On Wed, Oct 15, 2014 at 10:04 AM, Evan Farrell <eva...@gastrograph.com> wrote:
> I'm adding a custom CA cert that I created for signing to CoreOS. I added
> the .pem file to the directory `/etc/ssl/certs` and then tried running
> `update-ca-certificates` to update them. If I run it while I am user
> `core`, it throws an error saying `Error: SSL certificate directory
> /etc/ssl/certs isn't writable`.
Well, that much is expected. You have to be root, not core.
>
> If I run it as sudo, the new ca doesn't get updated. In the output it
> appears to work, but it is never symlinked and testing out throws an
> authority error.
The new cert is indeed named with the .pem extension so the full path
is something like /etc/ssl/certs/something.pem? Anything else will be
ignored. Do the contents of the file look correct, and is it in PEM
format with the '-----BEGIN CERTIFICATE-----' header? Perhaps check
that 'openssl x509 -in /etc/ssl/certs/something.pem -text' looks
correct too.
If update-ca-certificates is successful there will now be a symlink in
that directory pointing to something.pem and it will appear in
/etc/ssl/certs/ca-certificates.crt which should now be a regular file
instead of a symlink to the original copy in /usr
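
The checks listed in the reply above, collected into one shell function. This is an added example, not part of the original thread; the function name and its exit codes are made up for illustration, and it assumes the bundle is `ca-certificates.crt` in the same directory as the cert, as in the message.

```sh
# Added example. Exit codes are constructed for this sketch:
# 0 ok | 1 not *.pem | 2 no PEM header | 3 openssl cannot parse it
# 4 no symlink to the cert | 5 bundle missing or still a symlink
# 6 cert body not found in the bundle
check_ca_install() {
    cert=$1
    dir=$(dirname "$cert")
    bundle=$dir/ca-certificates.crt   # assumed to sit beside the cert

    # Only files ending in .pem are picked up; anything else is ignored.
    case $cert in
        *.pem) ;;
        *) echo "FAIL: $cert does not end in .pem" >&2; return 1 ;;
    esac

    # The file must be PEM text, not DER or some other encoding.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "FAIL: no PEM certificate header in $cert" >&2; return 2; }

    # openssl must be able to parse it (also fails if openssl is absent).
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: openssl x509 cannot read $cert" >&2; return 3; }

    # A successful run leaves a symlink in the directory pointing at the cert.
    found=no
    for link in "$dir"/*; do
        if [ -L "$link" ] && [ "$link" -ef "$cert" ]; then found=yes; break; fi
    done
    [ "$found" = yes ] ||
        { echo "FAIL: no symlink in $dir points to $cert" >&2; return 4; }

    # The bundle should be a regenerated regular file, no longer a symlink.
    if [ -L "$bundle" ] || [ ! -f "$bundle" ]; then
        echo "FAIL: $bundle is missing or still a symlink" >&2; return 5
    fi

    # The first base64 line of the cert should appear in the bundle.
    first=$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}' "$cert")
    grep -qF -- "$first" "$bundle" ||
        { echo "FAIL: $cert is not in $bundle" >&2; return 6; }

    echo "OK: $cert is installed in $bundle"
}
```

Run it as `check_ca_install /etc/ssl/certs/something.pem` after `update-ca-certificates`; the first failing check names the step that did not take effect.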