Added by J Rey 7 months ago. Updated about 1 month ago.
100%
Description
stopped working after upgrade to 24.03
details in
https://forum.netgate.com/topic/187658/24-03-stuck-at-not-ready-yet/2?_=1714061693317
Updated by Jim Pingle 7 months ago
Looks like the behavior of certctl rehash changed and now it wipes out the contents of that directory when it did not do that in the past. So either we change it so we write out our custom entries after certctl rehash (in which case a manual invocation will wiped them again) or we write the CAs out slightly different so that certctl rehash pulls them in natually itself rather than us maintaining that separately.
I'm leaning toward the second approach which seems to work OK in testing here, placing the CA cert files in /usr/local/etc/ssl/certs with a crt extension and then when certctl rehash runs they end up in /etc/ssl/certs/ as before.
Updated by Jim Pingle 7 months ago
Applied in changeset 27fc5a3020fe981b7a5bc98fc9b1660e8773fc7d.
Updated by Georgiy Tyutyunnik 7 months ago
tested the patch:
seems like imported ca is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing
Updated by Jim Pingle 7 months ago
Georgiy Tyutyunnik wrote in #note-3:
tested the patch:
seems like imported ca is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing
The CA manager already runs that when making any changes, but it can take several minutes to finish depending on the hardware (check the output of ps uxaww | grep certctl for example). Is it possible you didn't wait long enough for it to finish before testing?
Updated by Georgiy Tyutyunnik 7 months ago
I stand corrected.
patch works, wait time around 3 mins after adding a cert to trusted
Updated by Jim Pingle 6 months ago
Updated by Jim Pingle about 1 month ago