From: Kyle Evans
Date: Fri, 17 Dec 2021 01:12:18 -0600
Subject: Re: How to populate /etc/ssl/certs
To: Andrea Venturoli
Cc: FreeBSD Mailing List
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
In-Reply-To: <86ed5dab-6476-efa7-5ecf-7477bfefc1e9@netfence.it>

On Thu, Dec 16, 2021 at 9:22 AM Andrea Venturoli wrote:
>
>
> On 12/16/21 03:03, Kyle Evans wrote:
>
> Hello.
> (And thanks for your time).
>
>
>
> > Both; installworld rehashes once and the DESTDIR becomes populated
> > with whatever's present at the time for the purposes of populating an
> > image root or what-have-you. etcupdate will do it again, operating
> > under the theory that it's running on the live system, which may have
> > more roots present to grab than we did previously.
>
> So are we expected to run etcupdate after, e.g., installing
> security/ca_root_nss?
>

Negative; certctl in fact doesn't do anything with
security/ca_root_nss as of yet. The current incarnation of
security/ca_root_nss will likely go away in the near-to-mid future and
might be replaced with a version that installs certctl compatible
roots at some point.

> >
> > installworld has done it more or less since introduction,
> > freebsd-update will do it as of more recent versions if that's how
> > you're updating jails.
>
> I'm not using freebsd-update at all (only source updates).
> For jails I use:
> _ first, "ezjail-update -i" which should do something like "make -D
> /usr/jails/basejail installworld";
> _ then, for each jail, "etcupdate -D /usr/jails/{$JAIL}".
>
> This doesn't seem to do the trick.
>

Is /usr/share/certs/* populated *in the jail*? You can always try
running `certctl rehash` manually, maybe with a -v thrown in there for
verbosity.

Thanks,

Kyle Evans
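
The check asked about in the reply above, as an added shell example that is not part of the original message or of FreeBSD's own tooling: it reports whether a root has source certificates under /usr/share/certs and whether /etc/ssl/certs holds hashed links. The `trusted` subdirectory, the `.pem` extension and the `<hash>.<digit>` link names are assumptions about certctl's layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): is the trust store under ROOT
# populated, and has it been hashed into /etc/ssl/certs?
# Assumed layout: ROOT/usr/share/certs/trusted/*.pem are the source roots,
# ROOT/etc/ssl/certs/<hash>.<digit> are the links a rehash creates.

# count_entries DIR PATTERN: print how many entries in DIR match PATTERN.
count_entries() {
    n=0
    for f in "$1"/$2; do
        # An unmatched glob stays literal; -e/-L filter that case out.
        # -L also counts links whose target is not visible from here.
        if [ -e "$f" ] || [ -L "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_trust_store ROOT
#   returns 0: source certificates present and hashed links present
#   returns 1: source certificates present, no hashed links (rehash needed)
#   returns 2: no source certificates under ROOT/usr/share/certs/trusted
check_trust_store() {
    root=${1%/}
    src=$(count_entries "$root/usr/share/certs/trusted" '*.pem')
    links=$(count_entries "$root/etc/ssl/certs" '*.[0-9]')
    echo "${root}/: source_certs=$src hashed_links=$links"
    [ "$src" -gt 0 ] || return 2
    [ "$links" -gt 0 ] || return 1
    return 0
}

# Usage, inside the jail:  check_trust_store /
```

Status 1 is the case where running `certctl rehash` by hand, as suggested above, is the next step; status 2 means there is nothing under /usr/share/certs for it to hash.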