IBM / ibmichroot

A set of scripts to facilitate the use of chroot-based containers for IBM i
MIT License

Add an RPM for the root certs #32

Closed abmusse closed 4 years ago

abmusse commented 8 years ago

Original report by Justin Dearing (Bitbucket: zippy1981, GitHub: zippy1981).


If I try to clone an https git URL I get the following:

-bash-4.3$ git clone https://github.com/rpm-software-management/rpm.git
Cloning into 'rpm'...
fatal: unable to access 'https://github.com/rpm-software-management/rpm.git/': SSL certificate problem: unable to get local issuer certificate
-bash-4.3$

The solution of course is to grab ca-certificates.crt from a Linux box or Git for Windows. The better solution would be if we made an RPM for the SSL certs.

I tried grabbing the Fedora RPM sources for the Mozilla root certs. I discovered that rpm 3.0.5 won't build that spec. So before I go down the rabbit hole of building RPM 4 on PASE, I figured I'd ask here what the best way to proceed would be?

abmusse commented 6 years ago

Original comment by Kevin Adler (Bitbucket: kadler, GitHub: kadler).


Best is going to be a combination of p11-kit and update-ca-certificates along with the Mozilla root certs. This is exactly what SUSE does and probably other Linux distros.

abmusse commented 8 years ago

Original comment by Aaron Bartell (Bitbucket: aaronbartell, GitHub: aaronbartell).


What I do is download the cacerts from curl's website. I put it in ~/certs/cacert.pem and then run commands as follows:

$ CURL_CA_BUNDLE=~/certs/cacert.pem le issue /www/mysite/htdocs/letsencrypt mysite.com

The best solution would be to figure out where git/curl/wget/etc. are looking for certs by default and then put together directions to symlink our way to them all working. Once we have the symlinks set up we just need to wget https://curl.haxx.se/ca/cacert.pem to the symlink'd directory and everything should be snappy.

Thoughts?
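
Added example, not part of the original thread or the project's code: one way to vet a downloaded bundle such as cacert.pem before pointing tools at it, going a little beyond the CURL_CA_BUNDLE usage above. The function names and the pinned digest are hypothetical; GIT_SSL_CAINFO and SSL_CERT_FILE are the git and OpenSSL counterparts of CURL_CA_BUNDLE, and GNU sha256sum is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): vet a downloaded CA bundle, then
# print the settings that point curl, git and OpenSSL-based tools at it.

# Print the number of PEM certificate blocks; fail if there are none or
# if BEGIN/END markers do not pair up (truncated file, HTML error page).
count_pem_certs() {
    [ -r "$1" ] || return 2
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Compare the file's SHA-256 with a digest obtained out of band.
check_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Vet the bundle, then emit one export line per tool.
ca_bundle_exports() {
    bundle=$1 expected=$2
    check_sha256 "$bundle" "$expected" || { echo "digest mismatch" >&2; return 1; }
    n=$(count_pem_certs "$bundle") || { echo "not a PEM bundle" >&2; return 1; }
    printf '# %s certificates in %s\n' "$n" "$bundle"
    printf 'export CURL_CA_BUNDLE="%s"\n' "$bundle"   # curl (variable used in the thread)
    printf 'export GIT_SSL_CAINFO="%s"\n' "$bundle"   # git over https
    printf 'export SSL_CERT_FILE="%s"\n' "$bundle"    # OpenSSL default CA file override
}

# Demo on a constructed two-entry bundle (dummy bodies, not real certificates).
demo=$(mktemp)
cat > "$demo" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIDE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIDI=
-----END CERTIFICATE-----
EOF
pinned=$(sha256sum "$demo" | cut -d' ' -f1)  # stand-in for a digest pinned out of band
ca_bundle_exports "$demo" "$pinned"
rm -f "$demo"
```

The marker check is structural only: it catches a truncated download or an error page saved as cacert.pem, while the digest comparison is what ties the file to the bundle you intended to trust.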

abmusse commented 5 years ago

@ThePrez Once we ship ca-certs, should we copy the certs over as part of the minimal chroot install?

abmusse commented 4 years ago

We now ship ca-certificates-mozilla which solves this issue.

$ yum install ca-certificates-mozilla