MiSTer-devel / Scripts_MiSTer

Miscellaneous Bash scripts for MiSTer
GNU General Public License v3.0

Certificates issue with update_all.sh that security_fixes.sh does not address #116

Open pepie34 opened 1 month ago

pepie34 commented 1 month ago

If you delete /etc/ssl/certs and then run security_fixes.sh, it should recreate a clean certificate database. But when update_all.sh is run it fails on:

curl: (77) error setting certificate verify locations:  CAfile: /etc/ssl/certs/cacert.pem CApath: /etc/ssl/certs
Couldn't download https://raw.githubusercontent.com/Toryalai1/MiSTer_ArcadeDatabase/db/mad_db.json.zip : Network Problem

security_fixes.sh already downloads that file at line 185:

curl -kL "https://curl.se/ca/cacert.pem"

but pipes it through an awk script that splits it.

In order to avoid the error in update_all.sh, the file cacert.pem should be saved in /etc/ssl/certs/, not only piped and split...

iso70x commented 1 week ago

I agree that this script should ideally be fixed, but I think the "fix CA certs" part of it could also be removed completely now unless anyone knows different. There is already a function in downloader / update_all that fixes the contents of the /etc/ssl/certs folder in a more correct way if the folder is empty for some reason, and this approach matches the stock / default config (ie after a fresh install / linux img upgrade).

The only files needed for a working setup (and which are provided as part of the linux img) are:

/etc/ssl/cert.pem (symbolic link pointing at /etc/ssl/certs/cacert.pem)

and

/etc/ssl/certs/cacert.pem (file containing all the root certs in a single file).

Fixing CA certs should only ever involve downloading a copy of cacert.pem to /etc/ssl/certs/cacert.pem, and nothing else, which is what update_all.sh does if it detects an empty certs folder.

All the additional stuff created by security_fixes.sh (when it chops up cacert.pem, places each individual cert in /etc/ssl/certs, and doesn't create the /etc/ssl/certs/cacert.pem file) is probably redundant and just causes problems. I don't want to say I'm 100% correct on this though, it's just the way it looks to me. The other features of security_fixes.sh are very useful though and definitely worth keeping in there.
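The layout both comments converge on (a single /etc/ssl/certs/cacert.pem plus the /etc/ssl/cert.pem symlink, and no split store) can be produced and checked with a few shell functions. The script below is an added example written for this page; it is not code from Scripts_MiSTer, security_fixes.sh or update_all.sh. It takes the target root as a parameter (the real system uses /etc/ssl; the test passes a temporary directory) and, unlike the `curl -kL` on line 185 quoted above, keeps TLS verification on: when the local store is already broken, the caller hands in a bundle copied from a trusted machine via `--cacert` instead of disabling verification for the download that is supposed to restore trust. The sample bundle in the test is constructed from bare PEM markers, not real certificates.

```shell
#!/bin/sh
# Added example, not the project's code. Installs a CA bundle the way iso70x
# describes: one file at $root/certs/cacert.pem and $root/cert.pem -> certs/cacert.pem.
# No per-certificate splitting, no hashes, nothing else in certs/.

# Count certificates in a PEM bundle (prints 0 for an empty or unreadable file).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || echo 0
}

# install_ca_bundle <bundle.pem> <root>
# Copies the bundle to <root>/certs/cacert.pem and creates the cert.pem symlink.
install_ca_bundle() {
    bundle="$1"; root="$2"
    n=$(count_certs "$bundle")
    # Refuse to install something that is not a bundle (an HTML error page, an empty file).
    [ "$n" -ge 1 ] || { echo "refusing: $bundle holds no certificates" >&2; return 1; }
    mkdir -p "$root/certs" || return 1
    # Copy to a temporary name and rename, so a failed copy never leaves a truncated cacert.pem
    # behind for curl to choke on.
    cp "$bundle" "$root/certs/cacert.pem.tmp" && mv "$root/certs/cacert.pem.tmp" "$root/certs/cacert.pem" || return 1
    chmod 644 "$root/certs/cacert.pem"
    # Relative link target, so the layout survives being mounted under another prefix.
    ln -sfn certs/cacert.pem "$root/cert.pem"
}

# fetch_ca_bundle [root] [trusted_bundle]
# Downloads https://curl.se/ca/cacert.pem with verification enabled and installs it.
# If the local store is unusable, pass a bundle copied from a trusted host as the
# second argument; it is used only as --cacert for this one download. Never -k.
fetch_ca_bundle() {
    root="${1:-/etc/ssl}"
    tmp=$(mktemp) || return 1
    if [ -n "$2" ]; then
        curl -fsSL --proto '=https' --tlsv1.2 --cacert "$2" -o "$tmp" "https://curl.se/ca/cacert.pem"
    else
        curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "https://curl.se/ca/cacert.pem"
    fi || {
        echo "download failed; copy cacert.pem from a trusted host and rerun with it as the second argument" >&2
        rm -f "$tmp"; return 1
    }
    install_ca_bundle "$tmp" "$root"; rc=$?
    rm -f "$tmp"
    return $rc
}

# check_layout <root>
# Returns 0 when the store looks like the stock image described above: cacert.pem present,
# cert.pem a symlink to it, and nothing else (a split store) sitting in certs/.
check_layout() {
    root="$1"
    [ -f "$root/certs/cacert.pem" ] || return 1
    [ -L "$root/cert.pem" ] || return 1
    [ "$(readlink "$root/cert.pem")" = "certs/cacert.pem" ] || return 1
    # The link must resolve to the same bytes as the file it points at.
    cmp -s "$root/cert.pem" "$root/certs/cacert.pem" || return 1
    # Exactly one entry in certs/; per-certificate files from a split would add more.
    set -- "$root/certs"/*
    [ $# -eq 1 ]
}
```

On a live MiSTer the sequence is `fetch_ca_bundle /etc/ssl` (or `fetch_ca_bundle /etc/ssl /media/fat/cacert.pem` with a trusted copy when the store is already empty) followed by `check_layout /etc/ssl`; the second call failing is exactly the condition that produces the `curl: (77)` error quoted in the issue.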