/etc/ssl/certs and the certificate bundle

From: Ludovic Courtès
Subject: /etc/ssl/certs and the certificate bundle
Date: Mon, 02 Mar 2015 23:12:40 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)
Mark H Weaver <address@hidden> skribis:
> address@hidden (Ludovic Courtès) writes:
>
>> Mark H Weaver <address@hidden> skribis:
>>
>>> No, it's not worse than it was before. Sorry if I gave that impression.
>>> The only issue is that we might need to generate a single-file
>>> certificate bundle for now, because I haven't found a way to get 'git'
>>> to check certificates on GuixSD without a single-file cert bundle, at
>>> least not when curl is built with GnuTLS.
>>
>> It seems like adding this single-file bundle would be the simplest
>> short-term option. How would we create that file exactly?
>
> The single-file bundle is just a concatenation of all the individual PEM
> data, starting with "-----BEGIN CERTIFICATE-----" and ending with
> "-----END CERTIFICATE-----", including those delimiters.
>
> The only caveat is that the individual PEM files are not required to
> have a newline after the "-----END CERTIFICATE-----", but in the
> single-file cert bundle, we must ensure that the newline is present.
> See <https://bugs.debian.org/635570>.
OK, I’ve implemented this for GuixSD in commit 993300f. Thanks to you
and Andreas for your help.
> In order to support multiple packages containing CA certs, it would be
> good to handle creation of the single-file cert bundle in the profile
> generation code, analogous to our handling of info "dir" files. This
> would allow us to create additional cert packages (e.g. one for
> CAcert.org).
>
> I think it belongs in the profile generation code for the benefit of
> users running Guix packages on top of another distro, where they might
> not have root access. They can simply set GIT_SSL_CAINFO and
> SSL_CERT_FILE to ~/.guix-profile/etc/ssl/ca-certificates.crt
>
> What do you think?
It’s a good but as of yet unimplemented idea.
Although I now realize we could perhaps simply move the
‘certificate-bundle’ procedure to (guix profile), add the certificate
package to the system profile, and make /etc/ssl a symlink to
/run/current-system/profile/etc/ssl.
However there’s the complication that all the files of ‘nss-certs’ would
still be there in addition to the bundle. Hmm.
Thoughts?
Ludo’.
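The bundle construction Mark describes above (concatenate the PEM blocks, and guarantee a newline after every "-----END CERTIFICATE-----" even when the source file lacks one), as an added example in POSIX sh. This is not code from Guix or from commit 993300f; the file names and certificate bodies are constructed placeholders, not real certificates. It also shows what goes wrong without the newline: the two delimiters fuse into one line and a line-oriented PEM reader sees one certificate instead of two, which is the failure behind the Debian bug Mark links.

```shell
#!/bin/sh
# Added example (not Guix code): build a single-file CA bundle from a directory
# of individual PEM files, appending the newline after "-----END CERTIFICATE-----"
# that the individual files are not required to have. Without it two blocks run
# together on one line and the second certificate is silently lost.
# The certificate bodies used here are constructed placeholders, not real certs.

# count_certs FILE: number of certificate blocks a line-oriented PEM reader
# finds, i.e. lines that consist exactly of the BEGIN delimiter.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# fused_blocks FILE: lines where an END delimiter runs straight into a BEGIN
# delimiter; a well-formed bundle has zero of these.
fused_blocks() {
    grep -c -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1" || true
}

# make_bundle DIR OUT: concatenate DIR/*.pem into OUT, adding a newline after
# any file whose last byte is not already one.
make_bundle() {
    dir=$1
    out=$2
    : > "$out"
    for f in "$dir"/*.pem; do
        cat "$f" >> "$out"
        # $(tail -c1 f) is empty when the last byte is a newline, because
        # command substitution strips trailing newlines; non-empty otherwise.
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# make_fixture: create a temporary directory holding two placeholder PEM files,
# the first deliberately without its trailing newline; prints the directory.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholderCertificateBodyOne' \
        '-----END CERTIFICATE-----' > "$d/a-no-newline.pem"
    printf '%s\n%s\n%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBplaceholderCertificateBodyTwo' \
        '-----END CERTIFICATE-----' > "$d/b-with-newline.pem"
    printf '%s\n' "$d"
}

# Demonstration: a naive `cat` loses a certificate; make_bundle keeps both.
demo_dir=$(make_fixture)
cat "$demo_dir"/*.pem > "$demo_dir/naive.crt"
make_bundle "$demo_dir" "$demo_dir/ca-certificates.crt"
echo "naive cat:   $(count_certs "$demo_dir/naive.crt") cert(s), $(fused_blocks "$demo_dir/naive.crt") fused line(s)"
echo "make_bundle: $(count_certs "$demo_dir/ca-certificates.crt") cert(s), $(fused_blocks "$demo_dir/ca-certificates.crt") fused line(s)"
rm -rf "$demo_dir"
```

The resulting file is what a profile-level ca-certificates.crt would be; as Mark notes, a user without root can then point GIT_SSL_CAINFO and SSL_CERT_FILE at it. Checking the output with fused_blocks (or simply that its last byte is a newline) is a cheap guard worth keeping wherever the bundle is regenerated.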