Bug 445344 - Confusion about CA.sh
Summary: Confusion about CA.sh
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F12Target
TreeView+ depends on / blocked
 
Reported: 2008-05-06 10:54 UTC by Mads Kiilerich
Modified: 2009-07-03 13:56 UTC (History)
1 user (show)

Fixed In Version: openssl-0.9.8k-6.fc12
Clone Of:
Environment:
Last Closed: 2009-07-03 13:56:50 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Mads Kiilerich 2008-05-06 10:54:28 UTC 
Description of problem:
openssl source contains CA.sh (and CA.pl) which are mentioned in tutorials on
the net.

1. CA.sh can't be found in the rpm. I would expect it to be packaged in either
/usr/bin/CA.sh or /usr/lib/openssl/CA.sh

2. CA.sh is patched and renamed and installed in /etc/pki/tls/misc/CA. A strange
location for a script. But a user searching for CA.sh might find it and try to
use it, but very confusingly openssl-0.9.7f-ca-dir.patch patches it to use
../../CA without setting CWD. I suggest using an absolute path instead.

Version-Release number of selected component (if applicable):
openssl-0.9.8b-17.fc8
Comment 1 Tomas Mraz 2008-05-12 12:22:53 UTC 
Moving to rawhide.
Comment 2 Bug Zapper 2008-05-14 10:42:47 UTC 
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Mads Kiilerich 2008-05-27 22:17:45 UTC 
Problem remains in openssl-0.9.8g-6.fc9.i686
Comment 4 Mads Kiilerich 2008-10-02 17:20:44 UTC 
It's the same in openssl-0.9.8g-11.fc10.i686

Tried to make a patch but gave up; relative paths are used in a very confusing way and I can't figure out what the intention is.

For example, /etc/pki/tls/openssl.cnf contains
	dir = ../../CA # Where everything is kept
but apparently it doesn't refer to /etc/CA; it assumes that CWD is one level deeper so that it hits /etc/pki/CA
Comment 5 Tomas Mraz 2008-10-03 07:41:13 UTC 
The CA.sh needs a rehaul I agree. Also to comply with the packaging guidelines.

The current script as is together with the openssl.cnf works if you have CWD in the /etc/pki/tls/misc and run ./CA

But the scripts in the misc directory must be moved to some other directory - I think that either /usr/sbin or /usr/lib/openssl would be appropriate. The scripts will have to be modified to contain absolute paths then.
Comment 6 Bug Zapper 2008-11-26 02:15:05 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Jon Stanley 2008-11-26 19:13:28 UTC 
Fixing version to align with rawhide again.  Sorry for the noise.
Comment 8 Mads Kiilerich 2009-03-06 14:15:55 UTC 
As Original Poster I will add this comment:

As far as I understand NSS is the crypto lib Fedora prefers. And IMHO certutil from nss-tools works better than openssl's CA stuff.

So, as far as I am concerted this issue could be marked WONTFIX. I assume that is the truth anyway ;-)
Comment 9 Bug Zapper 2009-06-09 09:34:17 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Note You need to log in before you can comment on or make changes to this bug.