Tiny Core Linux

Tiny Core Base => Raspberry Pi => Topic started by: stelian on November 26, 2021, 04:49:32 AM

Title: ca-certificates update needs openssl : circular dependency
Post by: stelian on November 26, 2021, 04:49:32 AM
I have updated ca-certificates tcz on my picore.

openssl.tcz lists ca-certifiates in its .dep file.

ca-certificates includes an /usr/local/tce.installed script, which in turn will call /usr/local/sbin/update-ca-certificates

But update-ca-certificates needs openssl.

This causes errors on boot.
Title: Re: ca-certificates update needs openssl : circular dependency
Post by: bmarkus on November 26, 2021, 06:38:43 AM
Which version, which architecture?
Title: Re: ca-certificates update needs openssl : circular dependency
Post by: stelian on November 26, 2021, 06:48:48 AM
13.1.0, armv6
Title: Re: ca-certificates update needs openssl : circular dependency
Post by: Rich on November 26, 2021, 08:53:21 AM
Hi bmarkus
I wonder if it makes sense to rearrange the  tce.installed  files for those 2 extensions.

Code: [Select]
update-ca-certificates
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert.pem
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/ca-bundle.crt

I think moving these 3 lines from the end of  tce.installed/ca-certificates  to the end of  tce.installed/openssl-1.1.1
would solve the issue:
Title: Re: ca-certificates update needs openssl : circular dependency
Post by: Paul_123 on November 26, 2021, 06:04:54 PM
Pretty sure I took the script in ca-certIificates from core x86_64.

But I don’t see how there is an error during boot, since tce-bootload mounts all extensions in onboot.lst before calling any of the startup scripts. 

The base image has only openssh.tcz in the onboot.lst.  Which will load OpenSSL and ca-certs properly.  The only way to trigger the error would be to have only ca-certificates.tcz listed in onboot

Title: Re: ca-certificates update needs openssl : circular dependency
Post by: Rich on November 26, 2021, 09:23:09 PM
Hi Paul_123
... openssl.tcz lists ca-certifiates in its .dep file. ...
In x86 and x86_64  ca-certificates  lists  openssl  in its  .dep  file. I think that way makes more sense. The
tce.installed/ca-certificates  script calls  update-ca-certificates  which calls  c_rehash.sh  which calls  openssl , so
ca-certificates  depends on  openssl , which should be loaded first.

When booting, tce-load (like tce-bootload) runs the  tce.installed  scripts after all extensions are loaded, so order
should not be an issue there. When using tce-load from the commandline , tce.installed  scripts get run as each
extension gets loaded and dependency scripts run first. So in that case, you want  ca-certificates  to depend on
openssl , and not the other way around.
Title: Re: ca-certificates update needs openssl : circular dependency
Post by: stelian on November 27, 2021, 05:26:13 AM
Pretty sure I took the script in ca-certIificates from core x86_64.

But I don’t see how there is an error during boot, since tce-bootload mounts all extensions in onboot.lst before calling any of the startup scripts. 

The base image has only openssh.tcz in the onboot.lst.  Which will load OpenSSL and ca-certs properly.  The only way to trigger the error would be to have only ca-certificates.tcz listed in onboot

The error came up because I did indeed remove openssh from the onboot.lst, in order to load it later.

Later on the bootprocess (in bootlocat.sh) I load python3, which needs openssl, which needs ca-certificates, which needs openssl...