From: Kyle Evans
Date: Wed, 15 Dec 2021 20:03:50 -0600
Subject: Re: How to populate /etc/ssl/certs
To: Andrea Venturoli
Cc: FreeBSD Mailing List

On Wed, Dec 15, 2021 at 4:20 PM Andrea Venturoli wrote:
>
> Hello.
>
> I've searched for this, but I didn't find an answer.
>
> How is /etc/ssl/certs populated?
>
> Does "make installworld" create the links for certificates in
> /usr/share/certs/trusted?
> Or should etcupdate?
>

Both; installworld rehashes once and the DESTDIR becomes populated with whatever's present at the time for the purposes of populating an image root or what-have-you. etcupdate will do it again, operating under the theory that it's running on the live system, which may have more roots present to grab than we did previously.
> What about /usr/local/share/certs/?
> I see on some of my machines a link to
> /usr/local/share/certs/ca-root-nss.crt: the latter is installed by
> security/ca_root_nss, but it doesn't seem to be the port that creates
> the link...
>
> Also, I'm using ezjail and older jails have /etc/ssl/certs empty!
> Newer jails' /etc/ssl/certs is almost identical to base's, although some
> certs are missing (I suspect it was correctly created, but doesn't get
> updated).
>

installworld has done it more or less since introduction; freebsd-update will do it as of more recent versions, if that's how you're updating jails. 11.x didn't end up with any certs installed; we started with 12.2 (IIRC).

Thanks,
Kyle Evans
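A quick way to check for the situation Andrea describes (a jail or host whose /etc/ssl/certs is empty, or was hashed once and never updated) is to verify that every certificate file in the trust store directories named in this thread has a symlink in /etc/ssl/certs resolving to it. This is an added example written for this thread, not code from the thread or from FreeBSD's own rehash tooling; the function name `audit_cert_links` is hypothetical and the paths are the defaults discussed above.

```shell
#!/bin/sh
# audit_cert_links CERTS_DIR TRUSTED_DIR...
# For every certificate file in the TRUSTED_DIR(s), check that at least one
# symlink in CERTS_DIR resolves to it. Prints each certificate that has no
# link, one per line, and returns 1 if any were found, 0 otherwise.
# Hypothetical helper written for this thread, not part of FreeBSD.
audit_cert_links() {
    certs=$1
    shift
    missing=0
    for trusted in "$@"; do
        for cert in "$trusted"/*; do
            [ -f "$cert" ] || continue   # skip an unmatched glob or subdirs
            found=0
            for link in "$certs"/*; do
                # -L: entry is a symlink; -ef: it resolves to the same inode
                if [ -L "$link" ] && [ "$link" -ef "$cert" ]; then
                    found=1
                    break
                fi
            done
            if [ "$found" -eq 0 ]; then
                printf '%s\n' "$cert"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Run against the default FreeBSD paths named in the thread when they exist
# (so the script is a no-op elsewhere). Inside a jail, run it via jexec so
# the absolute link targets resolve against the jail's own root.
if [ -d /usr/share/certs/trusted ] && [ -d /etc/ssl/certs ]; then
    audit_cert_links /etc/ssl/certs /usr/share/certs/trusted /usr/local/share/certs
fi
```

A non-zero exit with a list of unlinked files means the directory needs another rehash (etcupdate on a live system, as Kyle describes); an empty listing with exit 0 means every trusted certificate is reachable through /etc/ssl/certs.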