meenaminimal: a root cert, valid for the next 20 years…?00:04
minimalmeena: well for your own (self-signed) use you can use whatever you want ;-)00:09
minimalif you're asking about policy for official Root CAs you'd need to check the CAB Forum documents00:09
meenaLet's start by removing some certificates!00:12
meenacuz I'm too tired to go creating fresh ones00:13
meenameena: wait, we can't just delete one of the currently trusted certs, they're *all* deleted?00:17
minimalmeena: yupe, that was why I suggested you test on a throwaway VM and mentioned curl/wget/etc having problems due ot missing CAs ;-)00:22
* meena creates a snapshot00:26
meenaminimal: first problem found!00:36
minimaldon't keep me in suspense....lol00:36
meenaminimal: if we're adding FrcccccclvlvgrufghghchhvdjbblebnjkcreublllteiceeBSD00:39
meenato the module, we also need to enable the module in cloud.cfg.tmpl00:39
meenaminimal: but at least i got my setup back in order for being able to actually test this.00:40
meenaalso, i think I should be easily able to test remove_defaults, and reinstall it, because pkg's certificate validation is independent of the rest of the system.00:41
minimalah, doh! let me look at cloud.cfg.tmpl00:41
meenado, I'll look at going to bed now00:42
minimalright, there's a "if not variant.endswith("bsd")" in the template, I'll change that and update the PR00:43
meenawe support FreeBSD, not even dragonfly yet: https://man.dragonflybsd.org/?command=certutil&section=ANY00:45
meenaand pkg puts its keys into /usr/share/keys/pkg/trusted/ so that's safe…00:45
meenaokay gotta go now after the dog00:45
=== meena4 is now known as meeena
=== meeena is now known as meena
esvhey folks, when using custom data on a new deployment, is it required the shebang for the interpreter be added in the file? 16:14
esvI think it just makes sense as cloud-init needs a way to differentiate the scripts from a clound-config file, but not sure if it is mandatory 16:15
minimalesv: you mean user-data (when you say "custom data") ?16:15
minimalesv: look here: https://cloudinit.readthedocs.io/en/latest/explanation/format.html16:16
esvwell, azure api calls it custom-data but if it is better known as user-data, I'd go with that. 16:16
minimalthat defines the various formats of user-data16:16
minimalfor a shell script the section "User data script" says: "Begins with: #! or Content-Type: text/x-shellscript when using a MIME archive"16:17
esvthank you16:22
=== arif-ali_ is now known as arif-ali
minimalFYI: Amazon have implemented a configuration system for their BottleRocket OS that is similar to cloud-int except it uses TOML: https://github.com/bottlerocket-os/bottlerocket/blob/develop/PROVISIONING-METAL.md20:14
meenasomething less awful than https://noyaml.com/ ?!22:01
meenaminimal: well, it works and it doesn't work…22:17
meenawe have two certificate stores… most of ports software uses ca_root_nss; I'm just surprised that fetch (from base) also uses it, must be a fallback22:28
minimalmeena: so what works? and also what does not work? lol22:33
meenaminimal: removing all the default system worked. but I'm surprised that everything still works. because ca_root_nss is installed for some ports like git22:37
minimalmeena: perhaps there is still a "bundle" file somewhere that is used?22:38
meenait installs into /usr/local/share/certs, and this is a location all ssl linked software checks22:38
meenaminimal: that *is* the bundle. ca_root_nss that is.22:38
meenaanyway, this is a FreeBSD problem, not a you problem.22:39
meenaI'll test installing a certificate next.22:39
minimalok, thanks. There was little docs online that I could find about how FreeBSD deals with certs22:39
meenatime for you to share your script :P22:42

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!