FS#44690 - [ca-certificates] [ca-certificates-utils] "trust extract-compat" doesn't work
Attached to Project:
Arch Linux
Opened by ITwrx (andriesinfoserv) - Wednesday, 22 April 2015, 16:12 GMT
Last edited by Jan Alexander Steffens (heftig) - Tuesday, 28 April 2015, 19:32 GMT
Details
Description: Updating to ca-certificates-20150402-1-any.pkg.tar.xz and ca-certificates-utils-20150402-1-any.pkg.tar.xz seems to have deleted my previously trusted CA cert, breaking mail forms for several applications. Running "trust extract-compat" did not successfully extract the CA cert and did not provide any feedback. Downgrading to ca-certificates-20140923-9-any.pkg.tar.xz and ca-certificates-utils-20140923-9-any.pkg.tar.xz and re-running trust extract-compat successfully extracted the CA cert and now mail forms work again.

Question: Are users expected to re-extract certs upon each upgrade or should previously extracted certs be kept automatically? Thanks in advance.

Additional info:
* package version(s): ca-certificates-20150402-1-any.pkg.tar.xz and ca-certificates-utils-20150402-1-any.pkg.tar.xz

Steps to reproduce: upgrade to these packages.
Closed by Jan Alexander Steffens (heftig)
Tuesday, 28 April 2015, 19:32 GMT
Reason for closing: Works for me
(deleted attachment --heftig)
While I look into this, could you try using your CA certificate as the trust anchor instead of individual self-signed server certs? That should work better.
Again, the certificate you gave me is a self-signed certificate. It's actually dangerous to place such in the trust store, as OpenSSL ignores the purpose bits in the root certs, and any such cert now becomes a valid CA for any other certificate the owner of the cert wants to sign.
The proper thing to do is make your own CA certificate, add *that* to the trust store, then sign whatever server certificates you need with the CA cert.
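The layout recommended in the comments above, sketched as an added example (not code from this task or from the Arch packages): a private CA certificate marked CA:TRUE, and a server certificate marked CA:FALSE that is signed by it. The names "Example Local CA" and mail.example.test, the file names and the 30-day lifetime are constructed; the `trust anchor --store` step is left as a comment because it needs root.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed server certificate.
# All names and lifetimes are constructed; keys are throwaway.
umask 077   # private keys must not be group/world readable

make_ca() {  # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$1/ca.key" -out "$1/ca.crt" -days 30 2>/dev/null
}

issue_server_cert() {  # $1 = working directory, $2 = server hostname
    # Leaf profile: cannot sign other certificates, TLS server use only.
    cat > "$1/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl req -new -config "$1/ca.cnf" -subj "/CN=$2" -newkey rsa:2048 \
        -nodes -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/server.ext" -days 30 \
        -out "$1/server.crt" 2>/dev/null
}

chain_ok() {  # succeeds if server.crt chains to ca.crt as a TLS server cert
    openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

is_ca() {  # succeeds if the certificate in $1 carries CA:TRUE
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

work=$(mktemp -d)
make_ca "$work" && issue_server_cert "$work" mail.example.test &&
    chain_ok "$work" && echo "server.crt verifies against ca.crt"
# Only the CA goes into the system trust store (as root):
#   trust anchor --store "$work/ca.crt"
```

The server certificate and key are installed on the mail server itself; only ca.crt is distributed to clients as a trust anchor.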