Bug 445344

Summary: Confusion about CA.sh
Product: [Fedora] Fedora Reporter: Mads Kiilerich <mads>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: mads
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl-0.9.8k-6.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-07-03 13:56:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 473302    

Description Mads Kiilerich 2008-05-06 10:54:28 UTC 
Description of problem:
openssl source contains CA.sh (and CA.pl) which are mentioned in tutorials on
the net.

1. CA.sh can't be found in the rpm. I would expect it to be packaged in either
/usr/bin/CA.sh or /usr/lib/openssl/CA.sh

2. CA.sh is patched and renamed and installed in /etc/pki/tls/misc/CA. A strange
location for a script. But a user searching for CA.sh might find it and try to
use it, but very confusingly openssl-0.9.7f-ca-dir.patch patches it to use
../../CA without setting CWD. I suggest using an absolute path instead.

Version-Release number of selected component (if applicable):
openssl-0.9.8b-17.fc8
Comment 1 Tomas Mraz 2008-05-12 12:22:53 UTC 
Moving to rawhide.
Comment 2 Bug Zapper 2008-05-14 10:42:47 UTC 
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Mads Kiilerich 2008-05-27 22:17:45 UTC 
Problem remains in openssl-0.9.8g-6.fc9.i686
Comment 4 Mads Kiilerich 2008-10-02 17:20:44 UTC 
It's the same in openssl-0.9.8g-11.fc10.i686

Tried to make a patch but gave up; relative paths are used in a very confusing way and I can't figure out what the intention is.

For example, /etc/pki/tls/openssl.cnf contains
	dir = ../../CA # Where everything is kept
but apparently it doesn't refer to /etc/CA; it assumes that CWD is one level deeper so that it hits /etc/pki/CA
Comment 5 Tomas Mraz 2008-10-03 07:41:13 UTC 
The CA.sh needs a rehaul I agree. Also to comply with the packaging guidelines.

The current script as is together with the openssl.cnf works if you have CWD in the /etc/pki/tls/misc and run ./CA

But the scripts in the misc directory must be moved to some other directory - I think that either /usr/sbin or /usr/lib/openssl would be appropriate. The scripts will have to be modified to contain absolute paths then.
Comment 6 Bug Zapper 2008-11-26 02:15:05 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Jon Stanley 2008-11-26 19:13:28 UTC 
Fixing version to align with rawhide again.  Sorry for the noise.
Comment 8 Mads Kiilerich 2009-03-06 14:15:55 UTC 
As Original Poster I will add this comment:

As far as I understand NSS is the crypto lib Fedora prefers. And IMHO certutil from nss-tools works better than openssl's CA stuff.

So, as far as I am concerted this issue could be marked WONTFIX. I assume that is the truth anyway ;-)
Comment 9 Bug Zapper 2009-06-09 09:34:17 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping