coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

[rawhide] Removal of `openssl_format_trust_bundle` in ca-certificates package #1804

Open marmijo opened 1 month ago

marmijo commented 1 month ago

A recent update to the ca-certificates package in rawhide (Fedora 42) removed the openssl_format_trust_bundle (previously located at /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt) to improve the startup speed of OpenSSL. This change might affect Fedora CoreOS if it's expected that this file will exist and will also include any certificates specified by users in a Butane config. The ext.config.security.coreos-update-ca-trust kola test is failing for this reason.

The change was first seen in ca-certificates-2024.2.69_v8.0.401-1.fc42: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e3ddd9733b

After supplying a cert to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust extract, the certificate can now be found in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, or /etc/pki/tls/certs/ca-bundle.crt which is a symlink to the first location. I actually tested this in testing-devel and found the supplied cert in the new file, which confirms that this was the case before this change in rawhide. IIUIC, /etc/pki/tls/certs/ca-bundle.crt is a default location where OpenSSL looks for certificates.

The ext.config.security.coreos-update-ca-trust kola test will pass in rawhide if we change the test to validate against the new file instead of the old one, but I'm not sure how this change will affect FCOS as a whole.
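A check of the kind described above, written as an added example (it is not the kola test from fedora-coreos-config nor code from this issue): it verifies that a certificate placed in the anchors directory shows up in the extracted bundle, trying the new tls-ca-bundle.pem path first and the removed ca-bundle.trust.crt path second. The demo files at the end are constructed dummy PEM blocks, not real certificates.

```shell
#!/bin/sh
# Verify that a CA placed under /etc/pki/ca-trust/source/anchors/ was picked up
# by "update-ca-trust extract". The new bundle path from the issue is tried
# first, then the legacy one that rawhide's ca-certificates no longer writes.
NEW_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
OLD_BUNDLE=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

# Base64 body of the first certificate in a PEM file, whitespace removed.
# DER is canonical, so the same cert yields the same body even when the
# extractor re-wraps the lines or adds "# Subject" style comments.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {inblk=1; next}
         /-----END CERTIFICATE-----/   {if (inblk) exit}
         inblk {printf "%s", $0}' "$1"
}

# Exit 0 if the certificate in $1 matches any block in bundle $2.
cert_in_bundle() {
    want=$(pem_body "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ {inblk=1; body=""; next}
        /-----END CERTIFICATE-----/   {if (inblk && body == want) found=1; inblk=0; next}
        inblk {body = body $0}
        END {exit (found ? 0 : 1)}' "$2"
}

# Print the first readable bundle among $2.. that contains anchor $1.
find_anchor_bundle() {
    anchor=$1; shift
    for bundle in "$@"; do
        [ -r "$bundle" ] && cert_in_bundle "$anchor" "$bundle" || continue
        printf '%s\n' "$bundle"; return 0
    done
    return 1
}

# Constructed demo data (dummy base64, not a real certificate): the anchor's
# body reappears re-wrapped in a fake bundle, as update-ca-trust would write it.
DEMO=$(mktemp -d)
B='-----BEGIN CERTIFICATE-----'; E='-----END CERTIFICATE-----'
printf '%s\n' "$B" 'QUJDREVGR0hJSktMTU5PUA==' "$E" > "$DEMO/my-ca.pem"
printf '%s\n' '# Other CA' "$B" 'T3RoZXI=' "$E" '# my-ca' "$B" 'QUJDREVGR0hJ' 'SktMTU5PUA==' "$E" > "$DEMO/tls-ca-bundle.pem"
find_anchor_bundle "$DEMO/my-ca.pem" "$NEW_BUNDLE" "$OLD_BUNDLE" "$DEMO/tls-ca-bundle.pem"
```

On a real node, replace the demo bundle argument with nothing and the anchor argument with the file you dropped into the anchors directory; the script prints whichever system bundle contains it.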

marmijo commented 1 month ago

The ext.config.security.coreos-update-ca-trust kola test will pass in rawhide if we change the test to validate against the new file instead of the old one

I opened https://github.com/coreos/fedora-coreos-config/pull/3183 to make that change

dustymabe commented 1 month ago

Thanks for the thorough investigation and writeup here.

jlebon commented 1 month ago

Looks like this is https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile. Though quite odd it was pushed out to Fedora already when it hasn't been discussed yet AFAICT. Anyway, https://github.com/coreos/fedora-coreos-config/pull/3183 looks sane to me.