504892 – app-misc/ca-certificates: allow user customization /etc/ca-certificates.conf

Bug 504892 - app-misc/ca-certificates: allow user customization /etc/ca-certificates.conf

Summary: app-misc/ca-certificates: allow user customization /etc/ca-certificates.conf

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial with 1 vote (vote)
Assignee:	Gentoo's Team for Core System packages

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-03-17 14:47 UTC by Thomas Deutschmann (RETIRED)
Modified:	2019-05-20 20:51 UTC (History)
CC List:	5 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2014-03-17 14:47:25 UTC

Hi,

/etc/ca-certificates.conf is an important file. It allows the user to disable any in app-misc/ca-certificates included certificate without messing with /etc/ssl/... (which would be wrong way to do that BTW).

Header from Gentoo (app-misc/ca-certificates-20140223):
# Automatically generated by app-misc/ca-certificates-20140223
# Mon Mar 17 13:00:43 UTC 2014
# Do not edit.

Header from Debian:
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#



Reproducible: Always

Comment 1 SpanKY gentoo-dev

2014-03-18 00:57:25 UTC

that header is generated on the fly by Debian in their postinst.  not exactly easy to extract ...

Comment 2 SpanKY gentoo-dev

2014-03-19 19:47:56 UTC

hmm, actually in the current system, the header is correct.  you cannot edit that file because we will simply blow it away on the next emerge (by design).  the file is explicitly masked from config protection.

you could add a hook in /etc/ca-certificates/update.d, but that's a hack at best.  the only option atm is to actually rm the relevant file.

Comment 3 Ciprian Ciubotariu 2014-04-29 19:10:26 UTC

I've just bumped into this problem, and with some help found out that certs placed in /usr/local/share/ca-certificates/ are added by udpate-ca-certificates into /etc/ssl/certs/ca-certificates.crt even if they're not listed in /etc/ca-certificates.conf.

That allows for addition of trusted certs. I'm not sure how to proceed if someone wanted to disable a certificate provided upstream.

Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev

2015-09-21 12:55:08 UTC

How about writing an eselect module ? I had one in the past though I lost it somewhere in bitrot.

Comment 5 Martin von Gagern 2016-11-03 22:30:15 UTC

The man page for update-ca-certificates(8) reads as though the canonical way to configure this would be the /etc/ca-certificates.conf file. If that's not the case on Gentoo, consider updating that man page, and also the header comment to suggest alternatives like the use of /usr/local/share/ca-certificates/.

Of course, having the file actually configurable would be preferable. Perhaps you could have a separate file which gets appended to /etc/ca-certificates.conf upon install, and which could contain additional names as well as !-prefixed removals? Then the header should suggest editing this other file instead, together with instructions on how to rebuild the combined list.