Ca-bundle Questions
Sometime in Feb, yum updated something to do with ca-bundle. I didn’t notice at the time, but it put these two files on my machine:
/etc/pki/tls/certs/ca-bundle.trust.crt.rpmnew and
/etc/pki/tls/certs/ca-bundle.crt.rpmnew
Both of those on the existing system are symbolic links
ca-bundle.trust.crt ->
/etc/pki/ca-trust/extracted/openssl/ca-bundle-trust.crt and
ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
I’m not sure how exactly I’m supposed to use these files to update those locations. One points to a .pem file, which the .rpmnew file is not, and there is no file of the corresponding name in the directory pointed to by the link.
Shouldn’t the rpm have “done the right thing”, and put them where they belong?
-chuck
2 thoughts on - Ca-bundle Questions
If a file has been modified since the RPM package was last installed, then it won’t be overwritten (it’s configurable, but that is the default) – the new file is installed with the .rpmnew extension so that the admin can decide what to do with it.
This is a “good thing”. Most decent packages now have a mechanism for users to override the default configuration without altering the installed files. But if you do decide, for some reason, that the installed config files need to be changed, the last thing you want is for those changes to be wiped out by an upgrade to the package.
In this case, it is certainly within the bounds of possibility that you put in a different CA-Bundle and if you did, you wouldn’t want your version to be overwritten. From what you say, you possibly didn’t actually do so, but you may have updated the file in some other way (such as looking at it with an editor and saving it with trivial changes, that sort of thing; anything that makes it look like a different file). If you want to use the new files, just copy them over the top of the old files – make sure the symlinks still work as they should and everything will be OK.
P.
You need to dig deeper – I will give you a start …
The “something” is the ca-certificates.noarch rpm. It is updated every year around May. The last update was around May 16th this year. Not February.
That is what is defined in the ca-certificates package. See the output of
rpm -qv --list ca-certificates-2018.2.22-70.0.el7_5.noarch
What do the .rpmnew files contain? The repository versions of those files are symlinks, so to me it looks like some other package is trying to install those files.
There is something that is stopping it from “doing the right thing”.
The simple answer is possibly. The sensible answer is that you need to find out if anything has tried to add different certificate files (and why) and work around that to work out what the best thing to do is. Use the ‘rpm’ command to find out what provides the files that have a .rpmnew suffix:
rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.trust.crt
It should come up with just one package – the ca-certificates-2018 package. If it returns multiple packages, then something else is causing confusion.
P.
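Before copying an .rpmnew over a symlinked bundle, as P. suggests, it is worth checking what the link points to, whether that target exists, whether the new bundle actually differs, and which package rpm says owns the file. The script below is an added example, not code from the thread; the fixture it builds in a temporary directory is constructed to mirror the two files chuck describes (one live symlink, one dangling one), and the rpm ownership lookup is skipped when rpm is not installed.

```python
import filecmp
import os
import pathlib
import shutil
import subprocess
import tempfile

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def count_certs(path):
    # Number of PEM certificate blocks in a bundle file.
    return pathlib.Path(path).read_text(errors="replace").count(PEM_MARKER)

def owning_package(path):
    # Package owning `path` per `rpm -qf`; None when rpm is absent or nothing owns it.
    if shutil.which("rpm") is None:
        return None
    res = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None

def audit_rpmnew(rpmnew_path):
    # Relate an .rpmnew file to the installed file (often a symlink) it shadows.
    installed = rpmnew_path[: -len(".rpmnew")]
    real = os.path.realpath(installed)  # follows the symlink chain, if any
    r = {"installed": installed,
         "is_symlink": os.path.islink(installed),
         "link_target": os.readlink(installed) if os.path.islink(installed) else None,
         "target_exists": os.path.isfile(real),
         "same_content": False, "certs_installed": 0,
         "certs_new": count_certs(rpmnew_path), "owner": owning_package(installed)}
    if r["target_exists"]:
        r["same_content"] = filecmp.cmp(real, rpmnew_path, shallow=False)
        r["certs_installed"] = count_certs(real)
    return r

def scan(cert_dir="/etc/pki/tls/certs"):
    # Audit every *.rpmnew in cert_dir, sorted by name.
    return [audit_rpmnew(os.path.join(cert_dir, n))
            for n in sorted(os.listdir(cert_dir)) if n.endswith(".rpmnew")]

def make_sample():
    # Constructed fixture mirroring the thread: one live symlink and one dangling one.
    d = pathlib.Path(tempfile.mkdtemp())
    cert = PEM_MARKER + "\nMIIB...\n-----END CERTIFICATE-----\n"  # placeholder body
    (d / "tls-ca-bundle.pem").write_text(cert * 2)
    (d / "ca-bundle.crt").symlink_to(d / "tls-ca-bundle.pem")
    (d / "ca-bundle.crt.rpmnew").write_text(cert * 3)
    (d / "ca-bundle.trust.crt").symlink_to(d / "missing.crt")
    (d / "ca-bundle.trust.crt.rpmnew").touch()
    return str(d)
```

Running `scan()` with the default directory on a real host reports each .rpmnew beside its symlink; a dangling `link_target` or an `owner` other than ca-certificates is the case P. says needs digging into before anything is copied.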