Bug 248314 - security/ca_root_nss wrong link for cert.pem
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ports Security Team
URL:
Keywords: needs-patch, regression
Depends on:
Blocks: 222262
Reported: 2020-07-28 09:11 UTC by Jonas Palm
Modified: 2020-08-11 07:14 UTC

See Also:
bugzilla: maintainer-feedback? (ports-secteam)
jbeich: maintainer-feedback+


Description Jonas Palm 2020-07-28 09:11:36 UTC
With ca_root_nss version 3.54 the do-install-ETCSYMLINK-on target changed from:

${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

to

${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

which creates the following symlink in /usr/local/etc/ssl now:
cert.pem@ -> ../../usr/local/share/certs/ca-root-nss.crt
which obviously doesn't exist.

The ../.. in front should be removed.
Comment 1 Jonas Palm 2020-07-28 09:15:38 UTC
(In reply to Jonas Palm from comment #0)

Sorry, not the update to 3.54 but the update after (revision 542936) caused this.
Comment 2 Jan Beich freebsd_committer 2020-07-28 13:02:45 UTC
(In reply to Jonas Palm from comment #0)
> creates ... symlink ... which obviously doesn't exist.

I can't reproduce in 12.1 amd64 jail: all symlinks are valid as of 3.55.

$ pkg install ca_root_nss

$ head -2 /usr/local/etc/ssl/cert.pem.sample
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ head -2 /usr/local/openssl/cert.pem.sample
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ head -2 /etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates
Comment 3 Jonas Palm 2020-07-28 14:18:53 UTC
Yes, sorry. My assertion about the update was wrong. I somehow saw another ${PREFIX} in the link's target.


My problem still exists though. If I install the most recent version of ca_root_nss, the link's target of /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

I can reproduce the following on multiple servers:

$ ln -s /usr/local/share/certs/ca-root-nss.crt cert.pem

$ head -2 /usr/local/etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ pkg install -f ca_root_nss
Updating jail repository catalogue...
jail repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
	ca_root_nss-3.55

Number of packages to be reinstalled: 1

Proceed with this action? [Y/n]: 
[myserver] [1/1] Reinstalling ca_root_nss-3.55...
[myserver] [1/1] Extracting ca_root_nss-3.55: 100%
cp: /usr/local/etc/ssl/cert.pem: No such file or directory

$ ls -l /usr/local/etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  43 28 Juli 15:11 /usr/local/etc/ssl/cert.pem -> ../../usr/local/share/certs/ca-root-nss.crt

$ head -2 /usr/local/etc/ssl/cert.pem
head: /usr/local/etc/ssl/cert.pem: No such file or directory
Comment 4 Jan Beich freebsd_committer 2020-07-28 14:38:19 UTC
(In reply to Jonas Palm from comment #3)
> If I install the most recent version of ca_root_nss the links target of
> /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

Likely caused by ports r542936, which landed after 3.54 but before the 3.55 update. A fix may be to convert ${LN} -sf ../../ to ${RLN}.
Comment 5 peter.larsen 2020-08-11 07:14:29 UTC
# ls -la /etc/local/ssl/cert.pem
ls: /etc/local/ssl/cert.pem: No such file or directory
# ls -la /usr/local/openssl/cert.pem
-rw-r--r--  1 root  wheel  785744 Aug 10 12:22 /usr/local/openssl/cert.pem


on a fresh build, so yes, file is missing on 3.55

I did not deep dive into why
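
Why the same `../..` prefix resolves from /etc/ssl but dangles from /usr/local/etc/ssl, as an added example that is not part of the bug thread or the port's Makefile: it rebuilds both layouts in a scratch directory, assuming PREFIX=/usr/local and the bundle path shown in the comments, then computes the target from the link's own directory. The helpers `relpath`, `report` and `demo` are names made up for this example; `relpath` is an illustrative stand-in, not the ports framework's ${RLN}.

```shell
#!/bin/sh
# relpath FROM_DIR TO: print absolute path TO relative to absolute dir FROM_DIR.
# Both must be normalised (no "..", no trailing slash).
relpath() {
    from=$1 to=$2 up=
    rest=${to#"$from"/}
    while [ "$rest" = "$to" ]; do      # FROM_DIR is not yet a prefix of TO
        from=${from%/*}                # climb one directory
        up="../$up"
        rest=${to#"$from"/}
    done
    printf '%s%s\n' "$up" "$rest"
}

# report ROOT LINK: print LINK, its target, and whether it resolves under ROOT.
report() {
    if [ -e "$1$2" ]; then state=ok; else state=dangling; fi
    printf '%s -> %s: %s\n' "$2" "$(readlink "$1$2")" "$state"
}

demo() {
    root=$(mktemp -d) || return 1      # scratch root; the real system is untouched
    bundle=/usr/local/share/certs/ca-root-nss.crt
    mkdir -p "$root/etc/ssl" "$root/usr/local/etc/ssl" "$root${bundle%/*}"
    echo '## constructed placeholder, not a real CA bundle' > "$root$bundle"
    # The same hard-coded "../.." prefix, used at two different depths.
    for dir in /etc/ssl /usr/local/etc/ssl; do
        ln -s "../..$bundle" "$root$dir/cert.pem"
        report "$root" "$dir/cert.pem"
    done
    # Target computed from the link's own directory instead.
    rm -f "$root/usr/local/etc/ssl/cert.pem"
    ln -s "$(relpath /usr/local/etc/ssl "$bundle")" "$root/usr/local/etc/ssl/cert.pem"
    report "$root" /usr/local/etc/ssl/cert.pem
    rm -rf "$root"
}

demo
```

From /usr/local/etc/ssl, `../..` climbs only to /usr/local, so the hard-coded target points at /usr/local/usr/local/share/certs/ca-root-nss.crt. The computed target for that directory is ../../share/certs/ca-root-nss.crt.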