Post by Ken Moffat via blfs-dev
At last, I've found out *what* was telling me that update-leap (from
ntp) was telling me to install Mozilla::CA because it could not find
the system's certificates. And no, it was not LWP-Protocol-https -
the deps listed in update-leap are technically correct.
The item in question is HTTP::Tiny which ntp still claims is an
external module, but has been part of core perl since at least
5.14.1 (the oldest log I have on this machine). And there, the code
# cert list copied from golang src/crypto/x509/root_unix.go
foreach my $ca_bundle (
"/etc/ssl/certs/ca-certificates.crt", #
Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL
"/etc/ssl/ca-bundle.pem", # OpenSUSE
"/etc/openssl/certs/ca-certificates.crt", # NetBSD
"/etc/ssl/cert.pem", # OpenBSD
"/usr/local/share/certs/ca-root-nss.crt", #
FreeBSD/DragonFly
"/etc/pki/tls/cacert.pem", # OpenELEC
"/etc/certs/ca-certificates.crt", # Solaris 11.2+
) {
return $ca_bundle if -e $ca_bundle;
}
die qq/Couldn't find a CA bundle with which to verify the SSL
certificate.\n/
. qq/Try installing Mozilla::CA from CPAN\n/;
}
This looks very like the code I was planning to change in biber if I
could get rid of Mozilla::CA. So, rather than hack on core perl
(and therefore leave it broken for people who have not made the
change), I propose to do something like
mkdir -pv /etc/pki/tls/certs
ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
package x509
// Possible certificate files; stop after finding one.
var certFiles = []string{
"/etc/ssl/certs/ca-certificates.crt", //
Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", //
Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", //
CentOS/RHEL 7
}

Post by Ken Moffat via blfs-dev
At last, I've found out *what* was telling me that update-leap (from
ntp) was telling me to install Mozilla::CA because it could not find
the system's certificates. And no, it was not LWP-Protocol-https -
the deps listed in update-leap are technically correct.
The item in question is HTTP::Tiny which ntp still claims is an
external module, but has been part of core perl since at least
5.14.1 (the oldest log I have on this machine). And there, the code
# cert list copied from golang src/crypto/x509/root_unix.go
foreach my $ca_bundle (
"/etc/ssl/certs/ca-certificates.crt", #
Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL
"/etc/ssl/ca-bundle.pem", # OpenSUSE
"/etc/openssl/certs/ca-certificates.crt", # NetBSD
"/etc/ssl/cert.pem", # OpenBSD
"/usr/local/share/certs/ca-root-nss.crt", #
FreeBSD/DragonFly
"/etc/pki/tls/cacert.pem", # OpenELEC
"/etc/certs/ca-certificates.crt", # Solaris 11.2+
) {
return $ca_bundle if -e $ca_bundle;
}
die qq/Couldn't find a CA bundle with which to verify the SSL
certificate.\n/
. qq/Try installing Mozilla::CA from CPAN\n/;
}
This looks very like the code I was planning to change in biber if I
could get rid of Mozilla::CA. So, rather than hack on core perl
(and therefore leave it broken for people who have not made the
change), I propose to do something like
mkdir -pv /etc/pki/tls/certs
ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
(on the certs page : we already create /etc/pki/)
And if that works (far too late for me to test it at the moment) I
think we can just drop Mozilla::CA.
I'm sure DJ will understand why I want to drop Mozilla::CA, but for
everyone else - Mozilla update their certificates regularly (in
particular, dropping trust), plus clever people can add other
certificates locally. The Mozilla::CA perl module was last updated
in January, so it is well out of date and only gets used as a
fallback because that is convenient for CPAN - really, we should
always prefer the system's certificates.
Or, am I again "too far out, and not waving but drowning" ? If so,
please advise soonest.
ĸen
--
Is it about a bicycle ?
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
--
This message has been scanned for viruses and dangerous content by
E.F.A. Project, and is believed to be clean.
Click here to report this message as spam.
https://efa.lucasit.com/cgi-bin/learn-msg.cgi?id=B197560F2F.A872B&token=b7aede92365022cb069729f85ce4a84e

Post by Ken Moffat via blfs-dev
At last, I've found out *what* was telling me that update-leap (from
ntp) was telling me to install Mozilla::CA because it could not find
the system's certificates. And no, it was not LWP-Protocol-https -
the deps listed in update-leap are technically correct.
The item in question is HTTP::Tiny which ntp still claims is an
external module, but has been part of core perl since at least
5.14.1 (the oldest log I have on this machine). And there, the code
# cert list copied from golang src/crypto/x509/root_unix.go
foreach my $ca_bundle (
"/etc/ssl/certs/ca-certificates.crt", #
Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL
"/etc/ssl/ca-bundle.pem", # OpenSUSE
"/etc/openssl/certs/ca-certificates.crt", # NetBSD
"/etc/ssl/cert.pem", # OpenBSD
"/usr/local/share/certs/ca-root-nss.crt", #
FreeBSD/DragonFly
"/etc/pki/tls/cacert.pem", # OpenELEC
"/etc/certs/ca-certificates.crt", # Solaris 11.2+
) {
return $ca_bundle if -e $ca_bundle;
}
die qq/Couldn't find a CA bundle with which to verify the SSL
certificate.\n/
. qq/Try installing Mozilla::CA from CPAN\n/;
}
This looks very like the code I was planning to change in biber if I
could get rid of Mozilla::CA. So, rather than hack on core perl
(and therefore leave it broken for people who have not made the
change), I propose to do something like
mkdir -pv /etc/pki/tls/certs
ln -svf /etc/ssl/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt