| Summary: | rootcerts is missing /etc/pki/tls/rootcerts/ directory and contents. | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Alan Richter <arichter> |
| Component: | RPM Packages | Assignee: | David Walser <luigiwalser> |
| Status: | RESOLVED INVALID | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | ouaurelien |
| Version: | 7 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | rootcerts-20200911.00-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
Alan Richter
2020-10-01 18:15:00 CEST
Hi, thanks for reporting this. On my M7 systems, I see /etc/pki/tls/rootcerts directory empty. I would like to say Citrix is not in our distribution. David Walser has updated this recently. Assigning him to forensic this.

CC: (none) => ouaurelien

The package has changed dramatically. It now matches the Fedora ca-certificates package. See the fedoraproject references in our recent advisory: https://advisories.mageia.org/MGASA-2020-0377.html

Status: NEW => RESOLVED

Quite right about Citrix not being part of your distribution, it is an unfortunate piece of proprietary software I'm stuck with using. I suppose that I'll need to harvest the files from /etc/pki/tls/rootcerts/ using 20200612 and put them somewhere Citrix can access them. Like most proprietary software they don't specify where to get the required certs to operate. I agree with your closure on this.

The /etc/pki/tls/rootcerts directory is actually specific to Mageia, so Citrix wouldn't be using that directory unless you configured it to (you may have done so years ago and forgotten the details). Likely what you had done is put a CA certificate for the site you're connecting to with Citrix in that directory and then run c_rehash, and configured it to use that directory for CA certificates. The way it works now is you add CA certificates to /etc/pki/ca-trust/source/anchors and then you run update-ca-trust. You would then configure Citrix to use a CA bundle rather than a CA directory (openssl lets you use either, and I'm guessing Citrix uses a bundled openssl). I believe you would point it to one of the following:

/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt

Thank you for the help, what I did was create symbolic links from /etc/pki/tls/rootcerts/* to /opt/Citrix/ICAClient/keystore/cacerts/. Whatever Citrix was looking for was in that directory and it was happy. Citrix is certainly not Mageia's problem and I'm probably one of the few Mageia users that uses Citrix. It appears that Citrix uses the "entrust_" certificates. Thank you for helping me figure out how to get the certificates with the new rootcerts. I'm always dumbfounded at how many aspects there are to maintaining a distribution.

It sounds like it was designed to primarily run on Debian/Ubuntu, which has typically favored the CA directory over the CA bundle. There's probably a way to extract the current rootcerts.

Yeah, maintaining a distro is crazy, though this one was pretty unique. I am not happy that we had to make this change during a stable branch, but I tried to find a way around it and could not. Firefox itself has had larger changes in the past (UI redesigns, dropping plugins, etc), but this is by far the biggest packaging change we've ever had to make for it.
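The thread leaves open how to get individual certificate files back out of the new CA bundle for software that expects a CA directory. One way to do it, as an added example that is not part of the bug thread or of the rootcerts package; the function names and the cert-NNNN.pem naming are assumptions, and the sample bundle is constructed placeholder data:

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names and the
# cert-NNNN.pem output naming are assumptions made for illustration.

# split_ca_bundle BUNDLE OUTDIR
# Writes each PEM block in BUNDLE to OUTDIR/cert-NNNN.pem and prints the count.
# Accepts both "CERTIFICATE" armor (ca-bundle.crt) and "TRUSTED CERTIFICATE"
# armor (ca-bundle.trust.crt); comment lines between blocks are dropped.
split_ca_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read bundle: $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN (TRUSTED )?CERTIFICATE-----/ {
            if (inside) close(out)      # previous block had no END line
            n++
            out = sprintf("%s/cert-%04d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-----END (TRUSTED )?CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample bundle: placeholder base64, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# Constructed CA one
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtT05F
-----END CERTIFICATE-----

# Constructed CA two
-----BEGIN TRUSTED CERTIFICATE-----
Q09OU1RSVUNURUQtVFdP
-----END TRUSTED CERTIFICATE-----
EOF
}
```

Run c_rehash on the output directory if the consuming application expects OpenSSL's hashed CA directory layout. The split files are a snapshot, so they need regenerating whenever update-ca-trust rebuilds the bundle.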