Re: How to populate /etc/ssl/certs
- Reply: Andrea Venturoli : "Re: How to populate /etc/ssl/certs"
- In reply to: Andrea Venturoli : "Re: How to populate /etc/ssl/certs"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 17 Dec 2021 07:12:18 UTC
On Thu, Dec 16, 2021 at 9:22 AM Andrea Venturoli <ml@netfence.it> wrote:
>
>
> On 12/16/21 03:03, Kyle Evans wrote:
>
> Hello.
> (And thanks for you time).
>
>
>
> > Both; installworld rehashes once and the DESTDIR becomes populated
> > with whatever's present at the time for the purposes of populating an
> > image root or what-have-you. etcupdate will do it again, operating
> > under the theory that it's running on the live system, which may have
> > more roots present to grab than we did previously.
>
> So are we expected to run etcupdate after, e.g., installing
> security/ca_root_nss?
>
Negative; certctl in-fact doesn't do anything with
security/ca_root_nss as of yet. The current incarnation of
security/ca_root_nss will likely go away in the near-to-mid future and
might be replaced with a version that installs certctl compatible
roots at some point.
>
>
> > installworld has done it more or less since introduction,
> > freebsd-update will do it as of more recent versions if that's how
> > you're updating jails.
>
> I'm not using freebsd-update at all (only source updates).
> For jails I use:
> _ first, "ezjail-update -i" which should do something like "make -D
> /usr/jails/basejail installworld";
> _ then, for each jail, "etcupdate -D /usr/jails/{$JAIL}".
>
> This doesn't seem to do the trick.
>
Is /usr/share/certs/* populated *in the jail*? You can always try
running `certctl rehash` manually, maybe with a -v thrown in there for
verbosity.
Thanks,
Kyle Evans