Ca-bundle Questions


Sometime in Feb, yum updated something to do with ca-bundle. I didn’t notice at the time, but it put these two files on my machine:

/etc/pki/tls/certs/ca-bundle.trust.crt.rpmnew and

/etc/pki/tls/certs/ca-bundle.crt.rpmnew

Both of those on the existing system are symbolic links

ca-bundle.trust.crt ->
/etc/pki/ca-trust/extracted/openssl/ca-bundle-trust.crt and

ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

I’m not sure how exactly I’m supposed to use these files to update those locations. One points to a .pem file, which the .rpmnew file is not, and there is no file of the corresponding name in the directory pointed to by the link.

Shouldn’t the rpm have “done the right thing”, and put them where they belong?

-chuck

2 thoughts on - Ca-bundle Questions

  • If a file has been modified since the RPM package was last installed, then it won’t be overwritten (it’s configurable, but that is the default) – the new file is installed with the .rpmnew extension so that the admin can decide what to do with it.

    This is a “good thing”. Most decent packages now have a mechanism for users to override the default configuration without altering the installed files. But if you do decide, for some reason, that the installed config files need to be changed, the last thing you want is for those changes to be wiped out by an upgrade to the package.

    In this case, it is certainly within the bounds of possibility that you put in a different CA bundle, and if you did, you wouldn’t want your version to be overwritten. From what you say, you possibly didn’t actually do so, but you may have updated the file in some other way (such as looking at it with an editor and saving it with trivial changes; that sort of thing, anything that makes it look like a different file). If you want to use the new files, just copy them over the top of the old files – make sure the symlinks still work as they should and everything will be OK.

    P.

  • You need to dig deeper – I will give you a start …

    The “something” is the ca-certificates.noarch rpm. It is updated every year around May. The last update was around May 16th this year. Not February.

    That is what is defined in the ca-certificates package. See the output of

    rpm -qv --list ca-certificates-2018.2.22-70.0.el7_5.noarch

    What do the .rpmnew files contain? The repository versions of those files are symlinks, so to me it looks like some other package is trying to install those files.

    There is something that is stopping it from “doing the right thing”.

    The simple answer is possibly. The sensible answer is that you need to find out if anything has tried to add different certificate files (and why) and work around that to work out what the best thing to do is. Use the ‘rpm’ command to find out what provides the files that have a .rpmnew suffix:

    rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.trust.crt

    It should come up with just one package – the ca-certificates-2018 package. If it returns multiple packages, then something else is causing confusion.

    P.
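
Both replies amount to the same triage: for each .rpmnew, look at what the live file is (regular file or symlink), whether the symlink still resolves, whether the candidate actually differs, and which package owns the path. The script below is an added example that is not part of the thread or of the ca-certificates package. It builds a constructed replica of the layout from the post in a temporary directory (the real /etc/pki is never read or written), classifies each .rpmnew against its live counterpart, and runs the rpm ownership lookup only when rpm is installed; the function names and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): triage *.rpmnew files.
# classify_rpmnew FILE.rpmnew prints one token describing the live file
# that sits next to it:
#   missing        no live file exists
#   dangling-link  live file is a symlink whose target does not exist
#   link-same      live file is a symlink and its target equals the .rpmnew
#   link-differs   live file is a symlink and its target differs
#   same / differs live file is a regular file, content equal / not equal
classify_rpmnew() {
    new="$1"
    live="${new%.rpmnew}"
    if [ -L "$live" ]; then
        # -e follows the link, so a symlink that is present but unresolvable
        # fails this test: exactly the trust-bundle situation in the post.
        if [ ! -e "$live" ]; then echo dangling-link; return 0; fi
        if cmp -s "$live" "$new"; then echo link-same; else echo link-differs; fi
        return 0
    fi
    if [ ! -e "$live" ]; then echo missing; return 0; fi
    if cmp -s "$live" "$new"; then echo same; else echo differs; fi
}

# owner PATH prints the package(s) owning PATH. `rpm -qf` is the short form
# of `rpm -q --whatprovides` used in the reply above. On a machine without
# rpm (e.g. wherever this example is run for demonstration) it says so.
owner() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo not-owned
    else
        echo rpm-not-available
    fi
}

# scan DIR prints "classification<TAB>path<TAB>owner-of-live-path" for every
# .rpmnew below DIR, sorted by path.
scan() {
    find "$1" -name '*.rpmnew' | sort | while read -r f; do
        printf '%s\t%s\t%s\n' "$(classify_rpmnew "$f")" "$f" "$(owner "${f%.rpmnew}")"
    done
}

# make_sample_tree DIR builds a constructed copy of the situation in the post
# under DIR: ca-bundle.crt is a symlink to an extracted PEM that exists, while
# ca-bundle.trust.crt is a symlink whose target was never generated.
make_sample_tree() {
    root="$1"
    certs="$root/etc/pki/tls/certs"
    extracted="$root/etc/pki/ca-trust/extracted"
    mkdir -p "$certs" "$extracted/pem" "$extracted/openssl"
    printf 'OLD BUNDLE\n' > "$extracted/pem/tls-ca-bundle.pem"       # constructed content
    ln -s "$extracted/pem/tls-ca-bundle.pem" "$certs/ca-bundle.crt"
    printf 'NEW BUNDLE\n' > "$certs/ca-bundle.crt.rpmnew"              # constructed content
    ln -s "$extracted/openssl/ca-bundle-trust.crt" "$certs/ca-bundle.trust.crt"
    printf 'NEW TRUST BUNDLE\n' > "$certs/ca-bundle.trust.crt.rpmnew"  # constructed content
}

# Demo on the constructed tree; nothing under the real /etc/pki is touched.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
scan "$demo_root"
rm -rf "$demo_root"
```

Two things the classification is meant to surface before anyone follows the "just copy them over" advice: `cp` onto an existing symlink writes through it into the link target rather than replacing the link, and GNU cp refuses outright to write through a dangling symlink, so a `dangling-link` result needs the target directory sorted out first. On CentOS 7 the files under /etc/pki/ca-trust/extracted/ are generated by `update-ca-trust extract`, which is why the reply's check that "the symlinks still work" is the one that matters.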