overhaul cc_ca_certs functionality #1962

Merged
merged 1 commit into from Feb 15, 2023

Commits on Feb 13, 2023

  1. Overhaul/rewrite of certificate handling as follows:

    Change "ca-certs" references to "ca_certs".
    
    New certificates are written to individual files, with an incrementing
    number as part of their filename, rather than all being placed in a
    single file. This resolves issues caused when certificate files
    containing more than a single certificate are placed in /etc/ssl/certs
    (by utilities such as "update-ca-certificates" run by ca_certs).
    
    Alpine / Debian / Ubuntu:
    
    The current behaviour, whilst it works, is incorrect with regard to
    the design of the underlying OS utilities for managing certificates.
    For "remove_defaults" the system-installed certificate files should not
    be actually deleted (otherwise it becomes problematic if someone wishes
    to later re-enable one or more of them), rather they should be
    deactivated and these OSes already provide the means to do so - this MR
    modifies the certificate entries in the /etc/ca-certificates.conf file
    by prefixing them with "!" - when the update-ca-certificates utility is
    then run it will *not* place such delimited certificates into either the
    /etc/ssl/certs/ directory (via symlinks) nor add them to the
    (re)generated certificates bundle file.
    
    Additionally it is incorrect for added certificates to be placed in the
    /usr/share/ca-certificates directory - this location is intended for
    standard/"official" certificates, the /usr/local/share/ca-certificates
    directory is intended for "local" or "site-specific" certificates and so
    this PR adds them there instead - for certs in
    /usr/local/share/ca-certificates the update-ca-certificates utility will
    automatically use them, there is *no* need to add their filenames to the
    /etc/ca-certificates.conf file.
    
    LP: #1931174
    dermotbradley committed Feb 13, 2023
    f780b59
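
The two behaviours the commit message describes, deactivating default entries with a "!" prefix and writing each added certificate to its own numbered file under /usr/local/share/ca-certificates, sketched as an added example (this is not cloud-init's own code). The filename prefix `example-ca-cert`, the function names and the sample data are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Directory for local / site-specific certificates, as named in the commit message.
LOCAL_CERT_DIR = PurePosixPath("/usr/local/share/ca-certificates")
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def deactivate_defaults(conf_text):
    """Prefix every active entry of ca-certificates.conf content with '!'."""
    out = []
    for line in conf_text.splitlines():
        entry = line.strip()
        # Blank lines, comments and already-deactivated entries stay untouched,
        # so running this twice gives the same result as running it once.
        if not entry or entry[0] in "#!":
            out.append(line)
        else:
            out.append("!" + entry)
    return "\n".join(out) + "\n"


def plan_local_cert_files(pem_inputs, prefix="example-ca-cert"):
    """Map one numbered .crt path to each certificate found in pem_inputs.

    The prefix is a hypothetical name; a multi-certificate input is split so
    that no resulting file holds more than one certificate.
    """
    certs = [c for text in pem_inputs for c in PEM_CERT.findall(text)]
    return {
        str(LOCAL_CERT_DIR / f"{prefix}-{n}.crt"): cert + "\n"
        for n, cert in enumerate(certs, start=1)
    }


# Constructed sample input, not taken from a real system or real certificates.
SAMPLE_CONF = (
    "# Lines starting with ! are deselected\n"
    "mozilla/Example_Root_A.crt\n"
    "!mozilla/Example_Root_B.crt\n"
    "\n"
    "mozilla/Example_Root_C.crt\n"
)
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(deactivate_defaults(SAMPLE_CONF), end="")
    for path in plan_local_cert_files([SAMPLE_BUNDLE]):
        print(path)
```

Nothing here touches the filesystem; on a real host the planned files would be written and update-ca-certificates run afterwards, which only picks up files ending in `.crt` from that directory.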