Hi, to...@tuxteam.de wrote: > I assume Thomas knows pretty well what he's doing. He'd know much > better than me, in any case :-)
Regrettably my sysadmin skills are severely underdeveloped. I am qualified for the task only by being the guy who has Linux at home and by having made fun of upgrade woes with other kinds of system. > If I've understood you correctly, you only have to do with a limited > set of sites. I would prefer not to rely on an allow-list. So i currently ponder how to transplant the certificates from a Debian 10 machine. man update-ca-certificates talks of /etc/ssl/certs /etc/ca-certificates.conf /usr/share/ca-certificates In the latter i see on Debian 10: ./mozilla with 126 .crt files. The Debian 8 machine has 172 files in there. The ca-certificates.conf files seem just to list those files on both machines. So a brute force attempt would be to rename the two directories and the file to other names and to then copy the Debian 10 stuff to the original names. The new /etc/ssl/certs would start empty and be populated by update-ca-certificates(8). Well, same old question: How bad an idea is this ? What should i read before making such theories ? Have a nice day :) Thomas
