Mail archive

[alpine-devel] Notes on fetch-crl apk

From: Nathan Angelacos <>
Date: Thu, 19 Feb 2009 16:45:18 -0500

These notes are for the fetch-crl-2.7.0-r0.apk from dev.a.o/~ncopa/alpine

If you just want the "what needs to be fixed" bit, skip to the bottom.

The test system is using racoon with a cert bundle and a client cert
(all in pem format, all in /etc/racoon) - they should probably be
somewhere else .. but whatever.


It needs the hashes of all the certs; here's a quick awk script to do it:

--- /dev/null Thu Feb 19 21:20:21 2009
+++ split.awk Thu Feb 19 20:27:33 2009
_at_@ -0,0 +1,17 @@
+# split a certificate bundle into individual certificates
+{ content = content $0 "\n" }
+/^subject=/ {
+ subject=$0
+ sub("^.*CN=", "", subject)
+ }
+/^-----END/ {
+ x=subject ".pem"
+ print content > x
+ close(x)
+ system("ln -s " x " `openssl x509 -noout -hash -in " x "`.0 2>/dev/null")
+ content = ""
+ }

The client cert needs a hash as well:

ln -s mycert.pem `openssl x509 -in mycert.pem -noout -hash`.0

Create the fetch-crl.crl_url files. The files go where the certs are.
To find the crl location, you can try this:

for a in *.pem; do echo In $a:; openssl x509 -in $a -text -noout 2>/dev/null| grep crl ; done

The files can have any name, as long as they end in ".crl_url" So I chose mycert.crl_url, my_ca.crl_url, etc.
But you could use the hash as well.

edit /etc/conf.d/fetch-crl. The minimum is:


Fetch-crl *requires* real wget because of the -t -T -N options.

(replacing wget binary with a shell script #!/bin/echo $0 $_at_" shows the following)

/usr/bin/wget -t -T 10 -q -N 2 -P /tmp/3e25f602d2aedb251e08f79e3e1db34dc388927a <location of crl>

Setting the Timeout and Retry options in the fetch-crl config file does not seem to make things better.

Once all that is done, run fetch-crl, and it will retrieve the crls and put them in the same directory as the certs, with the same name as the hash, but a .r0 extension.

Things that need fixing

If we want to use busybox wget, either: bb wget should support (or ignore) -t -T and -N; or fetch-crl should not use -N , -t -T when the config entries for WGET_RETRIES and WGET_TIMEOUT are set to "nil" (not 0)

the fetch-crl conf file for alpinelinux should be in /etc/fetch-crl/fetch-crl, and not /etc/conf.d/fetch-crl

Other than that, it works well!

Received on Thu Feb 19 2009 - 16:45:18 UTC