`make installworld` calls usr.sbin/certctl/certctl.sh at the end. On my stable/14 machine it creates stale symlinks to /tmp:

sudo usr.sbin/certctl/certctl.sh rehash; ./tools/build/stale-symlink-buildworld.sh
certctl.sh: Skipping untrusted certificate 5e98733a (/etc/ssl/untrusted/5e98733a.0)
certctl.sh: Skipping untrusted certificate 57bcb2da (/etc/ssl/untrusted/57bcb2da.0)
certctl.sh: Skipping untrusted certificate f3377b1b (/etc/ssl/untrusted/f3377b1b.0)
certctl.sh: Skipping untrusted certificate 08063a00 (/etc/ssl/untrusted/08063a00.0)
certctl.sh: Skipping untrusted certificate 18856ac4 (/etc/ssl/untrusted/18856ac4.0)
stale symlink detected: lrwxr-xr-x 1 root wheel 31 Nov 11 17:48 /etc/ssl/certs/2ccbdda3.0 -> ../../../tmp/tmp.GHPUFdE4Sq/xer
stale symlink detected: lrwxr-xr-x 1 root wheel 31 Nov 11 17:48 /etc/ssl/certs/9e654b62.0 -> ../../../tmp/tmp.GHPUFdE4Sq/xeh
stale symlink detected: lrwxr-xr-x 1 root wheel 31 Nov 11 17:48 /etc/ssl/certs/b0d5255e.0 -> ../../../tmp/tmp.GHPUFdE4Sq/xes

Looking at the source code usr.sbin/certctl/certctl.sh:
----------------------------------------------------------------------------------
		verbose "Multiple certificates found, splitting..."
		SPLITDIR=$(mktemp -d)
		eolcvt "$CFILE" | egrep '^(---|[0-9A-Za-z/+=]+$)' | \
			split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x"
		for CERT in $(find "$SPLITDIR" -type f) ; do
			"$CFUNC" "$CERT"
		done
		rm -rf "$SPLITDIR"
----------------------------------------------------------------------------------
It creates a temp directory, puts files inside, links from /etc/ssl/certs/ to the temp files, and deletes the temp directory - *boom*

In my case CFILE is /usr/local/share/certs/ca-root-nss.crt from the package ca_root_nss.
Created attachment 265726: patch to certctl.sh

Same here. It happens if there are certs in e.g. /usr/local/share/certs/ca-root-nss.crt which are not in base. I fixed it with the attached patch by enforcing a copy instead of a symlink for those certs.
Also read: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284901
Sorry for taking so long, I've been focused on the release and on $DAYJOB. I have a patch in the works. In the meantime, you can work around the problem by manually running `sudo certctl rehash -c`.
Correction: `sudo certctl -c rehash`
https://reviews.freebsd.org/D54081
Can you please confirm that the patch works for you?
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ce1e7a7921b27b82d8cda499058e685250cc695a

commit ce1e7a7921b27b82d8cda499058e685250cc695a
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-12-10 14:40:22 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-12-10 14:40:22 +0000

    certctl: Always copy bundle fragments

    When processing a bundle, we split it into individual certificates
    stored in temporary files, then pass the name of each temporary file
    to the creation function.  Since the temporary files will later be
    deleted, we need to force the creation function to copy rather than
    symlink these files.

    PR:             290957
    Fixes:          986c43bd80e7 ("certctl: Add an option to copy files.")
    Reviewed by:    allanjude
    Differential Revision:  https://reviews.freebsd.org/D54081

 usr.sbin/certctl/certctl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
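
The failure mode and the fix described in this report can be reproduced in a scratch directory. The script below is an added example, not code from certctl.sh or from the FreeBSD project: install_fragment, process_bundle, count_dangling and run_case are hypothetical names, the fragments are constructed placeholder files rather than certificates, and nothing outside two mktemp directories is touched.

```shell
#!/bin/sh
# Added example: split / install / cleanup sequence with symlink vs copy.

# install_fragment MODE SRC DESTDIR NAME
# Hypothetical stand-in for the creation function; MODE is "link" or "copy".
install_fragment() {
    case "$1" in
    link) ln -s "$2" "$3/$4" ;;
    copy) cp "$2" "$3/$4" ;;
    esac
}

# process_bundle MODE CERTDIR
# Writes fragments to a temp dir, installs each one, then removes the temp dir.
process_bundle() {
    splitdir=$(mktemp -d) || return 1
    for n in xaa xab xac; do
        # Constructed placeholder content, not a real certificate.
        printf 'constructed fragment %s\n' "$n" > "$splitdir/$n"
    done
    for f in "$splitdir"/*; do
        install_fragment "$1" "$f" "$2" "$(basename "$f").0"
    done
    rm -rf "$splitdir"    # the symlink targets disappear here
}

# count_dangling DIR
# Prints the number of symlinks in DIR whose target no longer exists.
count_dangling() {
    n=0
    for l in "$1"/*; do
        if [ -L "$l" ] && [ ! -e "$l" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# run_case MODE
# Builds a scratch certificate directory, processes one bundle, reports.
run_case() {
    certdir=$(mktemp -d) || return 1
    process_bundle "$1" "$certdir"
    count_dangling "$certdir"
    rm -rf "$certdir"
}

echo "link mode: $(run_case link) dangling symlink(s)"
echo "copy mode: $(run_case copy) dangling symlink(s)"
```

Pointing count_dangling at a real certificate directory gives the same kind of check as the stale-symlink script quoted in the report.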