Tiny Core Linux

Tiny Core Base => TCB Talk => Topic started by: qopit on June 30, 2023, 08:39:02 PM

Title: Updating ca-certificates.tcz?
Post by: qopit on June 30, 2023, 08:39:02 PM

The last update to ca-certificates.tcz was back in May of 2020:

Code: [Select]

Change-log:     2016/09/12 first version
                2017/04/24 updated to latest certificates
                2017/05/24 added non-perl c_rehash by andyj
                2017/05/25 adjusted non-perl c_rehash
                2019/05/01 updated to latest certificates
Current:        2020/05/08 updated to latest certificates

I'm having some cert problems that I suspect are related to this.  I've tried manually installing the latest Mozilla certs without success... but I'm very likely not doing it correctly since I don't quite understand how it all works, especially in the way this ca-certificates.tcz is working.

Aside from wanting an updated package, does anyone know how to keep these CA certs fresh on a TinyCore system?  I do see that `/tmp/tcloop/ca-certificates/usr/local/sbin/update-ca-certificates` exists, but it is not clear to me how to use it.

FWIW, the cert problem I'm trying to solve can be reproduced like this:

Code: [Select]

tce-load -wi ca-certificates go git
mkdir ~/deleteme
cd ~/deleteme
git clone https://github.com/ochinchina/supervisord.git
cd supervisord
go generate


This will result in this cert problem:

Code: [Select]

$ go generate
go: github.com/gorilla/mux@v1.8.0: Get "https://proxy.golang.org/github.com/gorilla/mux/@v/v1.8.0.mod": x509: certificate signed by unknown authority


Title: Re: Updating ca-certificates.tcz?
Post by: qopit on June 30, 2023, 11:00:15 PM

Ok... I've solves my specific Go issue, but not my generic root cert issue/questions.

Based on this link:
https://stackoverflow.com/questions/40051213/where-is-golang-picking-up-root-cas-from/40051432#40051432

it shows that Go is looking in certain locations for the cert bundle, so doing this addresses the specific problem I was having:


wget https://curl.se/ca/cacert.pem
sudo mkdir -p /etc/ssl/certs
sudo mv ./cacert.pem /etc/ssl/certs/ca-certificates.crt


(unsure why I can't make the above into a code block!?! The forum software gives me an internal server error when I do)

All I've done there is grabbed the latest official (or at least extracted from official) Mozilla CA cert bundle and put it in the debian/ubuntu location where Go will look for it.

I'm not sure about how to (or whether it is wise to) unpack that bundle into all the individual certs that exist in the ca-certificates.tcz package.

Muddling my way through this it seems a bit shocking to me how non-standardized (and confusing) this is.  It's weird that there are both non-standard locations for the bundle file, as well as seemingly mixed usage of whether applications need/use the bundle or individual certs.