Sync certs from newer location in RPM package #4642

Merged
HebaruSan merged 2 commits into KSP-CKAN:master from HebaruSan:fix/rpm-cert-step
May 21, 2026

@HebaruSan

Member

Background

Mono has its own cert store, which ships empty, and CKAN doesn't work without certs. The cert-sync utility can import certs from the system store into Mono's:

Problem

The install of the RPM package fails on Fedora 44.

mai 15 18:27:57 fedora rpm-ostree(ckan.post)[8480]: Unknown option or file not found '/etc/pki/tls/certs/ca-bundle.crt'.
mai 15 18:27:57 fedora rpm-ostree(ckan.post)[8480]: Mono Certificate Store Sync - version 6.14.1.0
mai 15 18:27:57 fedora rpm-ostree(ckan.post)[8480]: Populate Mono certificate store from a concatenated list of certificates.
mai 15 18:27:57 fedora rpm-ostree(ckan.post)[8480]: Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
mai 15 18:27:57 fedora rpm-ostree(ckan.post)[8480]: Usage: cert-sync [--quiet] [--user] system-ca-bundle.crt
mai 15 18:27:57 fedora rpm-ostree(ckan.post)[8480]: Where system-ca-bundle.crt is in PEM format
mai 15 18:27:58 fedora rpm-ostree(ckan.post)[8484]: Unknown option or file not found '/etc/pki/tls/cert.pem'.
mai 15 18:27:58 fedora rpm-ostree(ckan.post)[8484]: Mono Certificate Store Sync - version 6.14.1.0
mai 15 18:27:58 fedora rpm-ostree(ckan.post)[8484]: Populate Mono certificate store from a concatenated list of certificates.
mai 15 18:27:58 fedora rpm-ostree(ckan.post)[8484]: Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
mai 15 18:27:58 fedora rpm-ostree(ckan.post)[8484]: Usage: cert-sync [--quiet] [--user] system-ca-bundle.crt
mai 15 18:27:58 fedora rpm-ostree(ckan.post)[8484]: Where system-ca-bundle.crt is in PEM format

Cause

Fedora deleted /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/cert.pem, and replaced them with /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, see:

Our RPM package's %post step tries to import the deleted files into Mono's cert store, which fails.

Changes

Now we sync certs from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead, which is the replacement path according to the above documentation. I confirmed that this file exists in the fedora:latest Docker image and that cert-sync doesn't fail to import it.
(It did say "I already trust 146, your new list has 146", which suggests to me that the certs are already imported, but I don't trust that we can rely on that always being the case for all users on all RPM-based distros.)

Fixes #4632.
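
One way to keep a `%post` step working across the path change described above, as an added example that is not CKAN's spec file or code from this PR: probe the bundle locations named in the description and pass the first usable one to `cert-sync`. The names `CA_BUNDLE_CANDIDATES`, `find_ca_bundle` and `sync_mono_certs` are hypothetical, and the probe order and the fallback to the older paths are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. The three paths are the ones named in this PR; probing them
# newest-first is this example's choice, not the project's.
CA_BUNDLE_CANDIDATES="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/cert.pem"

# Print the first argument that is a readable, non-empty file containing at
# least one PEM certificate header. Missing files, empty files and dangling
# symlinks are skipped. Returns 1 if no candidate qualifies.
find_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ] &&
           grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Import the system bundle into Mono's store.
# Returns 2 if cert-sync is not installed, 1 if no bundle was found,
# otherwise cert-sync's own exit status.
sync_mono_certs() {
    command -v cert-sync >/dev/null 2>&1 || {
        echo "cert-sync not found; Mono cert store left unchanged" >&2
        return 2
    }
    # Unquoted on purpose: split the newline-separated list into arguments.
    bundle=$(find_ca_bundle $CA_BUNDLE_CANDIDATES) || {
        echo "no system CA bundle found; Mono cert store left unchanged" >&2
        return 1
    }
    cert-sync --quiet "$bundle"
}

# In a scriptlet, the caller decides whether a failed sync should abort the
# install, for example:
#   sync_mono_certs || echo "warning: Mono CA import failed" >&2
```

If no bundle is found the Mono store stays as it was, so TLS validation fails closed rather than trusting anything new.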

@HebaruSan HebaruSan added the Linux (Issues specific for Linux), Mono (Issues specific for Mono) and Package: rpm (Issues affecting RPM packaging) labels May 21, 2026
@HebaruSan HebaruSan merged commit aec91ae into KSP-CKAN:master May 21, 2026
7 of 9 checks passed
@HebaruSan HebaruSan deleted the fix/rpm-cert-step branch May 21, 2026 19:11

Development

Successfully merging this pull request may close these issues.

[Bug]: Unknown option or file not found '/etc/pki/tls/cert.pem' on Fedora 44