FS#69298 - [libressl][ca-certificates-utils] /etc/libressl/cert.pem should use certs from /etc/ca-certificates/

Attached to Project: Community Packages
Opened by nl6720 (nl6720) - Tuesday, 12 January 2021, 07:56 GMT
Last edited by Morten Linderud (Foxboron) - Saturday, 13 February 2021, 12:38 GMT
Task Type Feature Request
Category Packages
Status Assigned
Assigned To Levente Polyak (anthraxx)
Eli Schwartz (eschwartz)
Bruno Pagani (ArchangeGabriel)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 3
Private No
The libressl package ships with its own CA certificates packed in /etc/libressl/cert.pem. This doesn't seem right.
It should instead use the certs from /etc/ca-certificates/extracted/tls-ca-bundle.pem like it's done for openssl with the /etc/ssl/cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem symlink provided by ca-certificates-utils.

IMHO /etc/libressl/cert.pem should be removed from libressl and ca-certificates-utils should provide a /etc/libressl/cert.pem -> ../ca-certificates/extracted/tls-ca-bundle.pem symlink.

Additional info (package versions):
libressl 3.2.3-1
ca-certificates-utils 20181109-4
ca-certificates 20181109-4
ca-certificates-mozilla 3.60.1-1

Steps to reproduce:
$ diff /etc/ssl/cert.pem /etc/libressl/cert.pem
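The report's reproduction step is a plain diff of the two files. The script below is an added example written for this page, not code from the bug report or from the libressl or ca-certificates-utils packages; it turns that check into a small audit that classifies how a cert.pem relates to the system CA bundle (a symlink into /etc/ca-certificates/extracted/, an identical copy, or a diverged private bundle like the one reported) and counts the certificates in each, so drift between a package's private trust store and the system store can be spotted. The classification names and the count_certs helper are this example's own; the file paths are the ones named in the report.

```shell
#!/bin/sh
# Added example (editor's code, not from the bug report or the packages).
# Classifies a candidate cert.pem against the canonical CA bundle and
# counts the certificates it carries.

# classify_cert_bundle CANDIDATE BUNDLE
# Prints one word:
#   missing            - CANDIDATE does not exist
#   symlink-to-bundle  - symlink resolving to BUNDLE (the state the report asks for)
#   symlink-elsewhere  - symlink resolving to some other file
#   copy-identical     - regular file with the same bytes as BUNDLE
#   copy-diverged      - regular file whose bytes differ from BUNDLE
#                        (a privately shipped trust store that can drift)
classify_cert_bundle() {
    candidate=$1
    bundle=$2
    if [ ! -e "$candidate" ] && [ ! -L "$candidate" ]; then
        echo missing
        return 0
    fi
    if [ -L "$candidate" ]; then
        # Compare fully resolved paths so relative symlinks such as
        # ../ca-certificates/extracted/tls-ca-bundle.pem are handled.
        if [ "$(readlink -f "$candidate")" = "$(readlink -f "$bundle")" ]; then
            echo symlink-to-bundle
        else
            echo symlink-elsewhere
        fi
        return 0
    fi
    if cmp -s "$candidate" "$bundle"; then
        echo copy-identical
    else
        echo copy-diverged
    fi
}

# count_certs FILE
# Number of PEM certificates in FILE; a quick measure of how far a private
# bundle has drifted from the system store. Prints 0 (and succeeds) when
# the file holds no certificates.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# audit_system_bundles
# Runs the classification over the two paths named in the report. On a host
# without these files the output is simply "missing" for each path.
audit_system_bundles() {
    bundle=/etc/ca-certificates/extracted/tls-ca-bundle.pem
    for p in /etc/ssl/cert.pem /etc/libressl/cert.pem; do
        state=$(classify_cert_bundle "$p" "$bundle")
        if [ -e "$p" ]; then
            printf '%s: %s (%s certificates)\n' "$p" "$state" "$(count_certs "$p")"
        else
            printf '%s: %s\n' "$p" "$state"
        fi
    done
}

audit_system_bundles
```

On a system where ca-certificates-utils provides the /etc/ssl/cert.pem symlink and libressl still ships its own file, the expected output is symlink-to-bundle for the first path and copy-diverged (or copy-identical, until the next upstream bundle update) for the second; after the change the report proposes, both lines read symlink-to-bundle.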
Comment by Eli Schwartz (eschwartz) - Wednesday, 27 January 2021, 21:58 GMT
  • Field changed: Attached to Project (Arch Linux → Community Packages)
the ca-certificates-utils package should not need to provide a symlink for this community package, it should be the libressl package's responsibility. :D
Comment by Eli Schwartz (eschwartz) - Wednesday, 27 January 2021, 22:01 GMT
IMHO we can fix this by dropping libressl in favor of (just uploaded).

openntpd should build fine with it, future versions of opensmtpd "should" use libtls rather than libressl's

Comment by Mikhail N (mikhailnov) - Wednesday, 06 July 2022, 13:01 GMT
Why not just point libressl to /etc/ssl?
Comment by Mikhail N (mikhailnov) - Wednesday, 06 July 2022, 13:03 GMT
To point libressl to /etc/ssl the following is needed:
1) ./configure --with-openssldir=/etc/ssl
2) patch to separate config from OpenSSL