Adjust make-ca to use hg-edge.mozilla.org instead of hg.mozilla.org.

hg.mozilla.org now redirects to hg-edge.mozilla.org. This presents a
couple of unique challenges:

- OpenSSL s_client cannot follow redirects.
- hg-edge.mozilla.org is configured differently than hg.mozilla.org was.
- The certificate used for hg-edge.mozilla.org is signed by Let's
  Encrypt instead of the Mozilla CA root.

To fix this, we have done the following:

- Removed the mozilla CA root from the make-ca package, and replaced it
  with ISRG-Root-X1, which is the signing root certificate for Let's
  Encrypt certificates.
- Adjusted the Makefile to install the new signing root certificate.
- Changed the URL for downloading the certdata.txt file to
  hg-edge.mozilla.org
- Fixed problems with retrieving the certificate data from that website
  by specifying the HTTP version and turning off keep-alive support. As
  part of this we need to change from using "echo" to "printf" due to
  a behavior change in how "\n" is handled. Note that "\n" must be
  specified or else the connection will hang.

This will allow certificate data to be updated once again.
Douglas R. Reno
2025-04-07 23:13:39 -05:00
committed by Douglas R. Reno
parent 8f59caf832
commit b651169925
2 changed files with 5 additions and 5 deletions
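The commit message describes a raw HTTP/1.1 GET piped into openssl s_client and the hang that occurs when the request is not terminated properly. The following is an added example, not code from make-ca or this commit: it shows one way to build that request so the URL is never spliced into a printf format string, to send the Host and Connection: close headers HTTP/1.1 expects, and to check the captured response (status line, transfer coding) before stripping the headers off and treating the rest as certdata.txt. The host and path are the ones in the diff; the two sample responses are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example, not part of make-ca: a raw HTTP/1.1 GET through
# openssl s_client, plus validation of the captured response before it is
# used as certdata.txt. Sample responses below are constructed.

# build_request PATH HOST
# PATH and HOST are printf arguments, never part of the format string, so
# a '%' in either is emitted literally. HTTP/1.1 requires a Host header;
# "Connection: close" is the standard token asking the server to close after
# the response, so s_client hits EOF and exits instead of waiting on a
# kept-alive connection. Header lines end in CRLF as the protocol requires.
build_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$2"
}

# extract_body FILE
# FILE holds what s_client wrote to stdout: status line, headers, empty
# line, body. Accept only a 200 status, refuse chunked transfer coding
# (its hex chunk-size lines would otherwise land inside the body), then
# print the body with CRs removed (certdata.txt itself contains none).
# Returns 1 on a non-200 status, 2 on a chunked response.
extract_body() {
    _status=$(tr -d '\r' < "$1" | head -n 1)
    case "${_status}" in
        "HTTP/1.1 200"*|"HTTP/1.0 200"*) ;;
        *) printf 'unexpected status line: %s\n' "${_status}" >&2; return 1 ;;
    esac
    if tr -d '\r' < "$1" | sed -n '1,/^$/p' \
        | grep -qi '^Transfer-Encoding:[[:space:]]*chunked'; then
        printf 'chunked transfer coding not handled\n' >&2
        return 2
    fi
    # Drop everything up to and including the first empty line.
    tr -d '\r' < "$1" | sed -e '1,/^$/d'
}

# Typical use over the network (not run here). The root file path is the
# one the diff installs; the s_client options are standard ones.
#   build_request /projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt hg-edge.mozilla.org \
#     | openssl s_client -connect hg-edge.mozilla.org:443 -servername hg-edge.mozilla.org \
#         -CAfile /etc/make-ca/ISRG_Root_X1.pem -verify_return_error -quiet \
#         > certdata.resp 2>/dev/null
#   extract_body certdata.resp > certdata.txt || echo "download rejected"

# Offline demonstration with constructed responses.
_tmp=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n#\n# certdata.txt sample\n' > "${_tmp}"
extract_body "${_tmp}"                       # prints the two body lines
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://hg-edge.mozilla.org/\r\n\r\n' > "${_tmp}"
extract_body "${_tmp}" || echo "redirect rejected with status $?"
rm -f "${_tmp}"
```

The status check is what turns the redirect from hg.mozilla.org into a visible failure instead of a file that the later header-stripping step cannot parse; the chunked check is there because an HTTP/1.1 server is free to use that coding even when the client asked for the connection to be closed.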

View File

@ -55,7 +55,7 @@ install_conf:
install_mozilla_ca_root:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 mozilla-ca-root.pem $(DESTDIR)$(ETCDIR)
install -vm644 ISRG_Root_X1.pem $(DESTDIR)$(ETCDIR)
uninstall:
rm -f $(DESTDIR)$(SBINDIR)/make-ca
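Review bot: the install_mozilla_ca_root target now installs ISRG_Root_X1.pem, but nothing in this hunk removes the previously installed mozilla-ca-root.pem from $(ETCDIR), and the visible part of the uninstall target still removes only $(DESTDIR)$(SBINDIR)/make-ca, so an upgraded system keeps a root file the script no longer reads. Suggest adding `rm -f $(DESTDIR)$(ETCDIR)/ISRG_Root_X1.pem` to uninstall (and, for one release, `rm -f $(DESTDIR)$(ETCDIR)/mozilla-ca-root.pem`), and documenting the SHA-256 fingerprint of the shipped ISRG_Root_X1.pem (for example the output of `openssl x509 -in ISRG_Root_X1.pem -noout -fingerprint -sha256`) so a reviewer can confirm the pinned root against an out-of-band copy.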

View File

@ -15,7 +15,7 @@ VERSION="1.15"
MAKE_CA_CONF="/etc/make-ca.conf"
# CA root for hg.mozilla.org
MOZILLA_CA_ROOT="/etc/make-ca/mozilla-ca-root.pem"
MOZILLA_CA_ROOT="/etc/make-ca/ISRG_Root_X1.pem"
# Get/set defaults
if test -f "${MAKE_CA_CONF}"; then
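Review bot: the comment `# CA root for hg.mozilla.org` above the reassignment is now wrong twice over: the host being verified is hg-edge.mozilla.org, and the file is ISRG Root X1, the Let's Encrypt root, not a Mozilla-operated CA. Suggest rewording it, e.g. `# Root used to verify hg-edge.mozilla.org (ISRG Root X1 / Let's Encrypt)`, and noting that the MOZILLA_CA_ROOT name is kept for compatibility only. Since the pin is a single root, the comment is also the right place to say that the download breaks whenever the site changes issuing CA, which is exactly what this commit is reacting to.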
@ -40,7 +40,7 @@ else
NSSDB="${PKIDIR}/nssdb"
LOCALDIR="${SSLDIR}/local"
DESTDIR=""
URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
URL="https://hg-edge.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
fi
# Some data in the certs have UTF-8 characters
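Review bot: the new URL default lives in the else branch of the `if test -f "${MAKE_CA_CONF}"` block (the hunk header shows `else` and the hunk ends at `fi`), so a host whose existing /etc/make-ca.conf sets URL keeps the old hg.mozilla.org value, which the commit message says no longer serves the file, while MOZILLA_CA_ROOT above is changed unconditionally. Those installs will fail the download with no hint why. Suggest either a release note telling users to update URL in make-ca.conf, or a check after the config is sourced that warns when URL still points at hg.mozilla.org.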
@ -669,7 +669,7 @@ if test "${GET}" == "1"; then
if test "${PROXY}x" != "x"; then
SARGS="${SARGS} -proxy ${PROXY}"
fi
echo GET ${_url} | \
printf "GET ${_url} HTTP/1.1\nConnection: no-keep-alive\n\n" | \
${OPENSSL} s_client ${SARGS} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
unset _url
echo "done."
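Review bot: three problems with the printf line. First, `${_url}` is expanded inside the format string, so a `%` in the URL would be interpreted as a conversion; pass it as an argument instead: `printf 'GET %s HTTP/1.1\r\nConnection: close\r\n\r\n' "${_url}"`. Second, `Connection: no-keep-alive` is not a defined connection option; the standard token for asking the server to close after the response is `Connection: close`, and the current request works only because the server happens to close anyway. Third, an HTTP/1.1 request must carry a Host header (servers are required to reject requests without one with 400), and header lines should end in CRLF rather than bare LF. On the echo-to-printf change itself: echo's treatment of backslash escapes is implementation-defined, so printf is the right tool regardless of the version of echo in use.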
@ -694,7 +694,7 @@ if test "${GET}" == "1"; then
# Download the new file
echo -n "Downloading certdata.txt..."
echo GET ${URL} | \
printf "GET ${URL} HTTP/1.1\nConnection: no-keep-alive\n\n" | \
${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
_line=$(( $(grep -n -m 1 "^#$" "${CERTDATA}" | cut -d ":" -f 1) - 1))
sed -e "1,${_line}d" -i "${CERTDATA}"
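Review bot: the header-stripping step after the download assumes a 200 response whose body begins with a `#` line. If the server answers with a redirect or an error (the very behaviour hg.mozilla.org now shows), or uses chunked transfer coding, which HTTP/1.1 permits, `grep -n -m 1 "^#$"` matches nothing, the arithmetic evaluates to -1, and `sed -e "1,-1d"` fails, leaving CERTDATA with the raw response appended to it. Suggest checking the status line before stripping, e.g. `head -n 1 "${CERTDATA}" | grep -q '^HTTP/1\.[01] 200'` and aborting with a message otherwise, and applying the same printf fixes as in the previous hunk (pass `${URL}` as a `%s` argument, send `Host:`, use `Connection: close`).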