
Bug 504892

Summary: app-misc/ca-certificates: allow user customization /etc/ca-certificates.conf
Product: Gentoo Linux
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: UNCONFIRMED
Severity: trivial
CC: djmatic8, flow, jasmin+gentoo, Martin.vGagern, zima
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2014-03-17 14:47:25 UTC
Hi,

/etc/ca-certificates.conf is an important file. It allows the user to disable any certificate included in app-misc/ca-certificates without messing with /etc/ssl/... (which would be the wrong way to do that, BTW).

Header from Gentoo (app-misc/ca-certificates-20140223):
# Automatically generated by app-misc/ca-certificates-20140223
# Mon Mar 17 13:00:43 UTC 2014
# Do not edit.

Header from Debian:
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#

Reproducible: Always
Comment 1 SpanKY gentoo-dev 2014-03-18 00:57:25 UTC
that header is generated on the fly by Debian in their postinst.  not exactly easy to extract ...
Comment 2 SpanKY gentoo-dev 2014-03-19 19:47:56 UTC
hmm, actually in the current system, the header is correct.  you cannot edit that file because we will simply blow it away on the next emerge (by design).  the file is explicitly masked from config protection.

you could add a hook in /etc/ca-certificates/update.d, but that's a hack at best.  the only option atm is to actually rm the relevant file.
Comment 3 Ciprian Ciubotariu 2014-04-29 19:10:26 UTC
I've just bumped into this problem, and with some help found out that certs placed in /usr/local/share/ca-certificates/ are added by update-ca-certificates into /etc/ssl/certs/ca-certificates.crt even if they're not listed in /etc/ca-certificates.conf.

That allows for addition of trusted certs. I'm not sure how to proceed if someone wanted to disable a certificate provided upstream.
Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-09-21 12:55:08 UTC
How about writing an eselect module? I had one in the past, though I lost it somewhere in bitrot.
Comment 5 Martin von Gagern 2016-11-03 22:30:15 UTC
The man page for update-ca-certificates(8) reads as though the canonical way to configure this would be the /etc/ca-certificates.conf file. If that's not the case on Gentoo, consider updating that man page, and also the header comment to suggest alternatives like the use of /usr/local/share/ca-certificates/.

Of course, having the file actually configurable would be preferable. Perhaps you could have a separate file which gets appended to /etc/ca-certificates.conf upon install, and which could contain additional names as well as !-prefixed removals? Then the header should suggest editing this other file instead, together with instructions on how to rebuild the combined list.
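The separate-override-file scheme proposed in comment 5, as an added example (not code from the bug's participants, the ebuild, or update-ca-certificates itself): it parses the `#`/`!` syntax from the Debian header quoted in the report, applies a local override on top of the generated list, and renders a combined file. The override path and the certificate names are constructed samples.

```python
# Added example of the "override file" idea from comment 5; not the ebuild's
# or update-ca-certificates' own logic. Syntax per the Debian header quoted
# in the report: '#' starts a comment, '!' deselects the named cert, any
# other non-blank line selects a cert file under /usr/share/ca-certificates.

def parse_conf(text):
    """Return (name, deselected) tuples in file order, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            entries.append((line[1:].strip(), True))
        else:
            entries.append((line, False))
    return entries

def _apply(generated, override):
    """Map name -> selected?, with later lines (the override) winning."""
    state = {}
    for name, deselected in parse_conf(generated) + parse_conf(override):
        state[name] = not deselected
    return state

def effective_selection(generated, override):
    """Sorted cert names that end up trusted after the override."""
    return sorted(n for n, on in _apply(generated, override).items() if on)

def render_conf(generated, override):
    """Combined file in update-ca-certificates(8) syntax: each name once,
    deselected ones written back as '!name'."""
    lines = ["# Generated from the package list plus local overrides."]
    lines += [n if on else "!" + n
              for n, on in sorted(_apply(generated, override).items())]
    return "\n".join(lines) + "\n"

# Constructed sample inputs, shaped like the headers quoted in the report.
GENERATED = """# Automatically generated by app-misc/ca-certificates-20140223
# Do not edit.
mozilla/Example_Root_CA.crt
mozilla/Other_Root_CA.crt
"""
OVERRIDE = """# local overrides (hypothetical /etc/ca-certificates.local)
!mozilla/Other_Root_CA.crt
company/Internal_CA.crt
"""
```

Running `render_conf(GENERATED, OVERRIDE)` yields a list that keeps the first Mozilla root, deselects the second with a `!` line, and adds the local CA.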