Hi Michael,

Thanks for looking at the issue so quickly.

On 07/27/2013 03:05 AM, Michael Shuler wrote:
> On 07/24/2013 12:07 PM, Paolo Scarabelli wrote:
>> If I add a new certificate with blanks in the file name in
>> /usr/share/ca-certificates, when I run:
>>
>> dpkg-reconfigure ca-certificates
> 
> Why did you do it this way?
> 
> Locally installed certificates should be placed in
> /usr/local/share/ca-certificates/ and they will be trusted. From
> README.Debian:
> 
> If you want to install local certificate authorities to be implicitly
> trusted, please put the certificate files as single files ending with
> “.crt” into “/usr/local/share/ca-certificates” and re-run
> “update-ca-certificates”.

Thanks, I overlooked that. When I tried to install the certificates by
copying them into /usr/local/share/ca-certificates, I saw none of them in
the list proposed by dpkg-reconfigure ca-certificates, so I assumed the
right way was to copy them into /usr/share/ca-certificates. I should have
read the documentation better.

>> it adds a line for every part of the file name in ca-certificates.conf.
>>
>> For example, if I try to add the certificate:
>>
>> Actalis Authentication Root CA.crt
>>
>> it adds the following lines to ca-certificates.conf:
>>
>> Actalis
>> Authentication
>> Root
>> CA.crt
> 
> OK. I'll look to see if this can be escaped, but it really is
> unnecessary, since you wrote the file somewhere it really should not
> have been written to. In addition, the CA you wrote is already in the
> Mozilla bundle, if you were not aware of this.

That was just an example, I took the first I found in the list. I
installed about 100 root certificates from the Italian digital signature
issuers and I couldn't remember which I installed and which I didn't.


> A quick test to see what happens when written with spaces to the correct
> local install location (c_rehash emits the warning about a duplicate
> cert) - it is added correctly symlinked in /etc/ssl/certs/ directory as
> well as appended to /etc/ssl/certs/ca-certificates.crt:
> 
> mshuler@mana:~$ sudo cp -p /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt /usr/local/share/ca-certificates/"Actalis Authentication Root CA.withspaces.crt"
> mshuler@mana:~$ ls -l /usr/local/share/ca-certificates/
> total 4
> -rw-r--r-- 1 root root 2049 Jun 10 13:21 Actalis Authentication Root CA.withspaces.crt
> mshuler@mana:~$ sudo update-ca-certificates
> Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate Actalis_Authentication_Root_CA.withspaces.pem
> WARNING: Skipping duplicate certificate Actalis_Authentication_Root_CA.withspaces.pem
> 1 added, 0 removed; done.
> Running hooks in /etc/ca-certificates/update.d....done.
> 
> mshuler@mana:~$ ls -l /etc/ssl/certs/|grep Actalis
> lrwxrwxrwx 1 root root     34 Jul 26 13:34 5f47b495.0 -> Actalis_Authentication_Root_CA.pem
> lrwxrwxrwx 1 root root     34 Jul 26 13:34 930ac5d2.0 -> Actalis_Authentication_Root_CA.pem
> lrwxrwxrwx 1 root root     69 Jul 26 13:32 Actalis_Authentication_Root_CA.pem -> /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
> lrwxrwxrwx 1 root root     78 Jul 26 13:34 Actalis_Authentication_Root_CA.withspaces.pem -> /usr/local/share/ca-certificates/Actalis Authentication Root CA.withspaces.crt
> 
> mshuler@mana:~$ grep MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE /etc/ssl/certs/ca-certificates.crt
> MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
> MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
> 
> All the files installed by the package do not have spaces - these are
> the files configured by the package. I'll consider whether this bug
> should just be closed or if some further escaping is needed after
> looking more closely.


To me the problem is solved, thanks! However, copying a file with spaces
in /usr/share/ca-certificates probably shouldn't result in a broken
config file.


Thanks again and have a nice day,


Paolo
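
The symptom reported in this thread (one ca-certificates.conf line per word of the file name) is what shell word splitting produces. The sketch below is an added illustration, not part of the original message and not code from the ca-certificates package: the function names and the sample directory are hypothetical, and it assumes only the conf conventions that "#" starts a comment and a leading "!" marks a deselected certificate.

```shell
#!/bin/sh
# Added illustration; not code from the ca-certificates package.

# Build a constructed certificate directory; the files are empty placeholders.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/Actalis Authentication Root CA.crt"
    : > "$d/Example_Root.crt"
    printf '%s\n' "$d"
}

# Fragile: the unquoted $(ls ...) result is split on whitespace, so a single
# file name with blanks becomes several config lines.
write_conf_split() {    # $1 = cert dir, $2 = output conf (outside the cert dir)
    for name in $(ls "$1"); do
        printf '%s\n' "$name"
    done > "$2"
}

# Robust: a quoted glob keeps each file name as one entry.
write_conf_quoted() {   # $1 = cert dir, $2 = output conf
    for path in "$1"/*.crt; do
        [ -e "$path" ] || continue          # glob matched nothing
        printf '%s\n' "${path##*/}"
    done > "$2"
}

# Check: count conf entries that do not name an existing file in the cert dir.
# A non-zero result indicates a config broken in the way described above.
count_orphan_entries() {    # $1 = cert dir, $2 = conf file
    orphans=0
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac   # skip blanks and comments
        entry=${entry#"!"}                         # "!" = deselected (assumed convention)
        [ -e "$1/$entry" ] || orphans=$((orphans + 1))
    done < "$2"
    printf '%s\n' "$orphans"
}
```

Running count_orphan_entries against /usr/share/ca-certificates and /etc/ca-certificates.conf is a read-only way to see whether a system's config already contains such fragments.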

