Bug 1158197
Summary: Allow disabling of legacy root CA certificates as a system configuration

Product: Fedora
Component: ca-certificates
Version: 21
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Fixed In Version: ca-certificates-2014.2.1-1.5.fc19
Last Closed: 2014-11-18 12:23:23 UTC

Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: emaldona, hkario, jorton, kengert, lemenkov, mcatanzaro+wrong-account-do-not-cc, mitr, nmavrogi, pwouters, rrelyea, sgallagh, stefw, tmraz, vondruch

Bug Depends On: 1144808, 1158343
Description
Kai Engert (:kaie) (inactive account)
2014-10-28 19:52:30 UTC

Packages with this feature are ready for testing:

Rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=7965554
Fedora 21 testing: http://koji.fedoraproject.org/koji/taskinfo?taskID=7965585
scratch build for testing with Fedora 20: http://koji.fedoraproject.org/koji/taskinfo?taskID=7965788

Comment by Kai Engert (:kaie)

Created attachment 951580 [details]
Difference between upstream certdata.txt and the edited version with legacy flags

Comment by Kai Engert (:kaie)

Updated builds that fix a missing Requires:coreutils

rawhide: http://koji.fedoraproject.org/koji/taskinfo?taskID=7974865
f21: http://koji.fedoraproject.org/koji/taskinfo?taskID=7975013
f20 scratch: http://koji.fedoraproject.org/koji/taskinfo?taskID=7975053

Comment by Fedora Update System

ca-certificates-2014.2.1-1.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.3.fc21

Comment by Fedora Update System

Package ca-certificates-2014.2.1-1.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ca-certificates-2014.2.1-1.3.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13900/ca-certificates-2014.2.1-1.3.fc21
then log in and leave karma (feedback).

Comment by Vít Ondruch

Hmmm, I'd expect that with this update, RubyGems should work, but they don't:

$ rpm -q ca-certificates
ca-certificates-2014.2.1-5.fc22.noarch
$ cat /etc/pki/ca-trust/ca-legacy.conf
# legacy=enable :
# Certain legacy certs, that have been removed by upstream Mozilla,
# are still marked as trusted, if required for backwards compatibility
# with cryptographic libraries like openssl or gnutls.
#
# legacy=disable :
# Follow all removal decisions of upstream Mozilla CA maintainers
#
legacy=enable
$ gem install gem2rpm
ERROR:  Could not find a valid gem 'gem2rpm' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)

Comment by Fedora Update System

ca-certificates-2014.2.1-1.4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.4.fc21

Comment by Fedora Update System

Package ca-certificates-2014.2.1-1.5.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ca-certificates-2014.2.1-1.5.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15103/ca-certificates-2014.2.1-1.5.fc21
then log in and leave karma (feedback).

Comment by Fedora Update System

ca-certificates-2014.2.1-1.5.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment by Kai Engert (:kaie)

(In reply to Vít Ondruch from comment #8)
> Hmmm, I'd expect that with this update, RubyGems should work, but they don't:
...
> $ gem install gem2rpm
> ERROR:  Could not find a valid gem 'gem2rpm' (>= 0), here is why:
>           Unable to download data from https://rubygems.org/ - SSL_connect
> returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
> failed
> (https://s3.amazonaws.com/production.s3.rubygems.org/latest_specs.4.8.gz)

On Rawhide 22 with ENABLED this command works for me, no errors (works on 21, too).

> $ cat /etc/pki/ca-trust/ca-legacy.conf
...
> legacy=enable

More interesting to confirm the configuration is the output of the command
  ca-legacy check
which should report ENABLED (The config file is read on package upgrades only.)

I'm confused why it doesn't work for you.

Comment by Kai Engert (:kaie)

(In reply to Fedora Update System from comment #11)
> ca-certificates-2014.2.1-1.5.fc21 has been pushed to the Fedora 21 stable
> repository. If problems still persist, please make note of it in this bug
> report.

Peter, the package wasn't intended for stable yet, only for testing :-(
(My previous package had been pushed to updates-testing only, with karma disabled.)

Comment by Vít Ondruch

Hmmm, interesting, it works now:

$ rpm -q ca-certificates
ca-certificates-2014.2.1-7.fc22.noarch
$ cat /etc/pki/ca-trust/ca-legacy.conf
# legacy=enable :
# Certain legacy certs, that have been removed by upstream Mozilla,
# are still marked as trusted, if required for backwards compatibility
# with cryptographic libraries like openssl or gnutls.
#
# legacy=disable :
# Follow all removal decisions of upstream Mozilla CA maintainers
#
legacy=enable
$ ca-legacy check
Legacy CAs are set to ENABLED in file /etc/pki/ca-trust/ca-legacy.conf (affects install/upgrade)
Status of symbolic link /etc/pki/ca-trust/source/ca-bundle.legacy.crt:
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt
$ gem install gem2rpm
Fetching: gem2rpm-0.10.1.gem (100%)
Successfully installed gem2rpm-0.10.1
Parsing documentation for gem2rpm-0.10.1
Installing ri documentation for gem2rpm-0.10.1
Done installing documentation for gem2rpm after 0 seconds
1 gem installed

So hopefully, everything is all right. So problem solved (I hope it is not just due to changes RubyGems upstream is doing/did with their certificates ;)).

Comment by Kai Engert (:kaie)

(In reply to Vít Ondruch from comment #14)
> Hmmm, interesting, it works now:

I'm glad to hear about your success :-)

> So hopefully, everything is all right. So problem solved (I hope it is not
> just due to changes RubyGems upstream is doing/did with their certificates
> ;)).

Seems unlikely. If I run
  ca-legacy disable
and then repeat the "gem install gem2rpm" command, then I see the failure you had reported earlier. This seems to confirm that RubyGems indeed uses our system certificates.

Then I ran
  ca-legacy enable
and repeated the "gem" command again, and it worked again.

So hopefully, when you saw the error at the earlier time, something wasn't configured correctly, and you fixed it afterwards.

Please let me know if you ever see the failure again while having things "enable"'d; I really hope we won't have any kind of intermittent failure.

Comment by Kai Engert (:kaie)

(In reply to Kai Engert (:kaie) from comment #13)
> Peter, the package wasn't intended for stable yet, only for testing :-(

Nevertheless, Peter, thanks for having worked on the Requires(post) fix! Since the package seems to work as intended, it should be fine to have pushed it out.

For f20/f19, I'd like to push out the same code; however, I want to start with updates-testing only. Let's wait for additional feedback and a test period prior to pushing to stable updates on f20/f19.

Comment by Fedora Update System

ca-certificates-2014.2.1-1.5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19

Comment by Fedora Update System

ca-certificates-2014.2.1-1.5.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20

Comment by Fedora Update System

ca-certificates-2014.2.1-1.5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Comment by Fedora Update System

ca-certificates-2014.2.1-1.5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
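The point that trips people up in the thread above is that /etc/pki/ca-trust/ca-legacy.conf is only consulted at package install/upgrade time (or when "ca-legacy enable|disable" is run), so the file and the symlink /etc/pki/ca-trust/source/ca-bundle.legacy.crt can disagree after a hand edit, and "ca-legacy check" is the way to see both at once. The following is an added example, not the ca-legacy script shipped in ca-certificates: a small POSIX sh re-implementation of that consistency check, parameterised on the config path and symlink path so it can be run against constructed files. It assumes the two bundle file names seen in the thread (ca-bundle.legacy.enable.crt / ca-bundle.legacy.disable.crt; the "disable" name is an assumption modelled on the "enable" one) and treats any other symlink target as an error rather than guessing.

```shell
#!/bin/sh
# Added example (not the ca-certificates package's own ca-legacy script):
# re-implements the "config vs. installed symlink" check that
# "ca-legacy check" performs, with all paths passed as arguments so the
# functions can be exercised offline against constructed files.

# legacy_setting CONF
# Print the effective "legacy=" value from a ca-legacy.conf-style file,
# skipping comment lines (the shipped file documents both values in
# comments, so a naive grep for "legacy=enable" would always match).
# Prints "enable" or "disable"; returns non-zero if no valid setting exists.
legacy_setting() {
    conf="$1"
    val=$(grep -v '^[[:space:]]*#' "$conf" 2>/dev/null \
          | grep '^[[:space:]]*legacy[[:space:]]*=' \
          | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    case "$val" in
        enable|disable) printf '%s\n' "$val"; return 0 ;;
        *) return 1 ;;
    esac
}

# link_state LINK
# Report which bundle the trust-source symlink currently points at.
# Bundle names are assumptions modelled on the path shown in the bug
# (/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt).
link_state() {
    link="$1"
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    case "$target" in
        *ca-bundle.legacy.enable.crt)  echo enable ;;
        *ca-bundle.legacy.disable.crt) echo disable ;;
        *) return 1 ;;
    esac
}

# legacy_check CONF LINK
# Print the two status lines in the style of "ca-legacy check" and return
# 0 only when the configured value and the installed symlink agree.
# Return 1 on drift (config edited, but nothing re-applied it yet) and
# 2 when either side is unreadable or unexpected.
legacy_check() {
    conf="$1"
    link="$2"
    want=$(legacy_setting "$conf") || {
        echo "no valid legacy= setting in $conf"; return 2; }
    have=$(link_state "$link") || {
        echo "$link missing or points at an unexpected target"; return 2; }
    upper=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
    echo "Legacy CAs are set to ${upper}D in file $conf (affects install/upgrade)"
    echo "Status of symbolic link $link: $(readlink "$link")"
    [ "$want" = "$have" ] && return 0
    echo "MISMATCH: config says '$want' but the installed bundle is '$have';" \
         "run 'ca-legacy $want' (or reinstall ca-certificates) to apply it"
    return 1
}

# Usage on a real Fedora host (paths from the bug report):
#   legacy_check /etc/pki/ca-trust/ca-legacy.conf \
#                /etc/pki/ca-trust/source/ca-bundle.legacy.crt
```

Note the trade-off the config comment itself spells out: with legacy=enable the system keeps trusting roots that upstream Mozilla has removed, for the sake of libraries such as OpenSSL and GnuTLS; with legacy=disable the system follows Mozilla's removal decisions, which is what made the rubygems.org fetch fail in Kai's disable/enable experiment. The check above reports the state, it does not decide which one you should run.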