Opened 5 years ago
Closed 5 years ago
#11307 closed enhancement (fixed)
Fix use of system certificates with perl (and golang)
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Milestone: | 8.4 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
At the moment, running update-leap from ntp uses Mozilla::CA to check the certificates (which is why we have LWP::Protocol::https as a dependency, although that is not mentioned in the update-leap script).
The problem with using Mozilla::CA is that it is intended as a fallback script for CPAN, and we have system certs (and possibly local certs) installed by make-ca. Additionally, Mozilla::CA cannot keep up to date with what mozilla change.
On investigation, the core perl module HTTP::Tiny is what suggests using Mozilla::CA, but only if it cannot find system certs. There are a number of choices for different linux and BSD variants (see the link below), we have chosen to use /etc/ssl/ca-bundle.crt which unfortunately does not match any of those choices.
The simplest solution is to create a symlink:
mkdir -pv /etc/pki/tls/certs && ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
I can confirm that doing that allows update-leap to run with only IO::Socket::SSL and its dependency of Net::SSLeay. Further details in http://lists.linuxfromscratch.org/pipermail/blfs-dev/2018-November/035027.html : it turns out that this symlink will also support golang.
I have a patch for LWP::Protocol::https to use our own /etc/ssl/ca-bundle.crt instead of Mozilla::CA, but without the symlink HTTP::Tiny will continue to report it needs Mozilla::CA.
Change History (3)
comment:1 by , 5 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
On reflection, using /etc/pki/tls/certs/ca-bundle.crt in the patch will keep it in sync with the rest of the perl code.