Support for /usr/local/share/ca-certificates/ is incomplete

Bug #487845 reported by Daniel Richard G.
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: ca-certificates

This concerns ca-certificates 20090814 in Ubuntu Karmic.

Bug #293944 requested better support for adding site-local certificates, and this was implemented by making /usr/local/share/ca-certificates/ the place to add these. Code was added to the update-ca-certificates(8) program to read certificate files in this directory, and indeed that part is working fine.

However, the debconf configuration script for the package (i.e. the thing that runs when you invoke "dpkg-reconfigure ca-certificates") does not recognize this directory under /usr/local/. Certificates placed there do not appear in the multiselect list presented to the user. Obviously, they should.

Related branches

Revision history for this message
Daniel Richard G. (skunk) wrote :

Subscribed Matthias Klose, from Bug #293944.

Matthias, this issue needs a bit more work. Please have a look at the package's debconf script.

Revision history for this message
Philipp Kern (pkern) wrote :

IMHO they should not. If an administrator chooses to install certificates there they are assumed to be wanted.

Revision history for this message
Daniel Richard G. (skunk) wrote :

I can see where you're coming from, but I think it would be less confusing to the user if local certificates were handled just the same as system-bundled ones. I wouldn't see it as a good thing if the procedure for enabling/disabling a certificate differed depending on whether it were locally-installed or not.

That aside, the symlinks in /etc/ssl/certs/ are generated based on the multiselect list, so the local certificates aren't getting in there anyway.

Revision history for this message
Philipp Kern (pkern) wrote : Re: [Bug 487845] Re: Support for /usr/local/share/ca-certificates/ is incomplete

On Sat, Jan 09, 2010 at 05:37:58PM -0000, Daniel Richard G. wrote:
> I can see where you're coming from, but I think it would be less
> confusing to the user if local certificates were handled just the same
> as system-bundled ones. I wouldn't see it as a good thing if the
> procedure for enabling/disabling a certificate differed depending on
> whether it were locally-installed or not.
>
> That aside, the symlinks in /etc/ssl/certs/ are generated based on the
> multiselect list, so the local certificates aren't getting in there

Untrue.

| # Now process certificate authorities installed by the local system
| # administrator.
| if [ -d "$LOCALCERTSDIR" ]
| then
| find -L "$LOCALCERTSDIR" -type f -name '*.crt' | while read crt
| do
| add "$crt"
| done
| fi

It's handled just like the multiselect list, calling add will add the
symlink.

Kind regards,
Philipp Kern

Revision history for this message
Daniel Richard G. (skunk) wrote :

Okay, my bad: certificates in $LOCALCERTSDIR *are* added to /etc/ssl/certs/, even though they don't appear in the multiselect list.

I don't have a need to disable locally-installed certificates via the multiselect, but do believe the behavior should be for local certificates to appear in the list. Aside from that being what I would have expected, there's also the implicit assumption that the multiselect lists *all* the system-wide SSL certificates currently active, and not just the subset shipped with the distro.

Changed in ca-certificates (Ubuntu):
status: New → Triaged
Michael Shuler (mshuler)
Changed in ca-certificates (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Michael Shuler (mshuler) wrote :

Pending upload to Debian, these have been committed to the collab-maint git repository:

  * Add ca-certificates-local source package example to documentation
  * Update local certificate handling in README.Debian.

In addition to adding a bit more documentation on local certificate handling, I have added an example source package for building a custom local CA package, which will be located at /usr/share/doc/ca-certificates/examples/ca-certificates-local/

--
Kind regards,
Michael

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20130906

---------------
ca-certificates (20130906) unstable; urgency=low

  * Add ca-certificates-local source package example to documentation
  * Update local certificate handling in README.Debian.
    Closes: #718173, LP: #487845
  * Update CA inclusion policy for ca-certificates in README.Debian. With
    the exception of SPI and CAcert, only those CAs included in Mozilla's
    trust store will be included in ca-certificates in Debian.
    Closes: #647848, LP: #103074
  * Clarify that not all software that uses SSL uses ca-certificates in
    README.Debian. Closes: #664769
  * Add mozilla/nssckbi.h to source, since certdata.txt no longer contains
    a version number.
  * Update debian/copyright to "Copyright: Mozilla Contributors" for
    mozilla/{certdata.txt,nssckbi.h}.
  * Update mozilla/certdata.txt to version 1.94
    Certificates added (+) and removed (-):
    + "CA Disig Root R1"
    + "CA Disig Root R2"
    + "China Internet Network Information Center EV Certificates Root"
    + "D-TRUST Root Class 3 CA 2 2009"
    + "D-TRUST Root Class 3 CA 2 EV 2009"
    + "PSCProcert"
    + "Swisscom Root CA 2"
    + "Swisscom Root EV CA 2"
    + "TURKTRUST Certificate Services Provider Root 2007"
    - "Equifax Secure eBusiness CA 2"
    - "TC TrustCenter Universal CA III"

 -- Michael Shuler <email address hidden> Fri, 06 Sep 2013 11:31:06 -0500

Changed in ca-certificates (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.