Bug 1895619
| Field | Value |
|---|---|
| Summary | Symlink cert.pem and openssl.cnf to /etc/ssl for cross-distro compatibility |
| Product | [Fedora] Fedora |
| Component | ca-certificates |
| Version | 32 |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | low |
| Type | Enhancement |
| Keywords | Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Christian Heimes <cheimes> |
| Assignee | Bob Relyea <rrelyea> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | awilliam, crypto-team, jorton, kai-engert-fedora, mhroncok, pwouters, rrelyea, tmraz |
| Last Closed | 2021-03-12 07:13:09 UTC |

Description
Christian Heimes
2020-11-07 19:22:00 UTC
My PR https://src.fedoraproject.org/rpms/ca-certificates/pull-request/5 implements the additional symlinks. I've visited this through https://github.com/tiran/distro-truststore and https://github.com/psf/requests/issues/2966

The PR is merged. This can be closed then?

Thanks for the ping, Miro! The new symlinks are available in Fedora 34+ and RHEL 9.

    # . /etc/os-release
    # echo $NAME $VERSION_ID
    Fedora 34
    # ls -l /etc/ssl
    total 0
    lrwxrwxrwx. 1 root root 49 Jan 25 21:08 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx. 1 root root 18 Jan 25 21:08 certs -> /etc/pki/tls/certs
    lrwxrwxrwx. 1 root root 28 Jan 25 21:08 ct_log_list.cnf -> /etc/pki/tls/ct_log_list.cnf
    lrwxrwxrwx. 1 root root 24 Jan 25 21:08 openssl.cnf -> /etc/pki/tls/openssl.cnf

    # . /etc/os-release
    # echo $NAME $VERSION_ID
    Red Hat Enterprise Linux 9.0
    # ls -l /etc/ssl
    total 0
    lrwxrwxrwx. 1 root root 49 Feb 3 06:00 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx. 1 root root 18 Feb 3 06:00 certs -> /etc/pki/tls/certs
    lrwxrwxrwx. 1 root root 28 Feb 3 06:00 ct_log_list.cnf -> /etc/pki/tls/ct_log_list.cnf
    lrwxrwxrwx. 1 root root 24 Feb 3 06:00 openssl.cnf -> /etc/pki/tls/openssl.cnf

I kinda disagree with a lot of the basis for this, though adding more symlinks doesn't hurt *much*. "The majority" of distributions seems like an overly strong assertion, especially for /etc/ssl/cert.pem, which is what this PR actually did (a populated /etc/ssl/certs is more common, though we still do not have that). Per Miro's link, really only a few fairly niche distros have /etc/ssl/cert.pem.

I looked into this extensively many years ago and filed some suggestions, none of which unfortunately were picked up. I would prefer we *get rid of* our /etc/ssl/certs directory as it does nothing but confuse people. See https://bugzilla.redhat.com/show_bug.cgi?id=1053882 (and https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/).

It would've been nice if someone could've looked over that work, as I put quite a lot of effort into it.

Sorry, I forgot we actually followed up a bit on the end of that bug before, never mind.
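
The following check is an added example, not part of the bug report or of the ca-certificates package. It audits a filesystem root against the `/etc/ssl` symlink layout shown in the `ls -l` output in this report; the function names, the `root` parameter and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Expected /etc/ssl entries and targets, copied from the `ls -l /etc/ssl` output in this report.
EXPECTED = {
    "cert.pem": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
    "certs": "/etc/pki/tls/certs",
    "ct_log_list.cnf": "/etc/pki/tls/ct_log_list.cnf",
    "openssl.cnf": "/etc/pki/tls/openssl.cnf",
}


def audit_ssl_symlinks(root="/"):
    """Return {name: status}; `root` (hypothetical) lets a chroot or unpacked image be audited."""
    results = {}
    for name, target in EXPECTED.items():
        link = os.path.join(root, "etc/ssl", name)
        if not os.path.lexists(link):
            results[name] = "missing"
        elif not os.path.islink(link):
            # A real file or directory here is a separate copy that can drift
            # from the system trust store managed under /etc/pki.
            results[name] = "not-a-symlink"
        elif os.readlink(link) != target:
            results[name] = "unexpected-target"
        elif not os.path.exists(os.path.join(root, target.lstrip("/"))):
            # Targets are absolute, so resolve them relative to `root` by hand.
            results[name] = "dangling"
        else:
            results[name] = "ok"
    return results


def build_sample_root(root):
    """Constructed sample tree: the layout above, minus the openssl.cnf target."""
    for d in ("etc/ssl", "etc/pki/tls/certs", "etc/pki/ca-trust/extracted/pem"):
        os.makedirs(os.path.join(root, d))
    for f in ("etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "etc/pki/tls/ct_log_list.cnf"):
        open(os.path.join(root, f), "w").close()
    for name, target in EXPECTED.items():
        os.symlink(target, os.path.join(root, "etc/ssl", name))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for name, status in audit_ssl_symlinks(tmp).items():
            print(f"{name}: {status}")
```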