Symlinks in local directory are silently ignored by update-ca-certificates
update-ca-certificates (in package ca-certificates) silently ignores symlinks added to /usr/local/share/ca-certificates/.

This makes things difficult when, for example, configuring Kubernetes to mount certificates into this directory using its configMap volumeMount feature; all the files Kubernetes creates are symlinks to normal files in a mount directory that it places elsewhere (./..data/).

If excluding symlinks is intentional (why?) then I would expect the update-ca-certificates program to at least print a warning message for any it finds when it runs.

Demo: below, I write some dummy data to two files in /usr/local/share/ca-certificates, one a normal file and one a symlink, then run update-ca-certificates. I would expect to see warnings generated for both, but we only see a warning for one; the symlink has been ignored.

$ docker run -it --rm alpine /bin/sh
/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.5/community/x86_64/APKINDEX.tar.gz
v3.5.2-56-g7a34e8bf [http://dl-cdn.alpinelinux.org/alpine/v3.5/main]
v3.5.2-49-g2cff35f5 [http://dl-cdn.alpinelinux.org/alpine/v3.5/community]
OK: 7961 distinct packages available
/ # apk add ca-certificates
(1/1) Installing ca-certificates (20161130-r1)
Executing busybox-1.25.1-r0.trigger
Executing ca-certificates-20161130-r1.trigger
OK: 5 MiB in 12 packages
/ # echo foo >/usr/local/share/ca-certificates/foo.crt
/ # echo bar >/tmp/bar.crt
/ # ln -s /tmp/bar.crt /usr/local/share/ca-certificates/bar.crt
/ # update-ca-certificates
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-foo.pem does not contain exactly one certificate or CRL: skipping

(from redmine: issue id 7253, created on 2017-04-27)
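
The check the report asks for can be run by hand before update-ca-certificates. The script below is an added example, not part of the ca-certificates package or of the original report: it lists the symlinked *.crt entries that would go unnoticed and copies resolved certificates in as regular files. The function names and the /certs-staging path are hypothetical.

```shell
#!/bin/sh
# Added example (not part of ca-certificates). Function names are hypothetical.

# list_symlinked_certs DIR
# Prints one line per *.crt entry in DIR that is a symlink, marking dangling ones.
# Returns 0 if none were found, 1 if at least one was, 2 if DIR is not a directory.
list_symlinked_certs() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "error: $dir is not a directory" >&2
        return 2
    fi
    found=0
    for entry in "$dir"/*.crt; do
        [ -L "$entry" ] || continue      # skips regular files and an unmatched glob
        found=1
        target=$(readlink "$entry")
        if [ -e "$entry" ]; then
            echo "symlink $entry -> $target"
        else
            echo "dangling $entry -> $target"
        fi
    done
    return "$found"
}

# copy_resolved_certs SRC DST
# Copies every *.crt in SRC that resolves to a regular file into DST, following
# symlinks so DST holds plain files. Prints the number of files copied.
copy_resolved_certs() {
    src=$1
    dst=$2
    copied=0
    for entry in "$src"/*.crt; do
        [ -f "$entry" ] || continue      # -f follows symlinks; dangling links are skipped
        cp -L "$entry" "$dst/$(basename "$entry")" || return 1
        copied=$((copied + 1))
    done
    echo "$copied"
}

# Assumed usage, with the configMap mounted at a hypothetical staging path:
#   list_symlinked_certs /usr/local/share/ca-certificates
#   copy_resolved_certs /certs-staging /usr/local/share/ca-certificates
#   update-ca-certificates
```

Because the copies are plain files, they go stale when the configMap changes; the copy step has to be rerun before update-ca-certificates each time the mounted certificates are updated.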