[rawhide] Removal of openssl_format_trust_bundle in ca-certificates package
#1804
Labels
pipeline failure
This issue or pull request is derived from CI failures
Comments
marmijo
added a commit
to marmijo/fedora-coreos-config
that referenced
this issue
Sep 26, 2024
A recent update to the ca-certificates package in Fedora removed the `openssl_format_trust_bundle` ca-bundle to improve the startup speed of OpenSSL. Certificates passed into /etc/pki/ca-trust/source/anchors are picked up and added to /etc/pki/tls/certs/ca-bundle.crt after running `update-ca-trust extract`, so let's change the location here to the new cert bundle. see: coreos/fedora-coreos-tracker#1804
I opened coreos/fedora-coreos-config#3183 to make that change |
marmijo
added
the
pipeline failure
|
Thanks for the thorough investigation and writeup here. |
dustymabe
pushed a commit
to coreos/fedora-coreos-config
that referenced
this issue
Sep 26, 2024
A recent update to the ca-certificates package in Fedora removed the `openssl_format_trust_bundle` ca-bundle to improve the startup speed of OpenSSL. Certificates passed into /etc/pki/ca-trust/source/anchors are picked up and added to /etc/pki/tls/certs/ca-bundle.crt after running `update-ca-trust extract`, so let's change the location here to the new cert bundle. see: coreos/fedora-coreos-tracker#1804
|
Looks like this is https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile. Though quite odd it was pushed out to Fedora already when it hasn't been discussed yet AFAICT. Anyway, coreos/fedora-coreos-config#3183 looks sane to me. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A recent update to the
ca-certificatespackage in rawhide (Fedora 42) removed theopenssl_fomat_trust_bundle(previously located at/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt) to improve the startup speed of OpenSSL. This change might affect Fedora CoreOS if it's expected that this file will exist and will also include any certificates specified by users in a butane config. Theext.config.security.coreos-update-ca-trustkola test is failing for this reason.The change was first seen in
ca-certificates-2024.2.69_v8.0.401-1.fc42: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e3ddd9733b7dc60cbupdate-ca-trust: make a copy of directory-hash symlinks in ../tls/certsAfter supplying a cert to
/etc/pki/ca-trust/source/anchors/and runningupdate-ca-trust extract, the certificate can now be found in/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, or/etc/pki/tls/certs/ca-bundle.crtwhich is a symlink to the first location. I actually tested this in testing-devel and found the supplied cert in the new file, which confirms that this was the case before this change in rawhide. IIUIC,/etc/pki/tls/certs/ca-bundle.crtis a default location where OpenSSL looks for certificates.The
ext.config.security.coreos-update-ca-trustkola test will pass in rawhide if we change the test to validate against the new file instead of the old one, but I'm not sure how this change will affect FCOS as a whole.The text was updated successfully, but these errors were encountered: