Description of problem:
The 2020 09 11 rootcerts RPM is missing the /etc/pki/tls/rootcerts/ directory and contents. This breaks Citrix.

Version-Release number of selected component (if applicable):
The source RPMS are different sizes.
rootcerts-20200612.00-1.mga7.src.rpm 02-Jul-2020 19:42 420K
rootcerts-20200911.00-1.mga7.src.rpm 24-Sep-2020 10:12 269K
20200612 works, 20200911 does not.

How reproducible:
Always.

Steps to Reproduce:
1. Use Citrix with 20200612, and successfully connect.
2. Use Citrix with 20200911 and not successfully connect.
3. Revert to 20200612 and successfully connect.
Hi, thanks for reporting this. On my M7 systems, I see the /etc/pki/tls/rootcerts directory is empty. I would like to say Citrix is not in our distribution. David Walser has updated this recently. Assigning to him to investigate this.
CC: (none) => ouaurelien
Assignee: bugsquad => luigiwalser
The package has changed dramatically. It now matches the Fedora ca-certificates package. See the fedoraproject references in our recent advisory: https://advisories.mageia.org/MGASA-2020-0377.html
Status: NEW => RESOLVED
Resolution: (none) => INVALID
Quite right about Citrix not being part of your distribution, it is an unfortunate piece of proprietary software I'm stuck with using. I suppose that I'll need to harvest the files from /etc/pki/tls/rootcerts/ using 20200612 and put them somewhere Citrix can access them. Like most proprietary software they don't specify where to get the required certs to operate. I agree with your closure on this.
The /etc/pki/tls/rootcerts directory is actually specific to Mageia, so Citrix wouldn't be using that directory unless you configured it to (you may have done so years ago and forgotten the details). Likely what you had done is put a CA certificate for the site you're connecting to with Citrix in that directory and then run c_rehash, and configured it to use that directory for CA certificates. The way it works now is you add CA certificates to /etc/pki/ca-trust/source/anchors and then you run update-ca-trust. You would then configure Citrix to use a CA bundle rather than a CA directory (openssl lets you use either, and I'm guessing Citrix uses a bundled openssl). I believe you would point it to one of the following:
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
Thank you for the help, what I did was create symbolic links from /etc/pki/tls/rootcerts/* to /opt/Citrix/ICAClient/keystore/cacerts/. Whatever Citrix was looking for was in that directory and it was happy. Citrix is certainly not Mageia's problem and I'm probably one of the few Mageia users that uses Citrix. It appears that Citrix uses the "entrust_" certificates. Thank you for helping me figure out how to get the certificates with the new rootcerts. I'm always dumbfounded at how many aspects there are to maintaining a distribution.
It sounds like it was designed to primarily run on Debian/Ubuntu, which has typically favored the CA directory over the CA bundle. There's probably a way to extract the current rootcerts. Yeah maintaining a distro is crazy, though this one was pretty unique. I am not happy that we had to make this change during a stable branch, but I tried to find a way around it and could not. Firefox itself has had larger changes in the past (UI redesigns, dropping plugins, etc), but this is by far the biggest packaging change we've ever had to make for it.
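
One way to turn a PEM CA bundle such as the /etc/pki/tls/certs/ca-bundle.crt mentioned above back into one file per certificate, for software that wants a CA directory. This is an added example, not part of the original thread or the rootcerts package; the function names, the cert-NNN.pem naming and the "# label" comment convention used by the optional filter are assumptions.

```shell
#!/bin/sh
# Added example: split a PEM CA bundle into one file per certificate.
# Usage: split_ca_bundle BUNDLE OUTDIR [LABEL_FILTER]
# Assumption: LABEL_FILTER relies on each certificate being preceded by a
# "# <label>" comment line; certificates whose label does not contain the
# filter (case-insensitive) are skipped. Only plain "BEGIN CERTIFICATE"
# blocks are handled. Prints the number of files written.
split_ca_bundle() {
    bundle=$1
    outdir=$2
    filter=${3:-}
    [ -r "$bundle" ] || { echo "cannot read: $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v want="$filter" '
        /^# / { label = substr($0, 3); next }          # remember the label
        /^-----BEGIN CERTIFICATE-----/ {
            keep = (want == "" || index(tolower(label), tolower(want)) > 0)
            if (keep) { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        }
        keep { print > out }                            # copy the PEM block
        /^-----END CERTIFICATE-----/ {
            if (keep) close(out)
            keep = 0; label = ""
        }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample bundle (placeholder bodies, not real certificates).
make_sample_bundle() {
    cat > "$1" <<'EOF'
# Entrust Example Root (constructed)
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
# Other Example CA (constructed)
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
EOF
}

# When run as a script with arguments, act on a real bundle.
if [ "$#" -ge 2 ]; then split_ca_bundle "$@"; fi
```

If the application expects an OpenSSL-style hashed CA directory, run c_rehash on the output directory afterwards, as described earlier in the thread.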