These notes are for the fetch-crl-2.7.0-r0.apk from dev.a.o/~ncopa/alpine
If you just want the "what needs to be fixed" bit, skip to the bottom.
The test system is using racoon with a cert bundle and a client cert
(all in pem format, all in /etc/racoon) - they should probably be
somewhere else .. but whatever.
apk_add http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0-r0.apk
It needs the hashes of all the certs; here's a quick awk script to do it:
--- /dev/null Thu Feb 19 21:20:21 2009
+++ split.awk Thu Feb 19 20:27:33 2009
@@ -0,0 +1,17 @@
+# split a certificate bundle into individual certificates
+
+{ content = content $0 "\n" }
+
+/^subject=/ {
+ subject=$0
+ sub("^.*CN=", "", subject)
+ }
+
+/^-----END/ {
+ x=subject ".pem"
+ print content > x
+ close(x)
+ system("ln -s " x " `openssl x509 -noout -hash -in " x "`.0 2>/dev/null")
+ content = ""
+ }
+
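Review bot: the `system("ln -s " x ...)` call in the `/^-----END/` block passes the certificate's CN, unmodified, into both a filename and a shell command line. A CN is free-form text and may legally contain spaces, `/`, quotes or backticks, so `subject` should be sanitized right after the `sub("^.*CN=", "", subject)` (for example `gsub("[^A-Za-z0-9._-]", "_", subject)`) and `x` quoted, or better, drop `system()` here and create the hash links in a separate shell loop over the files that were written. Two smaller points in the same block: two certificates with the same CN silently overwrite one `.pem`, and the hard-coded `.0` suffix collides when two certificates share a subject hash (OpenSSL looks up `.0`, `.1`, ... in turn). The `2>/dev/null` hides exactly the errors that would reveal all three problems.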
The client cert needs a hash as well:
ln -s mycert.pem `openssl x509 -in mycert.pem -noout -hash`.0
Create the fetch-crl.crl_url files. The files go where the certs are.
To find the crl location, you can try this:
for a in *.pem; do echo In $a:; openssl x509 -in $a -text -noout 2>/dev/null| grep crl ; done
The files can have any name, as long as they end in ".crl_url". So I chose mycert.crl_url, my_ca.crl_url, etc.
But you could use the hash as well.
Edit /etc/conf.d/fetch-crl. The minimum is:
CRLDIR=/etc/racoon
QUIET=yes
CACHEDIR=/tmp
Fetch-crl *requires* real wget because of the -t -T -N options.
(replacing the wget binary with a shell script "#!/bin/echo $0 $@" shows the following)
/usr/bin/wget -t -T 10 -q -N 2 -P /tmp/3e25f602d2aedb251e08f79e3e1db34dc388927a <location of crl>
Setting the Timeout and Retry options in the fetch-crl config file does not seem to make things better.
Once all that is done, run fetch-crl, and it will retrieve the crls and put them in the same directory as the certs, with the same name as the hash, but a .r0 extension.
-----------------------
Things that need fixing
-----------------------
If we want to use busybox wget, either: bb wget should support (or ignore) -t, -T and -N; or fetch-crl should not use -N, -t, -T when the config entries for WGET_RETRIES and WGET_TIMEOUT are set to "nil" (not 0)
the fetch-crl conf file for alpinelinux should be in /etc/fetch-crl/fetch-crl, and not /etc/conf.d/fetch-crl
Other than that, it works well!
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
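As an added example (not part of Nathan's post and not fetch-crl code), here is a POSIX sh version of the same split-and-hash step that never hands the subject CN to a shell: the CN is sanitized inside awk before it becomes a filename, duplicate CNs get a numeric suffix instead of overwriting each other, and the hash links use the next free `.N` suffix, since OpenSSL looks up `.0`, `.1`, ... in turn. The bundle layout (a `subject=` line before each certificate, as `openssl x509 -subject` prints it) and the /etc/racoon location come from the post; the function names `split_bundle` and `hash_links` are chosen here, and `hash_links` assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post and not fetch-crl code.
# Split a PEM bundle into one file per certificate, naming each file after a
# sanitized copy of the subject CN, then add OpenSSL hash links <hash>.N.

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/<cn>.pem for every certificate and prints each path written.
split_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        # subject= lines may use the old "/C=XX/CN=name" or the newer
        # "C = XX, CN = name" form; both are handled.
        /^subject=/ {
            subject = $0
            sub("^.*CN ?= ?", "", subject)          # keep the CN component...
            sub("[,/].*$", "", subject)             # ...up to the next separator
            gsub("[^A-Za-z0-9._-]", "_", subject)   # no spaces, quotes, slashes, backticks
        }
        /^-----BEGIN/ { incert = 1; content = "" }
        incert { content = content $0 "\n" }
        /^-----END/ {
            incert = 0
            name = (subject == "") ? "cert" : subject
            k = seen[name]++                        # suffix duplicates instead of clobbering
            path = outdir "/" name (k ? "-" k : "") ".pem"
            printf "%s", content > path
            close(path)
            print path
            subject = ""
        }
    ' "$bundle"
}

# hash_links DIR
# Creates <subject-hash>.N symlinks beside each .pem in DIR, using the next
# free N so two certificates with the same hash do not collide.
# Assumes openssl is on the PATH.
hash_links() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f") || {
            echo "hash_links: skipping $f (not a certificate?)" >&2
            continue
        }
        i=0
        while [ -e "$dir/$h.$i" ] || [ -L "$dir/$h.$i" ]; do
            i=$((i + 1))
        done
        ln -s "${f##*/}" "$dir/$h.$i"
    done
}

# Usage (paths as in the post):
#   split_bundle /etc/racoon/bundle.pem /etc/racoon && hash_links /etc/racoon
```

The sanitizing `gsub` is the important line: a CN such as `Odd Name; echo hi` becomes `Odd_Name__echo_hi.pem`, so nothing from the certificate ever reaches a command line unquoted, and `hash_links` only ever sees the file names awk produced.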
On Thu, 2009-02-19 at 16:45 -0500, Nathan Angelacos wrote:
> These notes are for the fetch-crl-2.7.0-r0.apk from dev.a.o/~ncopa/alpine
>
>
> If you just want the "what needs to be fixed" bit, skip to the bottom.
...
> -----------------------
> Things that need fixing
> -----------------------
>
>
> If we want to use busybox wget, either: bb wget should support (or ignore) -t -T and -N; or fetch-crl should not use -N , -t -T when the config entries for WGET_RETRIES and WGET_TIMEOUT are set to "nil" (not 0)
>
>
> the fetch-crl conf file for alpinelinux should be in /etc/fetch-crl/fetch-crl, and not /etc/conf.d/fetch-crl
>
>
> Other than that, it works well!
I added a patch that:
* only adds -t if WGET_RETRIES is set
* only adds -T if WGET_TIMEOUT is set
* only adds -N if WGET_TIMESTAMPING is set and is not equal to "no". This is a new and undocumented "feature".
Also moved the config file to /etc/fetch-crl/ as requested.
I have an apk that is scheduled for 1.8.1 here:
http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0.apk
and for 1.9.x here:
http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-2.7.0-r1.apk
http://dev.alpinelinux.org/~ncopa/alpine/fetch-crl-doc-2.7.0-r1.apk
since there are 2 different build environments both would need to be
tested. Could you please help me with that?
Thanks a lot!
btw... I'm not sure if we maybe should just let the script be unpatched
and just add GNU wget as a depend. What do you think?
-nc
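As an added example (not the patch ncopa describes and not fetch-crl code), a POSIX sh function that builds the wget command the way the reply lists: -t only when WGET_RETRIES is set, -T only when WGET_TIMEOUT is set, -N only when WGET_TIMESTAMPING is set to something other than "no". With all three unset, busybox wget gets only options it understands. The function name `fetch_crl_url` and the `WGET` override (which makes the echo-instead-of-wget trick from the first message a one-liner) are assumptions; -q and -P are kept from the command line observed earlier in the thread.

```shell
#!/bin/sh
# Added example, not fetch-crl code. Builds the wget argument list from the
# fetch-crl config variables only when they are set, so busybox wget (no -t,
# -T, -N) is never handed an option it rejects.

# fetch_crl_url CACHEDIR URL
# Reads WGET_RETRIES, WGET_TIMEOUT and WGET_TIMESTAMPING from the environment.
# WGET may be overridden (e.g. WGET=echo) to see the resulting command line.
fetch_crl_url() {
    cachedir=$1
    url=$2
    set --                                    # start with an empty option list
    if [ -n "$WGET_RETRIES" ]; then
        set -- "$@" -t "$WGET_RETRIES"        # GNU wget only
    fi
    if [ -n "$WGET_TIMEOUT" ]; then
        set -- "$@" -T "$WGET_TIMEOUT"        # GNU wget only
    fi
    if [ -n "$WGET_TIMESTAMPING" ] && [ "$WGET_TIMESTAMPING" != no ]; then
        set -- "$@" -N                        # GNU wget only, opt-in
    fi
    # -q and -P are understood by both GNU and busybox wget.
    "${WGET:-wget}" "$@" -q -P "$cachedir" "$url"
}

# Usage, mirroring the /etc/conf.d/fetch-crl values from the thread:
#   CACHEDIR=/tmp WGET_RETRIES= WGET_TIMEOUT= fetch_crl_url "$CACHEDIR" http://crl.example.invalid/ca.crl
```

Because the option list is kept in the positional parameters and passed as `"$@"`, a cache directory or URL containing spaces survives intact, which an `eval`-built string would not guarantee.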