Bug #15440 (Closed): CA certificates are not added to the Trust Store
Progress: 100%
Description
Stopped working after upgrade to 24.03. Details in:
https://forum.netgate.com/topic/187658/24-03-stuck-at-not-ready-yet/2?_=1714061693317
Updated by Jim Pingle 7 months ago
- Project changed from pfSense Plus to pfSense
- Subject changed from CA Certificate not adding to trust store to CA certificates are not added to the Trust Store
- Category changed from Certificates to Certificates
- Status changed from New to In Progress
- Assignee set to Jim Pingle
- Target version set to 2.8.0
- Affected Plus Version deleted (24.03)
- Plus Target Version set to 24.07
Looks like the behavior of certctl rehash changed and now it wipes out the contents of that directory when it did not do that in the past. So either we change it so we write out our custom entries after certctl rehash (in which case a manual invocation will wipe them again) or we write the CAs out slightly differently so that certctl rehash pulls them in naturally itself rather than us maintaining that separately.
I'm leaning toward the second approach, which seems to work OK in testing here: placing the CA cert files in /usr/local/etc/ssl/certs with a crt extension, and then when certctl rehash runs they end up in /etc/ssl/certs/ as before.
Updated by Jim Pingle 7 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 27fc5a3020fe981b7a5bc98fc9b1660e8773fc7d.
Updated by Georgiy Tyutyunnik 7 months ago
Tested the patch:
Seems like the imported CA is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing.
Updated by Jim Pingle 7 months ago
Georgiy Tyutyunnik wrote in #note-3:
Tested the patch:
Seems like the imported CA is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing.
The CA manager already runs that when making any changes, but it can take several minutes to finish depending on the hardware (check the output of ps uxaww | grep certctl for example). Is it possible you didn't wait long enough for it to finish before testing?
Updated by Georgiy Tyutyunnik 7 months ago
I stand corrected.
Patch works; wait time is around 3 mins after adding a cert to trusted.
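The staging approach Jim describes above, plus the "wait for certctl to finish before checking" point from the later comments, as a small verification script. This is an added example, not pfSense's own code: it assumes a FreeBSD-style certctl(8) and uses the /usr/local/etc/ssl/certs and /etc/ssl/certs paths named in the thread; the directory arguments exist so the helpers can also be tried against scratch directories.

```shell
#!/bin/sh
# Added example, not pfSense code. Mirrors the fix described in the thread:
# custom CAs are staged as .crt files in /usr/local/etc/ssl/certs so that
# certctl rehash picks them up on its own, then the result is verified.
# Directory paths are parameters so the helpers also work on scratch dirs.

# Copy a PEM-encoded CA into the staging directory under the .crt extension
# certctl rehash expects; refuses input that is not a PEM certificate.
stage_ca_cert() {
    src="$1" stage_dir="$2"
    grep -q 'BEGIN CERTIFICATE' "$src" || return 1
    base="${src##*/}"
    mkdir -p "$stage_dir"
    cp "$src" "$stage_dir/${base%.*}.crt"
}

# Wait until no certctl process is left (the thread reports about 3 minutes
# on some hardware, hence the 300 s default). Returns 1 on timeout.
wait_for_certctl() {
    remaining="${1:-300}"
    while [ "$remaining" -gt 0 ]; do
        ps axww | grep -q '[c]ertctl' || return 0
        sleep 5
        remaining=$((remaining - 5))
    done
    return 1
}

# Succeed if some entry in the trust store directory has the same contents
# as the CA (rehash places it there as a link or copy under a hash name).
ca_in_trust_store() {
    ca="$1" store_dir="$2"
    for f in "$store_dir"/*; do
        [ -f "$f" ] && cmp -s "$ca" "$f" && return 0
    done
    return 1
}

# The end-to-end check to run on the firewall itself: stage, rehash, wait,
# then confirm the CA reached /etc/ssl/certs (the paths named in the thread).
install_and_verify_ca() {
    stage_ca_cert "$1" /usr/local/etc/ssl/certs || return 1
    certctl rehash || return 1
    wait_for_certctl 300 || return 1
    ca_in_trust_store "$1" /etc/ssl/certs
}
```

Run install_and_verify_ca on the firewall after importing a CA; a non-zero exit means either the staging failed, certctl was still running after five minutes, or the CA never reached the trust store.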
Updated by Jim Pingle 6 months ago
- Plus Target Version changed from 24.07 to 24.08
Updated by Jim Pingle about 1 month ago
- Plus Target Version changed from 24.08 to 24.11