[Bug 258709] lang/mono6.8: cert-sync doesn't work on iocage style base jails

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 258709] lang/mono6.8: cert-sync doesn"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 11 Oct 2021 21:09:39 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258709

will@worrbase.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |will@worrbase.com

--- Comment #2 from will@worrbase.com ---
I'm experiencing this as well, although with my hand-rolled thinjails. It looks
like cert-sync tries to write to /usr/share/.mono, which is the culprit here.

Running cert-sync yields the following:

terra|worr|22:47:17|1$ sudo jexec j /usr/local/bin/cert-sync
/usr/local/etc/ssl/cert.pem
Mono Certificate Store Sync - version 6.8.0.123
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD
licensed.

Importing into legacy system store:
I already trust 0, your new list has 130
Warning: Could not import C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM
System.IO.IOException: Read-only file system
  at System.IO.FileSystem.CreateDirectory (System.String fullPath) [0x00191] in
<0e6cb1433c7b46f598f86593dd03f528>:0 
  at System.IO.Directory.CreateDirectory (System.String path) [0x0002c] in
<0e6cb1433c7b46f598f86593dd03f528>:0 
  at Mono.Security.X509.X509Store.CheckStore (System.String path,
System.Boolean throwException) [0x00020] in
<9d0b4d46cb9c4cd288c22cd9cdf5212a>:0 
  at Mono.Security.X509.X509Store.Import (Mono.Security.X509.X509Certificate
certificate) [0x00000] in <9d0b4d46cb9c4cd288c22cd9cdf5212a>:0 
  at Mono.Tools.CertSync.ImportToStore
(Mono.Security.X509.X509CertificateCollection roots,
Mono.Security.X509.X509Store store) [0x00050] in
<34bb119f69354d8986322c88a4400682>:0 
Warning: Could not import C=ES, O=FNMT-RCM, OU=Ceres,
OID.2.5.4.97=VATES-Q2826004J, CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS
...

Running the following dtrace script yields:

terra|worr|23:08:39|130$ cat ro-cert-sync.d 
#!/usr/sbin/dtrace -s

syscall:freebsd:mkdir:entry {
  self->path = copyinstr(arg0);
}

syscall:freebsd:mkdir:return {
  if (args[0] != 0) {
    printf("Could not create %s: %d", self->path, errno);
  }
}
terra|worr|23:08:41|0$ sudo dtrace -s ro-cert-sync.d -c 'jexec j
/usr/local/bin/cert-sync --quiet /usr/local/etc/ssl/cert.pem' | head -30
dtrace: script 'ro-cert-sync.d' matched 5 probes
dtrace: pid 35449 has exited
CPU     ID                    FUNCTION:NAME
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs/Trust: 2
  6  77594                     mkdir:return Could not create /usr/share/.mono:
30
  6  77594                     mkdir:return Could not create
/usr/share/.mono/certs: 2

-- 
You are receiving this mail because:
You are the assignee for the bug.