Bug 248314 - security/ca_root_nss: Wrong link for cert.pem
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Jochen Neumeister
URL:
Keywords: regression
Depends on:
Blocks: 222262
Reported: 2020-07-28 09:11 UTC by Jonas Palm
Modified: 2023-10-16 05:46 UTC (History)

See Also:
jbeich: maintainer-feedback+


Attachments
v1 (628 bytes, patch)
2020-10-04 13:21 UTC, Mikael Urankar

Description Jonas Palm 2020-07-28 09:11:36 UTC
With ca_root_nss version 3.54 the do-install-ETCSYMLINK-on target changed from:

${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

to

${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

which creates the following symlink in /usr/local/etc/ssl now:
cert.pem@ -> ../../usr/local/share/certs/ca-root-nss.crt
which obviously doesn't exist.

The ../.. in front should be removed.
Comment 1 Jonas Palm 2020-07-28 09:15:38 UTC
(In reply to Jonas Palm from comment #0)

sorry, not the update to 3.54 but the update after (revision 542936) caused this
Comment 2 Jan Beich freebsd_committer freebsd_triage 2020-07-28 13:02:45 UTC
(In reply to Jonas Palm from comment #0)
> creates ... symlink ... which obviously doesn't exist.

I can't reproduce in 12.1 amd64 jail: all symlinks are valid as of 3.55.

$ pkg install ca_root_nss

$ head -2 /usr/local/etc/ssl/cert.pem.sample
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ head -2 /usr/local/openssl/cert.pem.sample
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ head -2 /etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates
Comment 3 Jonas Palm 2020-07-28 14:18:53 UTC
Yes, sorry. My assertion about the update was wrong. I somehow saw another ${PREFIX} in the link's target.


My problem still exists though. If I install the most recent version of ca_root_nss, the link's target of /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

I can reproduce the following on multiple servers:

$ ln -s /usr/local/share/certs/ca-root-nss.crt cert.pem

$ head -2 /usr/local/etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ pkg install -f ca_root_nss
Updating jail repository catalogue...
jail repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
	ca_root_nss-3.55

Number of packages to be reinstalled: 1

Proceed with this action? [Y/n]: 
[myserver] [1/1] Reinstalling ca_root_nss-3.55...
[myserver] [1/1] Extracting ca_root_nss-3.55: 100%
cp: /usr/local/etc/ssl/cert.pem: No such file or directory

$ ls -l /usr/local/etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  43 28 Jul 15:11 /usr/local/etc/ssl/cert.pem -> ../../usr/local/share/certs/ca-root-nss.crt

$ head -2 /usr/local/etc/ssl/cert.pem
head: /usr/local/etc/ssl/cert.pem: No such file or directory
Comment 4 Jan Beich freebsd_committer freebsd_triage 2020-07-28 14:38:19 UTC
(In reply to Jonas Palm from comment #3)
> If I install the most recent version of ca_root_nss the links target of
> /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

Likely caused by ports r542936, which landed after 3.54 but before the 3.55 update. A fix may be to convert ${LN} -sf ../../ to ${RLN}.
Comment 5 peter.larsen 2020-08-11 07:14:29 UTC
# ls -la /etc/local/ssl/cert.pem
ls: /etc/local/ssl/cert.pem: No such file or directory
# ls -la /usr/local/openssl/cert.pem
-rw-r--r--  1 root  wheel  785744 Aug 10 12:22 /usr/local/openssl/cert.pem


on a fresh build, so yes, file is missing on 3.55

I did not deep dive into why
Comment 6 Mikael Urankar freebsd_committer freebsd_triage 2020-10-04 12:35:37 UTC
same problem here:

rm /usr/local/etc/ssl/*
make -C /usr/ports/security/ca_root_nss clean deinstall install
cat /usr/local/etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle 

With strange perm: 
-rwxr-xr-x /usr/local/etc/ssl/cert.pem

fetch https://github.com
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://github.com: Authentication error


Is it a problem with pkg and sample file (running pkg 1.15.8)?


Strangely the official binary package doesn't have the problem:
rm /usr/local/etc/ssl/*
pkg install -fy security/ca_root_nss
cat /usr/local/etc/ssl/cert.pem
snip, lots of stuff

with correct perm: -rw-r--r--

fetch https://github.com
fetch: https://github.com: size of remote file is not known
Comment 7 Mikael Urankar freebsd_committer freebsd_triage 2020-10-04 13:21:44 UTC
Created attachment 218514 [details]
v1

Seems to be ok if the sample is not a symlink.
Comment 8 Mikael Urankar freebsd_committer freebsd_triage 2020-10-04 13:31:41 UTC
(In reply to Mikael Urankar from comment #7)
The patch is not needed, it's caused by r550860 (Keywords/sample.ucl)

r550860 | manu | 2020-10-01 20:32:29 +0200 (Thu, 01 Oct 2020) | 8 lines

Lua version of the @sample

The bonus of this version being: sandboxed
Natively rootdir compliant.

Reviewed by:    portmgr (bapt@, mat@)
Differential Revision:  https://reviews.freebsd.org/D23617

cc'ing manu
Comment 9 commit-hook freebsd_committer freebsd_triage 2020-10-04 14:16:09 UTC
A commit references this bug:

Author: manu
Date: Sun Oct  4 14:14:51 UTC 2020
New revision: 551416
URL: https://svnweb.freebsd.org/changeset/ports/551416

Log:
  ports-mgmt/pkg: Update to 1.15.9

  Changes from 1.15.8 to 1.15.9:
  - lua_pkg_copy when copying a symlink

  PR:		248314
  Approved by:	bapt (implicit)

Changes:
  head/ports-mgmt/pkg/Makefile
  head/ports-mgmt/pkg/distinfo
Comment 10 commit-hook freebsd_committer freebsd_triage 2020-10-12 06:52:21 UTC
A commit references this bug:

Author: bapt
Date: Mon Oct 12 06:51:55 UTC 2020
New revision: 552099
URL: https://svnweb.freebsd.org/changeset/ports/552099

Log:
  MFH: r551167 r551211 r551416 r552059

  ports-mgmt/pkg: Update to 1.15.7

  Changes from 1.15.6 to 1.15.7:
   - Fix %# expand in script

  Approved by:	bapt (implicit)

  Update to 1.15.8

  Fixes a typo which results in pkg ignoring some lua script in some particular
  circumstances: shell script also available in certain types

  ports-mgmt/pkg: Update to 1.15.9

  Changes from 1.15.8 to 1.15.9:
  - lua_pkg_copy when copying a symlink

  PR:		248314
  Approved by:	bapt (implicit)

  ports-mgmt/pkg: Update to 1.15.10

  Add a workaround for https://bugs.freebsd.org/250271

  PR:		250059
  Approved by:	bapt (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/ports-mgmt/pkg/Makefile
  branches/2020Q4/ports-mgmt/pkg/distinfo
Comment 11 Jonas Palm 2021-02-11 09:38:10 UTC
Could anyone with a deeper understanding of the responsible port mechanics please have another look into this? At the moment I have to fix all my jails manually after each ca_root_nss update (which happens quite often) or the jails won't be able to use TLS.
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2022-04-27 10:23:39 UTC
^Triage: This issue appears to have been resolved via commits (comment 9 and comment 10) but was not closed. However, there was a followup after that in comment 11 (by Reporter).

Assign to last committer accordingly and close.

@Reporter (Jonas) If there remains any outstanding issues with respect to your report as originally provided on supported freebsd versions and up to date ports/package trees, please re-open the issue with additional detail.

Apologies for the lack of an earlier response.
Comment 13 Matt Meyer 2022-09-10 15:11:46 UTC
(In reply to Kubilay Kocak from comment #12)
Issue was never fixed.

Easiest way to reproduce issue is to symlink the /etc/ssl directory elsewhere:
  # mkdir -p /test/conf
  # mv /etc/ssl /test/conf/
  # ln -s /test/conf/ssl /etc/ssl
Install the port after those changes and try to cat /etc/ssl/cert.pem - the bug will present itself.

The core issue is the port incorrectly assumes that the real ssl directory always lives 2 deep from root.  The Makefile tries to use relative paths to create symlinks, pointing them to non-existent locations.  The Makefile should be using absolute paths to reference its own files.

This also affects all symlinks created by this port, not just /etc/ssl/cert.pem.
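To make the failure mode in comments 0 and 13 concrete, here is an added example (not code from the port, from pkg, or from anyone in this thread). It rebuilds the situation inside a throwaway directory that stands in for "/", so nothing on the real host is touched: a fixed "../.." prefix in the link target is correct only when the link physically sits two directory levels below the root, as a plain /etc/ssl does; the same expression placed at ${PREFIX}/etc/ssl (four levels deep), or in an /etc/ssl that is itself a symlink into a deeper tree as in comment 13, produces a dangling link. The PREFIX, CERTDIR and bundle name mirror the port's variable names but are assumptions for the demo, and the relocated /etc/ssl is linked relatively ("../test/conf/ssl") only to keep everything inside the temporary root; comment 13 used an absolute "/test/conf/ssl". The relpath/relative_link functions show the alternative comment 4 alludes to, computing the prefix from where the link physically ends up instead of hard-coding it, and link_status is the post-install check a practitioner wants.

```shell
#!/bin/sh
# Added example, not code from security/ca_root_nss or from this bug.
# ROOT stands in for "/"; PREFIX, CERTDIR and the bundle name are assumed
# to match the port's variables. Layout of the relocated /etc/ssl follows
# comment 13.
set -eu

PREFIX=/usr/local
CERTDIR=share/certs
BUNDLE="$PREFIX/$CERTDIR/ca-root-nss.crt"

# Resolve ROOT to its physical path so "pwd -P" inside it can later be
# stripped back to a root-relative path.
ROOT=$(cd -P "$(mktemp -d)" && pwd -P)

# Fake root: the installed bundle, PREFIX/etc/ssl as a plain directory, and
# /etc/ssl moved to /test/conf/ssl and replaced by a symlink. The link is
# relative ("../test/conf/ssl") only to keep the demo inside ROOT.
mkdir -p "$ROOT$PREFIX/$CERTDIR" "$ROOT$PREFIX/etc/ssl" "$ROOT/test/conf/ssl" "$ROOT/etc"
printf '##\n##  ca-root-nss.crt -- Bundle of CA Root Certificates\n' > "$ROOT$BUNDLE"
ln -s ../test/conf/ssl "$ROOT/etc/ssl"

# The port's current form: a fixed "../.." prefix, correct only when the
# link is physically two directory levels below the root.
naive_link() {   # naive_link DIR   (DIR is root-relative, e.g. /etc/ssl)
    ln -sf "../..$BUNDLE" "$ROOT$1/cert.pem"
}

# Relative path from directory FROM to TARGET (both absolute, normalised).
# Walks FROM upward until it is a prefix of TARGET, emitting one ".." per
# step; this is the computation an "ln -r"-style tool does for you.
relpath() {
    from=$1 target=$2 up=""
    while [ "$from" != "/" ] && [ "${target#"$from"/}" = "$target" ]; do
        from=$(dirname "$from")
        up="../$up"
    done
    if [ "$from" = "/" ]; then rest=${target#/}; else rest=${target#"$from"/}; fi
    printf '%s%s\n' "$up" "$rest"
}

# Fixed form: compute the prefix from where the link physically ends up,
# after following any symlinked directories on the way, which is exactly
# how the kernel will resolve ".." components in the link target.
relative_link() {   # relative_link DIR
    phys=$(cd -P "$ROOT$1" && pwd -P)
    ln -sf "$(relpath "${phys#"$ROOT"}" "$BUNDLE")" "$ROOT$1/cert.pem"
}

# Post-install check: does this cert.pem actually resolve to a file?
link_status() {   # link_status LINK  -> prints "ok" or "dangling"
    if [ -e "$1" ]; then echo ok; else echo dangling; fi
}

naive_link /etc/ssl;              NAIVE_ETC=$(link_status "$ROOT/etc/ssl/cert.pem")
naive_link "$PREFIX/etc/ssl";     NAIVE_PREFIX=$(link_status "$ROOT$PREFIX/etc/ssl/cert.pem")
relative_link /etc/ssl;           FIXED_ETC=$(link_status "$ROOT/etc/ssl/cert.pem")
relative_link "$PREFIX/etc/ssl";  FIXED_PREFIX=$(link_status "$ROOT$PREFIX/etc/ssl/cert.pem")

printf '%-30s %s\n' \
    "naive ../.. at /etc/ssl:"         "$NAIVE_ETC" \
    "naive ../.. at $PREFIX/etc/ssl:"  "$NAIVE_PREFIX" \
    "computed at /etc/ssl:"            "$FIXED_ETC" \
    "computed at $PREFIX/etc/ssl:"     "$FIXED_PREFIX"
ls -l "$ROOT/etc/ssl/cert.pem" "$ROOT$PREFIX/etc/ssl/cert.pem"
rm -rf "$ROOT"
```

With the relocated /etc/ssl both naive links come out dangling, because "../.." is taken from the physical directory /test/conf/ssl and from /usr/local/etc/ssl respectively, while the computed links ("../../../usr/local/share/certs/..." and "../../share/certs/...") resolve. On a stock layout relpath /etc/ssl gives exactly the "../../usr/local/..." prefix the port hard-codes, which is why the link looks fine in a plain jail (comment 2) yet breaks everywhere the depth differs.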
Comment 14 Jochen Neumeister freebsd_committer freebsd_triage 2022-09-10 21:46:10 UTC
I will take a look
Comment 15 Tatsuki Makino 2023-08-10 06:16:16 UTC
Currently, /usr/local/openssl/cert.pem is placed by security/ca_root_nss, but isn't it better to do this with security/openssl?

openssl of security/openssl tries to use cert in the directory of "/usr/local/bin/openssl version -d" result.
So I think security/openssl should have a RUN_DEPENDS=ca_root_nss line.

And it also begins to mean that security/openssl can switch to using base root certs instead of ca_root_nss.
There was also the following topic
https://lists.freebsd.org/archives/freebsd-ports/2023-January/003277.html
Comment 16 George Mitchell 2023-09-18 15:07:40 UTC
I think this is the same bug in a different guise.  I had ca_root_nss 3.91 installed up to this morning and just now built and installed 3.93.  Things looked fine until deinstalling 3.91, and this happened:

[1/1] Deinstalling ca_root_nss-3.91...
[1/1] Deleting files for ca_root_nss-3.91:  11%
ca_root_nss-3.91: missing file /usr/local/etc/ssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.91:  33%
ca_root_nss-3.91: missing file /usr/local/openssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.91: 100%

Is this the problem reported here?  Can I ignore this for now?  I'm using base openssl from 13.2-RELEASE-p3.