
[Backport][ipa-4-8] Debian: write out only one CA certificate per file #4509

Status: Closed (1 commit)

Commits on Apr 8, 2020

  1. Debian: write out only one CA certificate per file

    ca-certificates populates /etc/ssl/certs with symlinks to its input
    files and then runs 'openssl rehash' to create the symlinks that libssl
    uses to look up a CA certificate to see if it is trusted.
    
    'openssl rehash' ignores any files that contain more than one
    certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.
    
    With this change, we write out trusted CA certificates to
    /usr/local/share/ca-certificates/ipa-ca, one certificate per file.
    
    The logic that decides whether to reload the store is moved up into the
    original `insert_ca_certs_into_systemwide_ca_store` and
    `remove_ca_certs_from_systemwide_ca_store` methods. These methods now
    also handle any exceptions that may be thrown while updating the store.
    
    The functions that actually manipulate the store are factored out into
    new `platform_{insert,remove}_ca_certs` methods, which implementations
    must override.
    
    These new methods also orchestrate the cleanup of deprecated files (such
    as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
    the cleanup code be included in the same method that creates
    `/etc/pki/ca-trust/source/ipa.p11-kit`.
    
    As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
    systems will now also have
    `/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
    `p11-kit` in Debian does not use this file.
    
    Fixes: https://pagure.io/freeipa/issue/8106
    yrro authored and abbra committed Apr 8, 2020 (commit 4cefd3a)
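The one-certificate-per-file rule the commit message describes, as an added Python example that is not FreeIPA's own code: it splits a PEM bundle into individual files and then checks a directory for files that `openssl rehash` would silently skip (zero or more than one certificate). The file naming `ipa-ca-<n>.crt` is my assumption; the `.crt` suffix is what Debian's `update-ca-certificates` collects from `/usr/local/share/ca-certificates`. The sample bundle is constructed with placeholder bodies, since only the PEM framing matters here.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Matches one PEM certificate block, including its BEGIN/END armour.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample bundle: two placeholder certificates in one file, the
# shape of a CA chain that 'openssl rehash' would ignore if stored as-is.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderSubCA
-----END CERTIFICATE-----
"""


def split_pem_bundle(bundle_text: str) -> List[str]:
    """Return every PEM certificate block in bundle_text, in order, each newline-terminated."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(bundle_text)]


def write_one_cert_per_file(bundle_text: str, target_dir: Path, stem: str = "ipa-ca") -> List[Path]:
    """Write each certificate of the bundle to its own .crt file under target_dir.

    update-ca-certificates only collects *.crt files, and 'openssl rehash'
    skips any file holding more than one certificate, so every file written
    here contains exactly one. Naming (stem-<index>.crt) is an assumption.
    """
    target_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for index, pem in enumerate(split_pem_bundle(bundle_text)):
        path = target_dir / f"{stem}-{index}.crt"
        path.write_text(pem)
        written.append(path)
    return written


def certs_per_file(directory: Path) -> Dict[str, int]:
    """Map each .crt file name in directory to the number of certificates it contains."""
    return {
        p.name: len(PEM_CERT_RE.findall(p.read_text()))
        for p in sorted(directory.glob("*.crt"))
    }


def rehash_unsafe_files(directory: Path) -> List[str]:
    """Names of .crt files that 'openssl rehash' would not link: anything with a count other than 1."""
    return [name for name, count in certs_per_file(directory).items() if count != 1]


def demo(root: Optional[Path] = None) -> Dict[str, object]:
    """Write the sample bundle both ways and report which layout is safe for rehashing."""
    root = root or Path(tempfile.mkdtemp(prefix="ipa-ca-demo-"))
    # Correct layout: one certificate per file.
    split_dir = root / "ipa-ca"
    written = write_one_cert_per_file(SAMPLE_BUNDLE, split_dir)
    # Problematic layout: the whole chain in a single file.
    bundle_dir = root / "bundle"
    bundle_dir.mkdir(parents=True, exist_ok=True)
    (bundle_dir / "ipa-ca.crt").write_text(SAMPLE_BUNDLE)
    return {
        "written": [p.name for p in written],
        "split_counts": certs_per_file(split_dir),
        "split_unsafe": rehash_unsafe_files(split_dir),
        "bundle_unsafe": rehash_unsafe_files(bundle_dir),
    }


if __name__ == "__main__":
    print(demo())
```

After writing the files on a real Debian system, `update-ca-certificates` rebuilds `/etc/ssl/certs`; `rehash_unsafe_files` is the check to run first, since a multi-certificate file fails silently rather than with an error.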