On 02/13/2018 03:35 PM, Brendan L wrote:
> Hey, I think I've spotted an issue with the update-pki.service file in
> the make-ca package. On my system the update would always fail; when
> looking at my logs, it was because it would try to run before I had a
> network connection. My solution after reading this:
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
> Change this:
>
> After=local-fs.target
> Before=shutdown.target
>
> To this:
>
> After=local-fs.target network-online.target
> Before=shutdown.target
> Wants=network-online.target

Finally added this in git version. Sorry it took me so long.

> Another issue I have, and might be something BLFS doesn't support, is
> when updating the certificates it deletes my
> /etc/ssl/certs/ca-certificates.crt link to ca-bundle.crt. I need that
> link because Steam requires it. Not a huge deal, just annoying to
> have to remember to recreate it when it's deleted.

Please open yet another bug report with Debian to get that part fixed
properly. :-) I'm kidding. Debian has had a slightly broken setup for
several years now, not that we didn't at one time either, but I imagine
it's a much more difficult problem to solve for them - quite a few more
packages - coordination would be a royal pain.
Anyway, with current make-ca, you don't want it there before the script
completes (so the directory is overwritten each time). I can't do this
for LFS proper, but if you can commit to never running 'openssl
c-rehash' on the directory manually, a suitable workaround is to simply
add the following line to the end of the /usr/sbin/make-ca script (or
really, anywhere after c_rehash is run in that script):
ln -s ../ca-bundle.crt "${DESTDIR}${CERTDIR}/ca-certificates.crt"
I'll be ditching c_rehash in the next version of that script (0.9), but
p11-kit does the same thing with the directory in our use case
(overwrite). Same workaround should be good; however, it must be moved
to just before the last "fi" in the 0.9 version of make-ca, which should
land in the development BLFS in a couple of days.
HTH
--DJ
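
The ordering fix quoted at the top of this message, as an added example that is not part of the original thread or of make-ca: a shell check that a unit both orders itself after network-online.target and pulls it in. The function names and sample unit files are constructed; only the After=/Before=/Wants= lines and the /usr/sbin/make-ca path come from the message.

```shell
#!/bin/sh
# Added example, not part of make-ca: lint a unit file for the ordering problem.
# Exit status: 0 = ordered after AND pulls in network-online.target
#              1 = pulled in but not ordered (no After=)
#              2 = ordered but never pulled in (no Wants=/Requires=)
#              3 = neither
check_network_online() {
    awk '
        function has(list) {
            gsub(/[ \t]+/, " ", list)
            return index(" " list " ", " network-online.target ") > 0
        }
        /^[ \t]*[#;]/ { next }                    # comment lines
        /^\[/ { in_unit = ($0 ~ /^\[Unit\][ \t]*$/); next }
        !in_unit { next }                         # dependencies live in [Unit]
        /^After=/ { ordered = ordered " " substr($0, 7) }
        /^(Wants|Requires)=/ { v = $0; sub(/^[^=]*=/, "", v); pulled = pulled " " v }
        END {
            o = has(ordered); p = has(pulled)
            if (o && p) exit 0
            if (!o && !p) exit 3
            exit (o ? 2 : 1)
        }
    ' "$1"
}

# Constructed sample units: only the After=/Before=/Wants= lines come from the
# message; the section headers and the ExecStart line are placeholders.
write_samples() {
    printf '%s\n' '[Unit]' 'After=local-fs.target' 'Before=shutdown.target' \
        '[Service]' 'ExecStart=/usr/sbin/make-ca' > "$1/before.service"
    printf '%s\n' '[Unit]' 'After=local-fs.target network-online.target' \
        'Before=shutdown.target' 'Wants=network-online.target' \
        '[Service]' 'ExecStart=/usr/sbin/make-ca' > "$1/after.service"
    printf '%s\n' '[Unit]' 'After=local-fs.target network-online.target' \
        > "$1/ordered-only.service"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for u in before after ordered-only; do
    rc=0; check_network_online "$demo_dir/$u.service" || rc=$?
    echo "$u.service: status $rc"
done
```

Ordering alone (status 2) does not start network-online.target, and the target only delays anything when a wait-online service is enabled on the system.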