Open pepie34 opened 1 month ago
I agree that this script should ideally be fixed, but I think the "fix CA certs" part of it could also be removed completely now unless anyone knows different. There is already a function in `downloader` / `update_all` that fixes the contents of the `/etc/ssl/certs` folder in a more correct way if the folder is empty for some reason, and this approach matches the stock / default config (i.e. after a fresh install / linux img upgrade).

The only files needed for a working setup (and which are provided as part of the linux img) are:

- `/etc/ssl/cert.pem` (symbolic link pointing at `/etc/ssl/certs/cacert.pem`)
- `/etc/ssl/certs/cacert.pem` (file containing all the root certs in a single file).

Fixing CA certs should only ever involve downloading a copy of `cacert.pem` to `/etc/ssl/certs/cacert.pem`, and nothing else, which is what `update_all.sh` does if it detects an empty `certs` folder.

All the additional stuff created by `security_fixes.sh` (when it chops up the `cacert.pem`, places each individual cert in `/etc/ssl/certs`, and doesn't create the `/etc/ssl/certs/cacert.pem` file) is probably redundant and just causes problems. I don't want to say I'm 100% correct on this though, it's just the way it looks to me. The other features of `security_fixes.sh` are very useful though and definitely worth keeping in there.
If you delete `/etc/ssl/certs` and then run `security_fixes.sh`, it should recreate a clean certificate database. But when `update_all.sh` is run it fails on:

`security_fixes.sh` already downloads that file (line 185), but pipes it through an awk script that splits it.

In order to avoid the error on `update_all.sh`, the file `cacert.pem` should be recorded in `/etc/ssl/certs/`, not only piped and split...
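As an added example (not the project's own `update_all.sh` or `security_fixes.sh` code), a POSIX shell check for the layout the thread describes: it assumes the two paths above and takes an optional root prefix so it can be tried on a scratch tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the project's scripts): verify the minimal CA layout
# the thread describes. ROOT (first arg, default "" = live system) prefixes
# every path so the check can run against a scratch tree. Expected:
#   $ROOT/etc/ssl/cert.pem          symlink -> /etc/ssl/certs/cacert.pem
#   $ROOT/etc/ssl/certs/cacert.pem  single bundle holding all root certs
# Returns 0 when the layout is OK, 1 otherwise (reason printed).
check_ca_layout() {
    root="${1:-}"
    ssl="$root/etc/ssl"
    bundle="$ssl/certs/cacert.pem"
    link="$ssl/cert.pem"
    if [ ! -d "$ssl/certs" ] || [ -z "$(ls -A "$ssl/certs" 2>/dev/null)" ]; then
        echo "FAIL: $ssl/certs missing or empty"; return 1
    fi
    # Individual split certs but no bundle is the state the thread describes
    # after security_fixes.sh chops up cacert.pem.
    if [ ! -s "$bundle" ]; then
        echo "FAIL: bundle $bundle missing or empty"; return 1
    fi
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no PEM certificates in $bundle"; return 1
    fi
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink"; return 1
    fi
    # Resolve an absolute or relative link target and require it to be the
    # same file as the bundle.
    target=$(readlink "$link")
    case "$target" in
        /*) resolved="$root$target" ;;
        *)  resolved="$ssl/$target" ;;
    esac
    if [ ! "$resolved" -ef "$bundle" ]; then
        echo "FAIL: $link -> $target, expected $bundle"; return 1
    fi
    echo "OK: $n certificates in $bundle, $link -> $target"
}

# Demo on a constructed scratch tree in the broken "split, no bundle" state.
scratch=$(mktemp -d)
mkdir -p "$scratch/etc/ssl/certs"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' \
    > "$scratch/etc/ssl/certs/12345678.0"   # one split cert, no cacert.pem
check_ca_layout "$scratch" || true            # prints "FAIL: bundle ... missing"
rm -rf "$scratch"
```

Run it with no argument to check the live board; a non-zero exit means `update_all.sh` would treat the folder as needing a fresh `cacert.pem`.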