Bug 504892 - app-misc/ca-certificates: allow user customization /etc/ca-certificates.conf
Summary: app-misc/ca-certificates: allow user customization /etc/ca-certificates.conf
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal trivial with 1 vote
Assignee: Gentoo's Team for Core System packages
Depends on:
Reported: 2014-03-17 14:47 UTC by Thomas Deutschmann
Modified: 2019-05-20 20:51 UTC

See Also:
Package list:
Runtime testing required: ---
Description Thomas Deutschmann gentoo-dev 2014-03-17 14:47:25 UTC

/etc/ca-certificates.conf is an important file. It allows the user to disable any certificate included in app-misc/ca-certificates without messing with /etc/ssl/... (which would be the wrong way to do that, BTW).

Header from Gentoo (app-misc/ca-certificates-20140223):
# Automatically generated by app-misc/ca-certificates-20140223
# Mon Mar 17 13:00:43 UTC 2014
# Do not edit.

Header from Debian:
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.

Reproducible: Always
Comment 1 SpanKY gentoo-dev 2014-03-18 00:57:25 UTC
that header is generated on the fly by Debian in their postinst.  not exactly easy to extract ...
Comment 2 SpanKY gentoo-dev 2014-03-19 19:47:56 UTC
hmm, actually in the current system, the header is correct.  you cannot edit that file because we will simply blow it away on the next emerge (by design).  the file is explicitly masked from config protection.

you could add a hook in /etc/ca-certificates/update.d, but that's a hack at best.  the only option atm is to actually rm the relevant file.
Comment 3 Ciprian Ciubotariu 2014-04-29 19:10:26 UTC
I've just bumped into this problem, and with some help found out that certs placed in /usr/local/share/ca-certificates/ are added by update-ca-certificates into /etc/ssl/certs/ca-certificates.crt even if they're not listed in /etc/ca-certificates.conf.

That allows for addition of trusted certs. I'm not sure how to proceed if someone wanted to disable a certificate provided upstream.
Comment 4 Gilles Dartiguelongue gentoo-dev 2015-09-21 12:55:08 UTC
How about writing an eselect module? I had one in the past, though I lost it somewhere in bitrot.
Comment 5 Martin von Gagern 2016-11-03 22:30:15 UTC
The man page for update-ca-certificates(8) reads as though the canonical way to configure this would be the /etc/ca-certificates.conf file. If that's not the case on Gentoo, consider updating that man page, and also the header comment to suggest alternatives like the use of /usr/local/share/ca-certificates/.

Of course, having the file actually configurable would be preferable. Perhaps you could have a separate file which gets appended to /etc/ca-certificates.conf upon install, and which could contain additional names as well as !-prefixed removals? Then the header should suggest editing this other file instead, together with instructions on how to rebuild the combined list.
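The selection rules this thread describes (comment lines, `!`-prefixed deselection, certs under /usr/local/share/ca-certificates picked up even when unlisted, and Comment 5's idea of an appended local override file), modelled in Python as an added example that is not part of the bug report or of update-ca-certificates itself; the certificate names and the override file are constructed assumptions, not real CA entries.

```python
# Added example modelling the conf semantics discussed in the thread; it is not
# the code of update-ca-certificates. Names and the override file are constructed.

def apply_conf(lines, available, selected=None):
    """Process conf lines in order against the available relative .crt paths.

    Returns (selected, missing): 'selected' is the resulting set, 'missing' the
    names that were listed but have no file (update-ca-certificates warns about
    those). Later lines win over earlier ones, so '!name' after 'name' removes
    it, which is what makes an appended override file workable.
    """
    selected = set(selected or ())
    missing = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):   # comment or blank line
            continue
        if line.startswith("!"):                # deselect an upstream cert
            selected.discard(line[1:].strip())
        elif line in available:
            selected.add(line)
        else:
            missing.append(line)
    return selected, missing

def build_bundle(conf_text, override_text, available, local_certs):
    """Generated conf first, then the hypothetical override file, then local certs."""
    selected, missing = apply_conf(conf_text.splitlines(), available)
    selected, more = apply_conf(override_text.splitlines(), available, selected)
    # /usr/local/share/ca-certificates/*.crt is added even when not listed (Comment 3)
    return sorted(selected | set(local_certs)), missing + more

# Constructed sample data: illustrative names, not a real CA list.
AVAILABLE = {"mozilla/ExampleRoot_CA.crt", "mozilla/Another_Root.crt", "mozilla/Old_Root.crt"}
GENERATED_CONF = """\
# Automatically generated by app-misc/ca-certificates (constructed sample)
# Do not edit.
mozilla/ExampleRoot_CA.crt
mozilla/Another_Root.crt
mozilla/Old_Root.crt
"""
OVERRIDE = """\
# hypothetical local override file, appended to the generated conf at install
!mozilla/Old_Root.crt
mozilla/Not_Shipped.crt
"""
LOCAL = ["corp/Internal_Root.crt"]  # under /usr/local/share/ca-certificates

if __name__ == "__main__":
    bundle, missing = build_bundle(GENERATED_CONF, OVERRIDE, AVAILABLE, LOCAL)
    print("bundle:", bundle)
    print("listed but missing:", missing)
```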