Date:      Fri, 17 Dec 2021 01:12:18 -0600
From:      Kyle Evans <kevans@freebsd.org>
To:        Andrea Venturoli <ml@netfence.it>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: How to populate /etc/ssl/certs
Message-ID:  <CACNAnaFijz1ibsk13LQT38ErguNAf13d6v8MqZt%2Beg%2BOGt2ZbA@mail.gmail.com>
In-Reply-To: <86ed5dab-6476-efa7-5ecf-7477bfefc1e9@netfence.it>
References:  <aeb690a3-00bd-1edc-5e36-7b94d63e2730@netfence.it> <CACNAnaH1GkZn0RkVEdLTLdnc82O1h=c-Vvh6=aApGMDfAWBvbg@mail.gmail.com> <86ed5dab-6476-efa7-5ecf-7477bfefc1e9@netfence.it>

On Thu, Dec 16, 2021 at 9:22 AM Andrea Venturoli <ml@netfence.it> wrote:
>
>
> On 12/16/21 03:03, Kyle Evans wrote:
>
> Hello.
> (And thanks for your time).
>
>
>
> > Both; installworld rehashes once and the DESTDIR becomes populated
> > with whatever's present at the time for the purposes of populating an
> > image root or what-have-you. etcupdate will do it again, operating
> > under the theory that it's running on the live system, which may have
> > more roots present to grab than we did previously.
>
> So are we expected to run etcupdate after, e.g., installing
> security/ca_root_nss?
>

Negative; certctl in fact doesn't do anything with
security/ca_root_nss as of yet. The current incarnation of
security/ca_root_nss will likely go away in the near-to-mid future and
might be replaced with a version that installs certctl-compatible
roots at some point.

>
>
> > installworld has done it more or less since introduction,
> > freebsd-update will do it as of more recent versions if that's how
> > you're updating jails.
>
> I'm not using freebsd-update at all (only source updates).
> For jails I use:
> _ first, "ezjail-update -i" which should do something like "make -D
> /usr/jails/basejail installworld";
> _ then, for each jail, "etcupdate -D /usr/jails/{$JAIL}".
>
> This doesn't seem to do the trick.
>

Is /usr/share/certs/* populated *in the jail*? You can always try
running `certctl rehash` manually, maybe with a -v thrown in there for
verbosity.

Thanks,

Kyle Evans
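
The check suggested in the message above, written out as an added example (not part of the original e-mail and not FreeBSD project code): it tells a jail root whose certificate source directory is empty apart from one that has roots but was never rehashed. The function names are hypothetical, and the `trusted` subdirectory under /usr/share/certs is assumed to be certctl's default source location.

```shell
#!/bin/sh
# Added example: classify the certctl trust store under a given root
# (for instance a jail directory). Paths are relative to that root.
# Assumption: roots live in usr/share/certs/trusted and the hashed
# store is etc/ssl/certs.

# Count regular files and symlinks directly inside a directory.
# The trailing slash makes find follow a directory that is itself a symlink.
count_entries() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1/" -mindepth 1 -maxdepth 1 \( -type f -o -type l \) | wc -l | tr -d ' '
}

# Prints one of:
#   no-source   nothing under usr/share/certs/trusted, so a rehash
#               has nothing to work with
#   not-hashed  roots are present but etc/ssl/certs is empty; run
#               `certctl -v rehash` inside the jail
#   ok          both are populated
# Returns 0 only for "ok".
trust_store_state() {
    root=${1%/}
    src=$(count_entries "$root/usr/share/certs/trusted")
    dst=$(count_entries "$root/etc/ssl/certs")
    if [ "$src" -eq 0 ]; then
        echo "no-source"; return 2
    elif [ "$dst" -eq 0 ]; then
        echo "not-hashed"; return 1
    fi
    echo "ok"
}

# When run with arguments, report the state of each root given.
if [ "$#" -gt 0 ]; then
    for r in "$@"; do
        printf '%s: %s\n' "$r" "$(trust_store_state "$r")"
    done
fi
```

Pass one or more jail root directories as arguments; a `no-source` result points at the installworld step, a `not-hashed` result at the rehash step.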


