Fix use of system certificates with perl (and golang)
At the moment, running update-leap from ntp uses Mozilla::CA to check the certificates (which is why we have LWP::Protocol::https as a dependency, although that is not mentioned in the update-leap script).
The problem with using Mozilla::CA is that it is intended as a fallback for CPAN, and we have system certs (and possibly local certs) installed by make-ca. Additionally, Mozilla::CA cannot keep up to date with what Mozilla changes.
On investigation, the core perl module HTTP::Tiny is what suggests using Mozilla::CA, but only if it cannot find system certs. There are a number of choices for different Linux and BSD variants (see the link below); we have chosen to use /etc/ssl/ca-bundle.crt, which unfortunately does not match any of those choices.
The simplest solution is to create a symlink:
mkdir -pv /etc/pki/tls/certs && ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
I can confirm that doing that allows update-leap to run with only IO::Socket::SSL and its dependency Net::SSLeay. Further details are in http://lists.linuxfromscratch.org/pipermail/blfs-dev/2018-November/035027.html : it turns out that this symlink will also support golang.
I have a patch for LWP::Protocol::https to use our own /etc/ssl/ca-bundle.crt instead of Mozilla::CA, but without the symlink HTTP::Tiny will continue to report it needs Mozilla::CA.
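As an added illustration (not part of this ticket or of BLFS), the script below wraps the symlink step in a form that checks the bundle actually contains certificates, refuses to overwrite a real file at the target path (so a distribution-managed bundle is never clobbered), and verifies the result. The `probe` mode runs HTTP::Tiny against a URL of your choosing with `verify_SSL => 1` and prints the 599 internal-error text it returns when it cannot find a CA bundle, which is the symptom described above; the URL is supplied by the caller and is not assumed here. Paths default to the two named in the ticket.

```shell
#!/bin/sh
# Added example: expose the BLFS CA bundle at the path HTTP::Tiny (and Go's
# crypto/x509) look for, and verify that it worked. Not BLFS code.
BUNDLE="${BUNDLE:-/etc/ssl/ca-bundle.crt}"            # bundle written by make-ca
LINK="${LINK:-/etc/pki/tls/certs/ca-bundle.crt}"      # path HTTP::Tiny probes

# count_certs FILE: print the number of PEM certificates in FILE
# (0 when FILE is missing or unreadable).
count_certs() {
    [ -r "$1" ] || { echo 0; return 1; }
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || true   # grep -c exits 1 on 0 matches
    echo "$n"
}

# link_ca_bundle BUNDLE LINK: create LINK -> BUNDLE. Idempotent; refuses to
# replace anything at LINK that is not already a symlink.
link_ca_bundle() {
    bundle=$1; link=$2
    if [ ! -f "$bundle" ] || [ "$(count_certs "$bundle")" -eq 0 ]; then
        echo "error: $bundle is missing or contains no certificates" >&2
        return 1
    fi
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "error: $link exists and is not a symlink; not replacing it" >&2
        return 1
    fi
    mkdir -p "$(dirname "$link")" || return 1
    ln -sf "$bundle" "$link"
}

# check_ca_link BUNDLE LINK: succeed only if LINK is a symlink whose target
# is BUNDLE and the bundle is readable through it.
check_ca_link() {
    bundle=$1; link=$2
    [ -L "$link" ] || return 1
    [ "$(readlink "$link")" = "$bundle" ] || return 1
    [ -r "$link" ]
}

case "${1:-}" in
    apply)   # needs root for the default paths
        link_ca_bundle "$BUNDLE" "$LINK" && check_ca_link "$BUNDLE" "$LINK" \
            && echo "$LINK -> $BUNDLE ($(count_certs "$LINK") certificates)"
        ;;
    check)
        check_ca_link "$BUNDLE" "$LINK" && echo "ok: $LINK -> $BUNDLE"
        ;;
    probe)   # exercise HTTP::Tiny itself; URL chosen by the caller
        url=${2:?usage: $0 probe https://host/}
        perl -MHTTP::Tiny -e '
            my $r = HTTP::Tiny->new(verify_SSL => 1)->get($ARGV[0]);
            print "$r->{status} $r->{reason}\n";
            print $r->{content} if $r->{status} == 599;   # internal error, e.g. no CA bundle found
            exit($r->{success} ? 0 : 1);' "$url"
        ;;
esac
```

Run `sh ca-link.sh apply` as root to create the symlink, then `sh ca-link.sh probe https://<some host>/` before and after to see HTTP::Tiny stop asking for Mozilla::CA. Setting `verify_SSL => 1` matters: older HTTP::Tiny releases do not verify by default, and without verification the CA lookup never happens, so the probe would pass for the wrong reason.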