
Author Topic: Request for ca-certificates

Offline andyj

  • Hero Member
  • Posts: 1057
Request for ca-certificates
« on: December 07, 2025, 04:16:58 PM »
The ca-certificates has a script named 'update-ca-certificates' that gets run as part of the /usr/local/tce.installed load process. However, there is no mkdir in this script; it assumes all the directories to be used exist. This is not the case for the /usr/local/etc/ssl/certs directory. It is not part of this package or its dependency openssl, so if ca-certificates is loaded before whatever does create this directory then update-ca-certificates will fail. Either the update-ca-certificates script needs to be modified to create the certs directory if it does not already exist, or the extension needs to be updated so that directory is in the squashfs structure when it is loaded.

Offline Rich

  • Administrator
  • Hero Member
  • Posts: 12355
Re: Request for ca-certificates
« Reply #1 on: December 07, 2025, 10:10:51 PM »
Hi andyj
The first 3 lines of /usr/local/tce.installed/ca-certificates are:
Code:
if [ ! -d /usr/local/etc ]; then
        mkdir -p /usr/local/etc
fi

If they were changed to this:
Code:
if [ ! -d /usr/local/etc/ssl/certs ]; then
        mkdir -p /usr/local/etc/ssl/certs
fi
that should solve it, right?

Offline andyj

  • Hero Member
  • Posts: 1057
Re: Request for ca-certificates
« Reply #2 on: December 08, 2025, 05:28:53 AM »
Yes, that would work.

Offline Juanito

  • Administrator
  • Hero Member
  • Posts: 15355
Re: Request for ca-certificates
« Reply #3 on: December 08, 2025, 08:22:12 AM »
...but something is creating /usr/local/etc/ssl/certs.

Is it the openssl startup script?

Offline Rich

  • Administrator
  • Hero Member
  • Posts: 12355
Re: Request for ca-certificates
« Reply #4 on: December 08, 2025, 08:46:44 AM »
Hi Juanito
Yes, the openssl startup script is creating /usr/local/etc/ssl/certs.

Would you like me to update the ca-certificates startup script?
This way who depends on whom and load order become irrelevant.

Offline Juanito

  • Administrator
  • Hero Member
  • Posts: 15355
Re: Request for ca-certificates
« Reply #5 on: December 08, 2025, 08:59:51 AM »
Sure, please go ahead  :)

Offline Rich

  • Administrator
  • Hero Member
  • Posts: 12355
Re: Request for ca-certificates
« Reply #6 on: December 08, 2025, 10:26:16 AM »
Hi andyj
ca-certificates updated in TC16 x86 and x86_64.
Please check one of them out and make sure it works correctly.

Offline Paul_123

  • Administrator
  • Hero Member
  • Posts: 1458
Re: Request for ca-certificates
« Reply #7 on: December 08, 2025, 12:41:44 PM »
For reference piCore already had

Code:
[ -d /usr/local/etc/ssl/certs ] || mkdir -p /usr/local/etc/ssl/certs
Although it's a bit redundant, as it could have been fixed your way. I'll change my scripts for the next time I update piCore. Although packages like these are architecture independent.

Offline andyj

  • Hero Member
  • Posts: 1057
Re: Request for ca-certificates
« Reply #8 on: December 08, 2025, 03:20:46 PM »
Yes, the openssl startup script is creating  /usr/local/etc/ssl/certs.

Code:
Dec  8 20:09:07 www-vm authpriv.notice sudo:       tc : TTY=unknown ; PWD=/mnt/sr0/cde/optional ; USER=root ; COMMAND=/bin/mkdir -p /tmp/tcloop/openssl
Dec  8 20:09:07 www-vm authpriv.notice sudo:       tc : TTY=unknown ; PWD=/mnt/sr0/cde/optional ; USER=root ; COMMAND=/bin/mkdir -p /tmp/tcloop/ca-certificates
Dec  8 20:09:07 www-vm authpriv.notice sudo:       tc : TTY=unknown ; PWD=/mnt/sr0/cde/optional ; USER=root ; COMMAND=/bin/mkdir -p /tmp/tcloop/openssh

The load order is right, but I get an error on the console saying the directory can't be found. The directory is there this time but it's empty. I don't have the updated ca-certificates extension, I'm waiting on mirrors. Could this be a race problem? When I run update-ca-certificates from the command line after it boots it works as expected.
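The sudo lines quoted above are the only record the boot leaves of the order in which tce-setup mounted each extension. The following is an added example, not code from the thread or from Tiny Core: it takes those three log lines as embedded sample input and extracts the mount order, so the "openssl before ca-certificates" claim can be checked mechanically rather than by eye. The function names are my own.

```shell
#!/bin/sh
# Added example: reconstruct extension load order from the sudo entries that
# tce-setup leaves in syslog. SAMPLE_LOG holds the three lines quoted in the
# thread (Reply #8); on a live system you would feed /var/log/messages instead.

SAMPLE_LOG='Dec  8 20:09:07 www-vm authpriv.notice sudo:       tc : TTY=unknown ; PWD=/mnt/sr0/cde/optional ; USER=root ; COMMAND=/bin/mkdir -p /tmp/tcloop/openssl
Dec  8 20:09:07 www-vm authpriv.notice sudo:       tc : TTY=unknown ; PWD=/mnt/sr0/cde/optional ; USER=root ; COMMAND=/bin/mkdir -p /tmp/tcloop/ca-certificates
Dec  8 20:09:07 www-vm authpriv.notice sudo:       tc : TTY=unknown ; PWD=/mnt/sr0/cde/optional ; USER=root ; COMMAND=/bin/mkdir -p /tmp/tcloop/openssh'

# Print one extension name per line, in the order its /tmp/tcloop mount point
# was created. Only the "mkdir -p /tmp/tcloop/<name>" commands are matched.
load_order() {
  printf '%s\n' "$SAMPLE_LOG" |
    sed -n 's#.*COMMAND=/bin/mkdir -p /tmp/tcloop/\([^ ]*\)$#\1#p'
}

# Exit 0 if extension $1 was mounted before extension $2, 1 otherwise
# (also 1 if either name never appears in the log).
loaded_before() {
  load_order | awk -v a="$1" -v b="$2" '
    $0 == a && !pa { pa = NR }
    $0 == b && !pb { pb = NR }
    END { exit !(pa && pb && pa < pb) }'
}

# Usage: loaded_before openssl ca-certificates && echo "dependency loaded first"
```

Because tce-setup runs the tce.installed scripts in the same order the extensions were mounted, this order is also the order in which openssl's script (which creates the certs directory) and ca-certificates' script (which fills it) run.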

Offline Rich

  • Administrator
  • Hero Member
  • Posts: 12355
Re: Request for ca-certificates
« Reply #9 on: December 08, 2025, 04:39:21 PM »
Hi andyj
... Could this be a race problem? ...
It does sound like it. Kind of like when the kernel queues a write
until it's convenient to complete it.

Offline andyj

  • Hero Member
  • Posts: 1057
Re: Request for ca-certificates
« Reply #10 on: December 08, 2025, 11:37:32 PM »
Going down yet another rabbit hole, I added -xv to the scripts and updated tce-setup to trace it. In update-ca-certificates this happens:

Code:
cleanup() {
  rm -f "$TEMPBUNDLE"
  rm -f "$ADDED"
  rm -f "$REMOVED"
}
trap cleanup 0
+ trap cleanup 0

# Helper files.  (Some of them are not simple arrays because we spawn
# subshells later on.)
TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
+ TEMPBUNDLE=/usr/local/etc/ssl/certs/ca-certificates.crt.new
ADDED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
+ mktemp -p /tmp ca-certificates.tmp.XXXXXX
+ ADDED=/tmp/ca-certificates.tmp.aaaaaa
REMOVED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
+ mktemp -p /tmp ca-certificates.tmp.XXXXXX
mktemp: File exists
+ REMOVED=
+ cleanup
+ rm -f /usr/local/etc/ssl/certs/ca-certificates.crt.new
+ rm -f /tmp/ca-certificates.tmp.aaaaaa
+ rm -f
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert.pem
+ ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert.pem
ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/ca-bundle.crt
+ ln -s /usr/local/etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/ca-bundle.crt

I see the last two links from the tce.installed/ca-certificates script, but they are red and broken. The script exits because mktemp throws a "file exists" error. Why does this not work from tce-setup, but it does from the CLI?

Offline Rich

  • Administrator
  • Hero Member
  • Posts: 12355
Re: Request for ca-certificates
« Reply #11 on: December 09, 2025, 01:26:39 AM »
Hi andyj
Code:
+ mktemp -p /tmp ca-certificates.tmp.XXXXXX
+ ADDED=/tmp/ca-certificates.tmp.aaaaaa
Isn't  .XXXXXX  supposed to be replaced with a random sequence?
It looks like it's being replaced with  .aaaaaa  which doesn't look random.

I'm guessing the second time it's being called it's returning  .aaaaaa  again.
No entropy?

Offline andyj

  • Hero Member
  • Posts: 1057
Re: Request for ca-certificates
« Reply #12 on: December 09, 2025, 06:40:30 AM »
Apparently my system doesn't have entropy when it starts which is why the script fails, but it does later which is why it works. This brings up a lot of questions, like why isn't there any entropy initially, and why does it have some later.
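The trace in Reply #10 shows the two things that went wrong at once: mktemp handed out the same name twice because the name generator had no randomness to draw on, and the second call then failed with "File exists" because mktemp correctly refuses to reuse a file that is already there (that refusal is the O_EXCL guard that keeps temp files from being hijacked, so it is the one part of the failure that should not be "fixed"). Under the script's trap, the empty REMOVED variable then reached cleanup as a bare `rm -f`. The following is an added example, not the ca-certificates package's own code and not what the thread's fix does: a helper that tries mktemp first and, when mktemp cannot return a fresh name, falls back to PID-and-counter names created under the shell's noclobber option, which makes the `>` redirection use O_CREAT|O_EXCL so a name that already exists is skipped rather than clobbered. Function names, the prefix, and the TMPDIR layout are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the ca-certificates package): temp-file creation
# that still yields a unique, freshly created file when mktemp cannot.
set -e

# Fallback: try dir/prefix.PID.0, dir/prefix.PID.1, ... and create the first
# free one with noclobber (set -C) in a subshell, so the redirection opens the
# file O_CREAT|O_EXCL and an existing file is never reused.
make_tmp_fallback() {
  dir="$1"
  prefix="$2"
  n=0
  while [ "$n" -lt 1000 ]; do
    f="$dir/$prefix.$$.$n"
    if ( set -C; : > "$f" ) 2>/dev/null; then
      printf '%s\n' "$f"
      return 0
    fi
    n=$((n + 1))
  done
  return 1
}

# Preferred path: mktemp, exactly as update-ca-certificates calls it; on any
# failure (including the "File exists" seen in the thread) use the fallback.
make_tmp() {
  dir="${TMPDIR:-/tmp}"
  prefix="${1:-ca-certificates.tmp}"
  if f=$(mktemp -p "$dir" "$prefix.XXXXXX" 2>/dev/null) && [ -n "$f" ]; then
    printf '%s\n' "$f"
    return 0
  fi
  make_tmp_fallback "$dir" "$prefix"
}

# Remove whatever is listed in $TMPFILES. An empty list is a no-op, so a
# failed allocation cannot turn cleanup itself into a second error.
cleanup() {
  for f in $TMPFILES; do
    rm -f "$f"
  done
}

# Mirror the script's two allocations (ADDED and REMOVED) and report whether
# two distinct files were actually created. Returns 0 on success.
demo() {
  TMPFILES=""
  trap cleanup 0
  added=$(make_tmp) || return 1
  removed=$(make_tmp) || return 1
  TMPFILES="$added $removed"
  [ "$added" != "$removed" ] && [ -f "$added" ] && [ -f "$removed" ]
}
```

The fallback names are predictable, which is why the noclobber create matters: predictability is acceptable only because the open fails instead of following a pre-planted file. The thread's own direction, getting the entropy daemon started before the tce.installed scripts run, remains the real fix; this helper only keeps a script from dying on the way there.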

Offline Rich

  • Administrator
  • Hero Member
  • Posts: 12355
Re: Request for ca-certificates
« Reply #13 on: December 09, 2025, 09:34:37 AM »
Hi andyj
I noticed something. The 32 bit version of  haveged  does not have
a tce.installed file. That means it's not started until called after all
extensions have completed loading (bootsync, bootlocal?).

Meanwhile, ca-certificates and openssl do have tce.installed files,
which get executed in the order they were loaded after extensions
have finished loading. So  update-ca-certificates  gets run before
haveged has even been started.

The 64 bit version of  haveged  has this for tce.installed:
Code:
#!/bin/sh
haveged 1>/dev/null 2>&1 &

Offline GNUser

  • Wiki Author
  • Hero Member
  • Posts: 1706
Re: Request for ca-certificates
« Reply #14 on: December 09, 2025, 11:56:44 AM »
Apparently my system doesn't have entropy when it starts which is why the script fails, but it does later which is why it works. This brings up a lot of questions, like why isn't there any entropy initially, and why does it have some later.
Hi andyj. Since version 5.4 the linux kernel has a haveged-like mechanism for generating entropy, but it does so only after the kernel's random number generator (CRNG) is fully initialized. Maybe your setup needs entropy before the CRNG is initialized?

Take a look here: https://github.com/jirka-h/haveged/blob/master/README.md