WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: ca-certificates update needs openssl : circular dependency  (Read 1881 times)

Offline stelian

  • Newbie
  • *
  • Posts: 13
ca-certificates update needs openssl : circular dependency
« on: November 26, 2021, 04:49:32 AM »
I have updated ca-certificates tcz on my picore.

openssl.tcz lists ca-certifiates in its .dep file.

ca-certificates includes an /usr/local/tce.installed script, which in turn will call /usr/local/sbin/update-ca-certificates

But update-ca-certificates needs openssl.

This causes errors on boot.

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: ca-certificates update needs openssl : circular dependency
« Reply #1 on: November 26, 2021, 06:38:43 AM »
Which version, which architecture?
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline stelian

  • Newbie
  • *
  • Posts: 13
Re: ca-certificates update needs openssl : circular dependency
« Reply #2 on: November 26, 2021, 06:48:48 AM »
13.1.0, armv6

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: ca-certificates update needs openssl : circular dependency
« Reply #3 on: November 26, 2021, 08:53:21 AM »
Hi bmarkus
I wonder if it makes sense to rearrange the  tce.installed  files for those 2 extensions.

Code: [Select]
update-ca-certificates
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert.pem
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/ca-bundle.crt

I think moving these 3 lines from the end of  tce.installed/ca-certificates  to the end of  tce.installed/openssl-1.1.1
would solve the issue:

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1063
Re: ca-certificates update needs openssl : circular dependency
« Reply #4 on: November 26, 2021, 06:04:54 PM »
Pretty sure I took the script in ca-certIificates from core x86_64.

But I don’t see how there is an error during boot, since tce-bootload mounts all extensions in onboot.lst before calling any of the startup scripts. 

The base image has only openssh.tcz in the onboot.lst.  Which will load OpenSSL and ca-certs properly.  The only way to trigger the error would be to have only ca-certificates.tcz listed in onboot

« Last Edit: November 26, 2021, 06:30:56 PM by Paul_123 »

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11178
Re: ca-certificates update needs openssl : circular dependency
« Reply #5 on: November 26, 2021, 09:23:09 PM »
Hi Paul_123
... openssl.tcz lists ca-certifiates in its .dep file. ...
In x86 and x86_64  ca-certificates  lists  openssl  in its  .dep  file. I think that way makes more sense. The
tce.installed/ca-certificates  script calls  update-ca-certificates  which calls  c_rehash.sh  which calls  openssl , so
ca-certificates  depends on  openssl , which should be loaded first.

When booting, tce-load (like tce-bootload) runs the  tce.installed  scripts after all extensions are loaded, so order
should not be an issue there. When using tce-load from the commandline , tce.installed  scripts get run as each
extension gets loaded and dependency scripts run first. So in that case, you want  ca-certificates  to depend on
openssl , and not the other way around.

Offline stelian

  • Newbie
  • *
  • Posts: 13
Re: ca-certificates update needs openssl : circular dependency
« Reply #6 on: November 27, 2021, 05:26:13 AM »
Pretty sure I took the script in ca-certIificates from core x86_64.

But I don’t see how there is an error during boot, since tce-bootload mounts all extensions in onboot.lst before calling any of the startup scripts. 

The base image has only openssh.tcz in the onboot.lst.  Which will load OpenSSL and ca-certs properly.  The only way to trigger the error would be to have only ca-certificates.tcz listed in onboot

The error came up because I did indeed remove openssh from the onboot.lst, in order to load it later.

Later on the bootprocess (in bootlocat.sh) I load python3, which needs openssl, which needs ca-certificates, which needs openssl...