca-certificates` package in rawhide (Fedora 42) removed the `openssl_format_trust_bundle` (previously located at `/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`) to improve the startup speed of OpenSSL. This change might affect Fedora CoreOS if it's expected that this file will exist and will also include any certificates specified by users in a butane config. The `ext.config.security.coreos-update-ca-trust` kola test is failing for this reason.

The change was first seen in `ca-certificates-2024.2.69_v8.0.401-1.fc42`: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e3ddd9733b7dc60cb

> update-ca-trust: make a copy of directory-hash symlinks in ../tls/certs

After supplying a cert to `/etc/pki/ca-trust/source/anchors/` and running `update-ca-trust extract`, the certificate can now be found in `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, or `/etc/pki/tls/certs/ca-bundle.crt`, which is a symlink to the first location. I actually tested this in testing-devel and found the supplied cert in the new file, which confirms that this was the case before this change in rawhide. IIUIC, `/etc/pki/tls/certs/ca-bundle.crt` is a default location where OpenSSL looks for certificates.

The `ext.config.security.coreos-update-ca-trust` kola test will pass in rawhide if we change the test to validate against the new file instead of the old one, but I'm not sure how this change will affect FCOS as a whole.
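The check the post describes (a cert dropped into the anchors directory must show up in the extracted bundle after `update-ca-trust extract`) as an added Python example; this is not the kola test, the ca-certificates tooling, or any code from the issue. It looks for the bundle only at the two surviving locations named above and treats the removed OpenSSL-format file as absent, compares decoded DER bytes so wrapping and comment lines in the bundle do not matter, and runs offline on constructed PEM-shaped stand-ins (not real X.509 certificates). The `_fake_pem` helper, `SAMPLE_ANCHORS` and `SAMPLE_BUNDLE` are constructed for the demonstration.

```python
"""Verify that every CA anchor in the ca-trust source directory is present in
the extracted bundle.  Added example, not Fedora's or the kola test's own code."""
import base64
import hashlib
import os
import re

# Fedora locations from the issue.  The old openssl-format bundle
# (/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt) is deliberately
# not listed: it no longer exists on rawhide, so anything that hard-codes it
# fails there.
ANCHOR_DIR = "/etc/pki/ca-trust/source/anchors"
BUNDLE_CANDIDATES = (
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",  # new canonical file
    "/etc/pki/tls/certs/ca-bundle.crt",                   # symlink to the above
)

# Plain PEM certificate blocks only (the format used by tls-ca-bundle.pem).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(text):
    """Return SHA-256 hex digests of the DER body of every PEM cert block in text.

    Comparing decoded DER rather than the PEM text makes the check immune to
    different line wrapping and to the '# Subject' comment lines that
    update-ca-trust writes between certificates."""
    fps = set()
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_anchors(anchors, bundle_text):
    """anchors maps anchor file name -> PEM text.  Return the sorted names of
    anchors that are not fully present in bundle_text.  An anchor file with no
    parseable certificate is reported too, since it cannot have been extracted."""
    bundle_fps = pem_fingerprints(bundle_text)
    missing = []
    for name, pem in sorted(anchors.items()):
        fps = pem_fingerprints(pem)
        if not fps or not fps <= bundle_fps:
            missing.append(name)
    return missing


def find_bundle(candidates=BUNDLE_CANDIDATES):
    """Return the first existing bundle path, or None when none of them exists."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def check_system(anchor_dir=ANCHOR_DIR, candidates=BUNDLE_CANDIDATES):
    """Run the check against the live filesystem.  Returns (bundle_path, missing);
    bundle_path is None when no bundle could be found."""
    bundle = find_bundle(candidates)
    if bundle is None:
        return None, []
    anchors = {}
    for name in sorted(os.listdir(anchor_dir)):
        path = os.path.join(anchor_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                anchors[name] = fh.read()
    with open(bundle, encoding="utf-8") as fh:
        return bundle, missing_anchors(anchors, fh.read())


def _fake_pem(seed):
    """Constructed stand-in: base64 of arbitrary bytes wrapped like a PEM cert.
    Not a real X.509 certificate; the checker only compares decoded bytes."""
    body = base64.b64encode(seed.encode() * 8).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample: two anchors were supplied, but only corp-root made it
# into the bundle (lab-ca simulates a cert added after the last extract run).
SAMPLE_ANCHORS = {
    "corp-root.pem": _fake_pem("corp-root"),
    "lab-ca.pem": _fake_pem("lab-ca"),
}
SAMPLE_BUNDLE = (
    "# Corp Root CA\n" + _fake_pem("corp-root")
    + "# Some Public CA\n" + _fake_pem("public-ca")
)

if __name__ == "__main__":
    print("missing from sample bundle:", missing_anchors(SAMPLE_ANCHORS, SAMPLE_BUNDLE))
    bundle, missing = check_system()
    if bundle is None:
        print("no extracted bundle found at", BUNDLE_CANDIDATES)
    else:
        print(bundle, "missing anchors:", missing or "none")
```

Running it on a Fedora host after `update-ca-trust extract` should report no missing anchors; a non-empty list means the extract step was skipped or the anchor file is not a PEM certificate.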