Bug #15440

closed

CA certificates are not added to the Trust Store

Added by J Rey 9 days ago. Updated 3 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.07
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Actions #1

Updated by Jim Pingle 9 days ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from CA Certificate not adding to trust store to CA certificates are not added to the Trust Store
  • Category changed from Certificates to Certificates
  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.8.0
  • Affected Plus Version deleted (24.03)
  • Plus Target Version set to 24.07

Looks like the behavior of certctl rehash changed and now it wipes out the contents of that directory when it did not do that in the past. So either we change it so we write out our custom entries after certctl rehash (in which case a manual invocation will wipe them again) or we write the CAs out slightly differently so that certctl rehash pulls them in naturally itself rather than us maintaining that separately.

I'm leaning toward the second approach which seems to work OK in testing here, placing the CA cert files in /usr/local/etc/ssl/certs with a crt extension and then when certctl rehash runs they end up in /etc/ssl/certs/ as before.

Actions #2

Updated by Jim Pingle 9 days ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Actions #3

Updated by Georgiy Tyutyunnik 3 days ago

Tested the patch:
Seems like the imported CA is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing.

Actions #4

Updated by Jim Pingle 3 days ago

Georgiy Tyutyunnik wrote in #note-3:

Tested the patch:
Seems like the imported CA is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing.

The CA manager already runs that when making any changes, but it can take several minutes to finish depending on the hardware (check the output of ps uxaww | grep certctl for example). Is it possible you didn't wait long enough for it to finish before testing?
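The staging path described in note #1 and the "wait for certctl to finish" check from note #4, as an added shell example that is not part of this ticket or of pfSense itself; it assumes the ticket's paths (/usr/local/etc/ssl/certs for the .crt files, /etc/ssl/certs for the rehashed store) and that certctl is visible in the process list while it runs.

```shell
#!/bin/sh
# Added example, not pfSense code: stage a CA the way the fix does
# (a .crt file under /usr/local/etc/ssl/certs), wait for `certctl rehash`
# to finish, then confirm the CA really landed in /etc/ssl/certs.
# Directory arguments default to the paths from the ticket so the same
# functions can be exercised against a scratch directory.

# Copy a PEM CA into the directory that certctl rehash scans.
# Writing it straight into /etc/ssl/certs is the pattern that broke:
# rehash now wipes that directory, so such a copy vanishes on the next run.
install_ca() {            # install_ca <name> <pem-file> [ca-dir]
    name=$1; pem=$2; ca_dir=${3:-/usr/local/etc/ssl/certs}
    mkdir -p "$ca_dir" && cp "$pem" "$ca_dir/$name.crt"
}

# The CA manager runs `certctl rehash` itself, but it can take minutes.
# Poll until no certctl process is left; fail if the limit is exceeded.
wait_for_certctl() {      # wait_for_certctl [limit-seconds]
    limit=${1:-600}; waited=0
    while pgrep -x certctl >/dev/null 2>&1; do
        if [ "$waited" -ge "$limit" ]; then return 1; fi
        sleep 5; waited=$((waited + 5))
    done
    return 0
}

# Return 0 if some entry in the trust store (the hash-named links that
# rehash creates, e.g. /etc/ssl/certs/<hash>.0) has the same bytes as <pem>.
ca_in_trust_store() {     # ca_in_trust_store <pem-file> [trust-dir]
    pem=$1; trust_dir=${2:-/etc/ssl/certs}
    for entry in "$trust_dir"/*; do
        if [ -f "$entry" ] && cmp -s "$pem" "$entry"; then return 0; fi
    done
    return 1
}

# Typical use on the firewall (uncomment to run for real):
# install_ca my-root /tmp/my-root.pem && certctl rehash
# wait_for_certctl && ca_in_trust_store /tmp/my-root.pem && echo "CA trusted"
```

The content comparison deliberately follows symlinks, so it finds the CA whether rehash copied the file or linked to the staged .crt.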

Actions #5

Updated by Georgiy Tyutyunnik 3 days ago

I stand corrected.
Patch works; wait time is around 3 mins after adding a cert to trusted.

Actions #6

Updated by Jim Pingle 3 days ago

  • Status changed from Feedback to Resolved