Opened 3 years ago

Closed 3 years ago

#11307 closed enhancement (fixed)

Fix use of system certificates with perl (and golang)

Reported by: ken@… Owned by: ken@…
Priority: normal Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:


At the moment, running update-leap from ntp uses Mozilla::CA to check the certificates (which is why we have LWP::Protocol::https as a dependency, although that is not mentioned in the update-leap script).

The problem with using Mozilla::CA is that it is intended as a fallback script for CPAN, and we have system certs (and possibly local certs) installed by make-ca. Additionally, Mozilla::CA cannot keep up to date with what mozilla change.

On investigation, the core perl module HTTP::Tiny is what suggests using Mozilla::CA, but only if it cannot find system certs. There are a number of choices for different linux and BSD variants (see the link below), we have chosen to use /etc/ssl/ca-bundle.crt which unfortunately does not match any of those choices.

The simplest solution is to create a symlink:

mkdir -pv /etc/pki/tls/certs &&
ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt

I can confirm that doing that allows update-leap to run with only IO::Socket::SSL and its dependency of Net::SSLeay. Further details in : it turns out that this symlink will also support golang.

I have a patch for LWP::Protocol::https to use our own /etc/ssl/ca-bundle.crt instead of Mozilla::CA, but without the symlink HTTP::Tiny will continue to report it needs Mozilla::CA.

Change History (3)

comment:1 by ken@…, 3 years ago

Owner: changed from blfs-book to ken@…
Status: newassigned

comment:2 by ken@…, 3 years ago

On reflection, using /etc/pki/tls/certs/ca-bundle.crt in the patch will keep it in sync with the rest of the perl code.

comment:3 by ken@…, 3 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.