Bug#790943: [ssl-cert] Root and local certificate location clash
On Fri, 03 Jul 2015 10:56:54 +0200 Daniel Pocock <email@example.com> wrote:
> Package: ssl-cert
> Version: 1.0.35
> This package provides the script /usr/sbin/make-ssl-cert
> It creates certificates and puts the public key / certificate PEM file
> in /etc/ssl/certs
> The ca-certificates package puts symlinks to CA certificates in the same
> location, /etc/ssl/certs
> Some other packages refer to /etc/ssl/certs as a directory of trusted
> Some people suggest using /etc/ssl/ssl.crt or /etc/ssl/public for local
> certificate files.
> I did a Google search to try and find out if there is a policy about
> this directory and no results were found. So I can't say that this
> package is violating any specific policy or what should be done to fix
> it, but I do feel the status quo is troublesome.
/etc/ssl/certs is generated by ca-certificates, I don't think it should
be modified by anyone else. I found a weird bug/conflict as a result.
Debian Jessie provides this awesomely convenient setup for Apache. You
can literally just enable SSL, and it uses the "snakeoil" (self-signed)
certificate created by ssl-cert. (Then Iceweasel/Firefox let you add
the server cert when you visit).
I'm looking at trusting the snakeoil cert (to get secure ownCloud
sync). I tested curl from the server to itself - certificate error.
But the snakeoil cert is already in /etc/ssl/certs, so how does this
actually work[*]? curl --cacert <certificate file> works fine. Let's
update-ca-certificates # no change
update-ca-certificates --fresh # now curl works! without specifying any
`update-ca-certificates --fresh` is only documented to remove any stale
symlinks. It shouldn't suddenly change the trust status of the default
snakeoil! It's not a massive security problem because the snakeoil
isn't a CA cert. But it's obviously unintended and surprising behavior.
You could argue it suggests sloppy coding in ca-certificates as well,
but ssl-cert's behavior is just asking for trouble.
[*] The "standard", documented way is to copy certs to
/usr/local/share/ca-certificates (huh?) and run update-ca-certificates.
> Should local certs go in some other directory,
> or should other packages
> stop trusting everything in /etc/ssl/certs?
Btw I don't mind an extra step to trust local certs, so long as there's
a documented method I can have confidence in.
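
One way to see which entries in /etc/ssl/certs did not come from ca-certificates, as an added example that is not part of the original thread nor code from ssl-cert or ca-certificates. The function name `audit_certs_dir` is hypothetical, and the assumption is that ca-certificates only links to files under /usr/share/ca-certificates and /usr/local/share/ca-certificates.

```shell
#!/bin/sh
# Added example: report entries in an OpenSSL CApath directory that do not
# resolve into a ca-certificates source directory.
# Assumed usage on a Debian system:
#   audit_certs_dir /etc/ssl/certs \
#       /usr/share/ca-certificates /usr/local/share/ca-certificates

audit_certs_dir() {
    dir=$1; shift
    for entry in "$dir"/*; do
        # Skip the literal pattern left behind by an empty directory.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        # The concatenated bundle is written by update-ca-certificates itself.
        [ "$name" = "ca-certificates.crt" ] && continue
        # Real subdirectories are not certificate entries.
        [ -d "$entry" ] && [ ! -L "$entry" ] && continue
        if [ ! -L "$entry" ]; then
            # A regular file was dropped here directly by some other tool.
            echo "file $name"
            continue
        fi
        # Follow the whole chain, so a hash-named link to a local file
        # resolves to that local file.
        target=$(readlink -f "$entry") || target=
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "dangling $name"
            continue
        fi
        managed=no
        for m in "$@"; do
            m=$(readlink -f "$m") || continue
            case $target in "$m"/*) managed=yes ;; esac
        done
        [ "$managed" = yes ] || echo "link $name -> $target"
    done
    return 0
}
```

A `file` line for a certificate together with a `link` line for a hash-named symlink pointing at it means the certificate is findable by hash lookup in that directory even though it was never added through update-ca-certificates.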