Sometime in Feb, yum updated something to do with ca-bundle. I didn't notice at the time, but it put these two files on my machine:

/etc/pki/tls/certs/ca-bundle.trust.crt.rpmnew and

/etc/pki/tls/certs/ca-bundle.crt.rpmnew

Both of those on the existing system are symbolic links

ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle-trust.crt and

ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

I'm not sure how exactly I'm supposed to use these files to update those locations. One points to a .pem file, which the .rpmnew file is not, and there is no file of the corresponding name in the directory pointed to by the link.

Shouldn't the rpm have "done the right thing", and put them where they belong?

-chuck
On Tue, 2018-09-11 at 19:38 -0500, Chuck Campbell wrote:
> Sometime in Feb, yum updated something to do with ca-bundle. I didn't
> notice at the time, but it put these two files on my machine:
>
> /etc/pki/tls/certs/ca-bundle.trust.crt.rpmnew and
>
> /etc/pki/tls/certs/ca-bundle.crt.rpmnew
>
> Both of those on the existing system are symbolic links
>
> ca-bundle.trust.crt ->
> /etc/pki/ca-trust/extracted/openssl/ca-bundle-trust.crt and
>
> ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>
> I'm not sure how exactly I'm supposed to use these files to update those
> locations. One points to a .pem file, which the .rpmnew file is not, and
> there is no file of the corresponding name in the directory pointed to
> by the link.
>
> Shouldn't the rpm have "done the right thing", and put them where they
> belong?

If a file has been modified since the RPM package was last installed, then it won't be overwritten (it's configurable, but that is the default) - the new file is installed with the .rpmnew extension so that the admin can decide what to do with it. This is a "good thing".

Most decent packages now have a mechanism for users to override the default configuration without altering the installed files. But if you do decide, for some reason, that the installed config files need to be changed, the last thing you want is for those changes to be wiped out by an upgrade to the package.

In this case, it is certainly within the bounds of possibility that you put in a different CA-Bundle and if you did, you wouldn't want your version to be overwritten. From what you say, you possibly didn't actually do so, but you may have updated the file in some other way (such as looked at it with an editor and saved it with trivial changes, that sort of thing; anything that makes it look like a different file).

If you want to use the new files, just copy them over the top of the old files - make sure the symlinks still work as they should and everything will be OK.

P.
You need to dig deeper - I will give you a start ...

> > > Sometime in Feb, yum updated something to do with ca-bundle.

The "something" is the ca-certificates.noarch rpm. It is updated every year around May. The last update was around May 16th this year. Not February.

> > > I didn't
> > > notice at the time, but it put these two files on my machine:
> > >
> > > /etc/pki/tls/certs/ca-bundle.trust.crt.rpmnew and
> > >
> > > /etc/pki/tls/certs/ca-bundle.crt.rpmnew
> > >
> > > Both of those on the existing system are symbolic links
> > >
> > > ca-bundle.trust.crt ->
> > > /etc/pki/ca-trust/extracted/openssl/ca-bundle-trust.crt and
> > >
> > > ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

That is what is defined in the ca-certificates package. See the output of

rpm -qv --list ca-certificates-2018.2.22-70.0.el7_5.noarch

> > >
> > > I'm not sure how exactly I'm supposed to use these files to update those
> > > locations. One points to a .pem file, which the .rpmnew file is not, and
> > > there is no file of the corresponding name in the directory pointed to
> > > by the link.

What do the .rpmnew files contain? The repository versions of those files are symlinks, so to me it looks like some other package is trying to install those files.

> > >
> > > Shouldn't the rpm have "done the right thing", and put them where they
> > > belong?

There is something that is stopping it from "doing the right thing".

> Except as noted above, there is no ca-bundle.crt file in the tree, only
> this:
>
> tls-ca-bundle.pem
>
> Do I rename it, or what?

The simple answer is possibly. The sensible answer is that you need to find out if anything has tried to add different certificate files (and why) and work around that to work out what the best thing to do is.
Use the 'rpm' command to find out what provides the files that have a .rpmnew suffix:

rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.trust.crt

It should come up with just one package - the ca-certificates-2018 package. If it returns multiple packages, then something else is causing confusion.

P.
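The two pieces of advice in this thread (P.'s note that an .rpmnew is only safe to copy over the original once the symlink still resolves, and the later suggestion to look at what the .rpmnew files contain and ask rpm which package owns the path) can be turned into one repeatable check. The script below is an added example written for this page, not code from the thread or from the ca-certificates package. The function names `rpmnew_report`, `owner_of` and `make_sandbox` are mine; the sandbox it builds under a temporary directory is a constructed imitation of the paths quoted in the thread (a ca-bundle.crt symlink that resolves, and a ca-bundle.trust.crt symlink whose target was deliberately left missing), so nothing under /etc is read or written. The `rpm -q --whatprovides` step is the one from the thread and is skipped when rpm is not installed.

```shell
#!/bin/sh
# Added example, not from the thread. Inventories every *.rpmnew file under a
# directory and reports, for each one, the live path it shadows, whether that
# live path is a symlink (and where it points), and whether the pending content
# differs from what the live path currently resolves to.

# One line per pending file: "<live path>|<kind>|<symlink target>|<status>"
#   kind:   symlink | file | missing
#   status: same | differs | dangling   (dangling = live path resolves to nothing,
#           e.g. a symlink whose target was never extracted)
rpmnew_report() {
    find "$1" -name '*.rpmnew' -type f | sort | while read -r new; do
        live=${new%.rpmnew}
        kind=missing; target=-
        if [ -L "$live" ]; then
            kind=symlink
            target=$(readlink "$live")
        elif [ -e "$live" ]; then
            kind=file
        fi
        if [ ! -e "$live" ]; then          # -e follows symlinks, so a dangling link fails here
            status=dangling
        elif cmp -s "$new" "$live"; then   # byte-for-byte comparison through the symlink
            status=same
        else
            status=differs
        fi
        printf '%s|%s|%s|%s\n' "$live" "$kind" "$target" "$status"
    done
}

# Which package owns the live path (the thread's rpm -q --whatprovides step).
# Prints a marker instead when rpm is absent so the script still runs elsewhere.
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --whatprovides "$1"
    else
        echo "rpm-not-available"
    fi
}

# Constructed sandbox mirroring the layout quoted in the thread; /etc is untouched.
# The trust-bundle symlink intentionally points at a file that does not exist.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/pki/tls/certs" "$root/pki/ca-trust/extracted/pem"
    printf 'OLD CERT BUNDLE\n' > "$root/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    ln -s "$root/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" "$root/pki/tls/certs/ca-bundle.crt"
    printf 'NEW CERT BUNDLE\n' > "$root/pki/tls/certs/ca-bundle.crt.rpmnew"
    ln -s "$root/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt" "$root/pki/tls/certs/ca-bundle.trust.crt"
    printf 'NEW TRUST BUNDLE\n' > "$root/pki/tls/certs/ca-bundle.trust.crt.rpmnew"
    echo "$root"
}

# Stand-alone run: build the sandbox, print the report and the owner query, clean up.
demo_root=$(make_sandbox)
rpmnew_report "$demo_root"
owner_of "$demo_root/pki/tls/certs/ca-bundle.trust.crt"
rm -rf "$demo_root"
```

On a real host you would call `rpmnew_report /etc` instead of the sandbox. A line ending in `dangling` is the case Chuck describes: the symlink exists but the file it points at does not, so copying the .rpmnew over the symlink would silently replace the link with a regular file. Fix the missing target (or the package that should have provided it) first, then decide whether to adopt the pending content.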