=== chris14_ is now known as chris14
hwpplayer1 | hi people! | 10:43 |
hwpplayer1 | sarnold: hi | 10:44 |
=== crazybyte2 is now known as crazybyte
=== cpaelzer_ is now known as cpaelzer
smoser | hi. I'm wondering if there is an advisable way to solve a problem i'm seeing. | 17:07 |
smoser | i have a supplied p7b file that represents a list of to-be-trusted certificate authorities. | 17:09 |
smoser | that is intended to be the entire set. | 17:09 |
smoser | i can't really avoid ca-certificates getting installed, as it is a dependency (Depends, not just Recommends) of many packages. | 17:10 |
smoser | is there a recommended path for achieving this? I want to only trust "my" list. | 17:11 |
smoser | the thing i'm missing is how i can avoid having an 'apt-get install' or 'upgrade' command adding the Ubuntu certs to the search list. | 17:12 |
sdeziel | smoser: I guess that depends on what software you'd like to use your "custom CA root set"? I know postfix for example can be told to use any directory for that | 17:14 |
smoser | ideally "all software". basically anything using openssl. | 17:16 |
smoser | and, yeah, for things that have other "custom" locations, i understand i would have to address those separately. | 17:16 |
sdeziel | smoser: so maybe add your custom CA root set to `/usr/local/share/ca-certificates/`, then run `update-ca-certificates` to distrust the official roots and only keep yours | 17:27 |
sdeziel | smoser: maybe you can be creative and use a hook script (`/etc/ca-certificates/update.d`) to do that when updates are pushed? | 17:29 |
smoser | yeah, i'd thought about the update.d dir. | 17:37 |
smoser | what did you mean "to distrust the official roots"? | 17:38 |
smoser | i thought it unioned /usr/share/ca-certificates/ and /usr/local/share/ca-certificates/ | 17:38 |
smoser | i'd also thought of just dpkg-divert'ing update-ca-certificates, and replacing it with my own. | 17:41 |
=== crazybyte2 is now known as crazybyte
sdeziel | smoser: `dpkg-reconfigure ca-certificates` can ask you for each of the root CAs to trust, by default they are all trusted but you can remove them all if you wish | 18:40 |
sdeziel | smoser: I just went on and removed them all and the debconf equivalent seems to be: | 18:44 |
sdeziel | root@j:~# debconf-show ca-certificates | 18:44 |
sdeziel | * ca-certificates/enable_crts: | 18:44 |
sdeziel | ca-certificates/new_crts: | 18:45 |
sdeziel | * ca-certificates/trust_new_crts: ask | 18:45 |
sdeziel | ca-certificates/title: | 18:45 |
sdeziel | prior to removing them all from the trusted list, they all appeared in `ca-certificates/enable_crts` | 18:45 |
smoser | that just edits /etc/ca-certificates.conf, right? | 19:08 |
smoser | so what would you think about | 19:08 |
smoser | 1. install package | 19:08 |
smoser | 2. sed -i '/^[^#!]/s/^/!/' /etc/ca-certificates.conf | 19:08 |
smoser | 3. printf "%s\t%s\t%s\t%s\n" ca-certificates ca-certificates/enable_crts select no | debconf-set-selections --checkonly | 19:08 |
smoser | 4. dpkg-reconfigure ca-certificates --frontend=noninteractive | 19:08 |
smoser | ooops. drop the '--checkonly' from set-selections of course. | 19:09 |
smoser | bah. '3' should have been: | 19:14 |
smoser | printf "%s\t%s\t%s\t%s\n" ca-certificates ca-certificates/trust_new_crts select no | debconf-set-selections | 19:14 |
sdeziel | smoser: ah I didn't know it was simply editing `/etc/ca-certificates.conf` so yeah that looks good except that apparently removing all certs doesn't create an empty `/etc/ssl/certs/ca-certificates.crt`, it remains unaltered with the full CA list | 19:26 |
=== hank_ is now known as hank
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!