How to update CA certificates?


Mark van Leeuwen

Mar 7, 2019, 6:29:29 PM
to Alt-F
Hello,

I saw that in this commit https://sourceforge.net/p/alt-f/code/3840/ there is an attempt to get new CA certificates at (what I understand) build time.

+ca_bundle=customroot/etc/ssl/ca-bundle.crt
+if test $(expr $(stat -c %Y $ca_bundle 2> /dev/null) + 2592000) -lt $(date +%s); then
+	curl -o $ca_bundle --time-cond $ca_bundle https://curl.haxx.se/ca/cacert.pem
+	cp $ca_bundle $ROOTFS/etc/ssl/ca-bundle.crt
+fi
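
Review bot: the `cp` on the line after `curl` runs whether or not the download succeeded, and `curl` is called without `--fail`, so an HTTP error body or a partial transfer written to `$ca_bundle` would be copied into `$ROOTFS/etc/ssl/ca-bundle.crt` as the build's trust store. Consider downloading to a temporary file with `--fail`, chaining the replace and the `cp` with `&&`, and quoting `$ca_bundle` and `$ROOTFS`. The `stat ... 2> /dev/null` in the condition also leaves `expr` with a missing operand when the file does not exist yet, so the first-build case deserves an explicit `test -f` check.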

On my setup the header of the /etc/ssl/ca-bundle.crt file reads

## Certificate data from Mozilla as of: Wed Jun  7 03:12:05 2017 GMT

whereas the one from https://curl.haxx.se/ca/cacert.pem currently reads:

## Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT

Any existing functionality to do the same automatic/regular update in a running Alt-F environment, or is the solution to create a cronjob running parts of the commands above (basically the "curl -o ...")?

Best, Mark

João Cardoso

Mar 7, 2019, 10:47:24 PM
to al...@googlegroups.com
The fastest track is to set up a cronjob, say, once a week or month to not overload their site.

We don't mind you downloading the PEM file from us in an automated fashion, but please don't do it more often than once per day. It is only updated once every few months anyway.

A suitable curl command line to only download it when it has changed:


Remember that when saved to /etc/ssl/ it will be really stored on disk, under the /Alt-F directory (that you should not directly manipulate, read its README.txt). 

Can you file a request at sourceforge? Or else the idea will vanish.



Mark van Leeuwen

Mar 8, 2019, 3:28:34 AM
to Alt-F
Sourceforge feature request ticket: https://sourceforge.net/p/alt-f/featurerequests/52/
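
The cron-driven refresh discussed in this thread, sketched as an added example (not Alt-F code and not from either poster): it downloads to a temporary file, checks that the result looks like a PEM bundle, and only then replaces the live file. The URL and the 30-day age come from the thread; `MIN_CERTS`, the function names and the crontab path are assumptions, and `stat -c` and `mktemp` are assumed to be available on the box.

```shell
#!/bin/sh
# Added example, not Alt-F code. URL and 30-day age come from the thread;
# MIN_CERTS and the function names are assumptions made for illustration.
CA_URL=https://curl.haxx.se/ca/cacert.pem
MAX_AGE=2592000   # 30 days, as in the quoted commit
MIN_CERTS=50      # assumed sanity floor for a Mozilla-derived bundle

# True when the bundle is missing or older than MAX_AGE seconds.
bundle_is_stale() {
    [ -f "$1" ] || return 0
    mtime=$(stat -c %Y "$1") || return 0
    [ $((mtime + MAX_AGE)) -lt "$(date +%s)" ]
}

# True only for a file with balanced PEM markers and at least MIN_CERTS
# certificates; rejects HTML error pages and bundles cut off mid-certificate.
bundle_looks_valid() {
    [ -s "$1" ] || return 1
    begin=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begin" -eq "$end" ] && [ "$begin" -ge "$MIN_CERTS" ]
}

# Validate candidate $1, then rename it over bundle $2 (atomic when both
# are on the same filesystem). A rejected candidate is deleted.
install_bundle() {
    bundle_looks_valid "$1" || { rm -f "$1"; return 1; }
    chmod 644 "$1" && mv -f "$1" "$2"
}

# Download next to the live bundle; the live file is only replaced by a
# validated candidate, never by a failed or partial transfer.
update_bundle() {
    bundle=$1
    bundle_is_stale "$bundle" || return 0
    tmp=$(mktemp "$bundle.XXXXXX") || return 1
    set -- --fail --silent --show-error -o "$tmp"
    if [ -f "$bundle" ]; then set -- "$@" --time-cond "$bundle"; fi
    if ! curl "$@" "$CA_URL"; then rm -f "$tmp"; return 1; fi
    # An empty candidate means "304 Not Modified": keep the current bundle.
    if [ -s "$tmp" ]; then install_bundle "$tmp" "$bundle"; else rm -f "$tmp"; fi
}

# Weekly crontab entry (script path is hypothetical):
#   0 3 * * 0  /path/to/update-ca-bundle.sh
# and the script would end with: update_bundle /etc/ssl/ca-bundle.crt
```

Because the candidate is created beside the live bundle, the final rename stays on one filesystem and TLS clients never see a half-written file.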
