
fix c_rehash, correct manpage, remove blacklist.txt

Modify c_rehash to ignore the /etc/ssl/certs/certs/ca-certificates.crt file when creating hash softlinks in the /etc/ssl/certs/ directory. There are 3 reasons for this: (1) normally whenever "update-ca-certificates" is run (whether by a script/trigger or by an end-user) a warning will appear:

WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping

which is annoying but not problematic, however (2) in some circumstances such as where that file only contains a single certificate, i.e. where you disable all the system certificates and only use your own "local" CA file, then c_rehash may wrongly create a softlink to the ca-certificates.crt file rather than to the correct CA file if c_rehash finds the ca-certificates.crt file first in the /etc/ssl/certs/ directory.

In the "single CA cert" situation if however c_rehash finds the correct (single CA) file first then (3) when it does find the ca-certificates.crt file it will generate the following warning:

WARNING: Skipping duplicate certificate in file ca-certificates.crt

The changes in this MR prevent all 3 scenarios from occurring.

Remove the blacklist.txt file - this has not been updated since it was added to the repo 5+ years ago. Also this file is not used for any purpose - it was previously used/read by the certdata2pem.py Python script but that was replaced by the mk-ca-bundle.pl Perl script which makes no use of blacklist.txt.

Correct update-ca-certificates manpage - this was copied from Debian, however the Alpine program does NOT support any cli options, so remove these from the manpage.

Fixes #2 (closed).
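
A check for scenario (2) above, added here as an example and not part of the merge request or of c_rehash: it lists hash softlinks in a certs directory whose target is the bundle file rather than an individual CA file. The function names, the sample file names and the `<8 hex digits>.<suffix>` link-name pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not project code): report hash-style softlinks that point at
# the concatenated bundle instead of a single CA certificate file.
# Assumption: hash links are named <8 hex digits>.<suffix>, e.g. 4e5f6a7b.0

find_bundle_links() {
    dir=$1
    bundle=${2:-ca-certificates.crt}   # bundle file name taken from the description
    for link in "$dir"/*; do
        # Only softlinks are of interest; regular files are skipped.
        [ -L "$link" ] || continue
        name=${link##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*) ;;
            *) continue ;;             # not a hash-named link
        esac
        target=$(readlink "$link") || continue
        # Compare only the final path component so relative and absolute
        # link targets are treated the same way.
        if [ "${target##*/}" = "$bundle" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample directory: one correct hash link, one link that wrongly
# resolves to the bundle, and one softlink that is not hash-named.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/ca-certificates.crt"
    : > "$d/ca-cert-local.pem"
    ln -s ca-cert-local.pem "$d/0a1b2c3d.0"
    ln -s ca-certificates.crt "$d/4e5f6a7b.0"
    ln -s ca-cert-local.pem "$d/not-a-hash-link"
    printf '%s\n' "$d"
}

# Usage on a real system: find_bundle_links /etc/ssl/certs
```

Any name printed is a hash lookup that will be answered from the bundle file instead of the intended CA file.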
