
Bug#790943: [ssl-cert] Root and local certificate location clash

On Fri, 03 Jul 2015 10:56:54 +0200 Daniel Pocock <daniel@pocock.pro> wrote:
> Package: ssl-cert
> Version: 1.0.35

> This package provides the script /usr/sbin/make-ssl-cert
> It creates certificates and puts the public key / certificate PEM file
> in /etc/ssl/certs
> The ca-certificates package puts symlinks to CA certificates in the same
> location, /etc/ssl/certs
> Some other packages refer to /etc/ssl/certs as a directory of trusted
> roots.

> Some people suggest using /etc/ssl/ssl.crt or /etc/ssl/public for local
> certificate files.
> I did a Google search to try and find out if there is a policy about
> this directory and no results were found. So I can't say that this
> package is violating any specific policy or what should be done to fix
> it, but I do feel the status quo is troublesome.


/etc/ssl/certs is generated by ca-certificates; I don't think it should be modified by anyone else. I found a weird bug/conflict as a result.

Debian Jessie provides this awesomely convenient setup for Apache. You can literally just enable SSL, and it uses the "snakeoil" (self-signed) certificate created by ssl-cert. (Then Iceweasel/Firefox let you add the server cert when you visit).

I'm looking at trusting the snakeoil cert (to get secure ownCloud sync). I tested curl from the server to itself - certificate error. But the snakeoil cert is already in /etc/ssl/certs, so how does this actually work[*]? curl --cacert <certificate file> works fine. Let's poke around...

update-ca-certificates # no change

update-ca-certificates --fresh # now curl works! without specifying any options.

`update-ca-certificates --fresh` is only documented to remove any stale symlinks. It shouldn't suddenly change the trust status of the default snakeoil! It's not a massive security problem because the snakeoil isn't a CA cert. But it's obviously unintended and surprising behavior.

You could argue it suggests sloppy coding in ca-certificates as well, but ssl-cert's behavior is just asking for trouble.

[*] The "standard", documented way is to copy certs to /usr/local/share/ca-certificates (huh?) and run update-ca-certificates.

> Should local certs go in some other directory,


> or should other packages
> stop trusting everything in /etc/ssl/certs?

Btw I don't mind an extra step to trust local certs, so long as there's a documented method I can have confidence in.
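
The condition described in this message (entries in /etc/ssl/certs that ca-certificates did not install) can be checked with a short audit, added here as an example; it is not part of the original message or of either package. It assumes the managed sources are /usr/share/ca-certificates and /usr/local/share/ca-certificates; the function names and the constructed sample tree are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): flag entries in a certificate
# directory that do not resolve into ca-certificates-managed locations.
# Assumption: these two source directories are the managed ones.
MANAGED_DIRS="/usr/share/ca-certificates /usr/local/share/ca-certificates"
BUNDLE_NAME="ca-certificates.crt"   # bundle generated by update-ca-certificates

# audit_certs_dir DIR: print "<name> -> <resolved target>" per unmanaged entry.
audit_certs_dir() {
    dir=$1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        [ "$name" = "$BUNDLE_NAME" ] && continue
        # Resolve the full chain: hash link -> named link -> real file.
        target=$(readlink -f -- "$entry" 2>/dev/null) || target=""
        managed=no
        for m in $MANAGED_DIRS; do
            mreal=$(readlink -f -- "$m" 2>/dev/null) || continue
            case $target in "$mreal"/*) managed=yes ;; esac
        done
        [ "$managed" = yes ] || printf '%s -> %s\n' "$name" "${target:-unresolvable}"
    done
}

# build_sample_tree ROOT: constructed layout mirroring the report. File
# contents are dummies; only names and link targets matter to the audit.
build_sample_tree() {
    root=$1
    mkdir -p "$root/managed/mozilla" "$root/certs"
    echo dummy > "$root/managed/mozilla/Example_Root_CA.crt"
    ln -s "$root/managed/mozilla/Example_Root_CA.crt" "$root/certs/Example_Root_CA.pem"
    ln -s Example_Root_CA.pem "$root/certs/0a1b2c3d.0"      # hash link, managed
    echo dummy > "$root/certs/ssl-cert-snakeoil.pem"        # regular file, unmanaged
    ln -s ssl-cert-snakeoil.pem "$root/certs/9f8e7d6c.0"    # hash link, unmanaged
    echo dummy > "$root/certs/ca-certificates.crt"
}

# Audit the directory given as the first argument, or the system default.
audit_certs_dir "${1:-/etc/ssl/certs}"
```

Anything the audit prints is a file or link in the trust directory that did not come from the managed sources, which is the kind of entry whose trust status changed after `update-ca-certificates --fresh` in the report above.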

