Certificates issue with update_all.sh that security_fixes.sh does not address #116

Open
pepie34 opened this issue Sep 18, 2024 · 1 comment

pepie34 commented Sep 18, 2024

If you delete /etc/ssl/certs and then run security_fixes.sh, it should recreate a clean certificate database.
But when update_all.sh is run, it fails on:

curl: (77) error setting certificate verify locations:  CAfile: /etc/ssl/certs/cacert.pem CApath: /etc/ssl/certs
Couldn't download https://raw.githubusercontent.com/Toryalai1/MiSTer_ArcadeDatabase/db/mad_db.json.zip : Network Problem

security_fixes.sh already downloads that file at line 185:

curl -kL "https://curl.se/ca/cacert.pem"

but pipes it through an awk script that splits it.

In order to avoid the error in update_all.sh, the file cacert.pem should be recorded in /etc/ssl/certs/, not only piped and split...

iso70x commented Oct 10, 2024

I agree that this script should ideally be fixed, but I think the "fix CA certs" part of it could also be removed completely now unless anyone knows different. There is already a function in downloader / update_all that fixes the contents of the /etc/ssl/certs folder in a more correct way if the folder is empty for some reason, and this approach matches the stock / default config (i.e. after a fresh install / linux img upgrade).

The only files needed for a working setup (and which are provided as part of the linux img) are:

/etc/ssl/cert.pem (symbolic link pointing at /etc/ssl/certs/cacert.pem)

and

/etc/ssl/certs/cacert.pem (file containing all the root certs in a single file).

Fixing CA certs should only ever involve downloading a copy of cacert.pem to /etc/ssl/certs/cacert.pem, and nothing else, which is what update_all.sh does if it detects an empty certs folder.

All the additional stuff created by security_fixes.sh (when it chops up the cacert.pem, places each individual cert in /etc/ssl/certs, and doesn't create the /etc/ssl/certs/cacert.pem file) is probably redundant and just causes problems. I don't want to say I'm 100% correct on this though, it's just the way it looks to me. The other features of security_fixes.sh are very useful though and definitely worth keeping in there.
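
Added example, not part of either comment above or of the project's scripts: a shell check for the layout described in the second comment (the single bundle at /etc/ssl/certs/cacert.pem and the /etc/ssl/cert.pem symlink pointing at it). The function names and the optional root-prefix argument are assumptions made for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not taken from security_fixes.sh or update_all.sh.
# check_ca_layout and its ROOT argument are hypothetical names; ROOT lets the
# check run against a scratch tree instead of the live /etc/ssl.

# Exit codes: 0 ok, 1 bundle missing or empty, 2 bundle is not well-formed PEM,
# 3 /etc/ssl/cert.pem is not a symlink to the bundle.
check_ca_layout() {
    root="${1:-}"
    bundle="$root/etc/ssl/certs/cacert.pem"   # the CAfile named in the curl (77) error
    link="$root/etc/ssl/cert.pem"

    # Split per-certificate files do not count: curl needs the single bundle.
    { [ -f "$bundle" ] && [ -s "$bundle" ]; } || return 1

    # At least one certificate, and every BEGIN has a matching END
    # (catches a truncated download). This does not validate the certificates.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    { [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]; } || return 2

    # cert.pem must be a symlink that resolves to the bundle.
    { [ -L "$link" ] && [ "$link" -ef "$bundle" ]; } || return 3
    return 0
}

# Constructed sample: the state the issue describes, where only split
# certificate files exist under certs/. The PEM body is a placeholder.
make_split_only_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/ssl/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$t/etc/ssl/certs/sample_root.pem"
    echo "$t"
}
```

Calling `check_ca_layout` with no argument checks the live /etc/ssl; the split-only tree from `make_split_only_tree` returns 1, which is the state that produces the curl error quoted in the first comment.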
