F42 Change Proposal: dropping Of cert.pem file (System-Wide)

dropping Of cert.pem file

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.


Summary

To make OpenSSL use the faster directory-hash format by default, we need to drop the /etc/pki/tls/cert.pem file so that it is no longer loaded by default.

Owner

Name: František Krenželok
Email: fkrenzel@redhat.com

Detailed Description

To improve the loading time of OpenSSL, directory-hash support was added to ca-certificates. For OpenSSL to use the directory-hash format by default, we need to stop it from trying to load /etc/pki/tls/cert.pem by deleting that file.

Feedback

Benefit to Fedora

Applications using OpenSSL (and possibly other libraries as well) will benefit from much faster initialization of OpenSSL.

Scope

  • Other developers:

Any package that loads the root certificates from the /etc/pki/tls/cert.pem file should preferably use the library’s defaults or, if it must reference a file, use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead.

  • Release engineering: #Releng issue number
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy: neither does nor doesn’t

Upgrade/compatibility impact

Once this change is integrated, packages/software using /etc/pki/tls/cert.pem as a root certificate bundle file might encounter connectivity issues.

How To Test

Target behavior: OpenSSL initialization takes less time when the file isn’t present than when it is.

  1. The following creates a symlink for testing after the change has been integrated (i.e. the .../tls/cert.pem file is missing):

ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/cert.pem

  2. Measure the initialization time of OpenSSL, or of a package using it, with and without the aforementioned symlink. (If there is no difference for a package, it is most likely because OpenSSL is not being configured to search for certificates in the default location.)
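The Scope guidance above (prefer the library defaults, otherwise the ca-trust bundle) and the timing comparison from How To Test, as an added Python example that is not part of the proposal or of any Fedora package; it assumes the standard Fedora trust-store paths and relies on Python’s ssl module, whose create_default_context() makes OpenSSL load its compiled-in default cafile and capath:

```python
"""Time OpenSSL default trust-store loading and pick a CA bundle path.

Added example, not part of the Fedora change proposal. It assumes the
standard Fedora layout: /etc/pki/tls/cert.pem (the file being dropped),
/etc/pki/tls/certs (the directory-hash capath) and the ca-trust bundle.
"""
import os
import ssl
import time

# Order recommended by the proposal: the ca-trust bundle (and its symlink)
# first; the legacy OpenSSL default file only as a last resort, since it
# may no longer exist.
CANDIDATE_BUNDLES = (
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
    "/etc/pki/tls/certs/ca-bundle.crt",  # symlink to the bundle above
    "/etc/pki/tls/cert.pem",             # legacy default, may be absent
)

def resolve_ca_bundle(candidates=CANDIDATE_BUNDLES, exists=os.path.isfile):
    """Return the first existing bundle path, or None if none is present.
    `exists` is injectable so the selection can be tested without /etc."""
    for path in candidates:
        if exists(path):
            return path
    return None

def default_paths_status():
    """Compiled-in OpenSSL defaults and whether each one exists on disk."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": (paths.openssl_cafile, os.path.isfile(paths.openssl_cafile)),
        "capath": (paths.openssl_capath, os.path.isdir(paths.openssl_capath)),
    }

def time_default_context(rounds=20):
    """Mean seconds to build a default context. Each build makes OpenSSL
    load cafile (cert.pem, when present) and then the capath directory
    hash, so compare this with and without the cert.pem symlink."""
    start = time.perf_counter()
    for _ in range(rounds):
        ssl.create_default_context()  # library defaults, no hard-coded path
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    print(default_paths_status())
    print("bundle fallback:", resolve_ca_bundle())
    print(f"mean create_default_context(): {time_default_context() * 1e3:.2f} ms")
```

Run it once with the symlink in place and once without; the status dict tells you whether OpenSSL actually found a cafile, which explains a missing timing difference.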

User Experience

Packages using OpenSSL will have faster initialization time.

Dependencies

Any package using the /etc/pki/tls/cert.pem file is affected. Maintainers are required to change this so that user experience is not compromised.

Contingency Plan

  • Contingency mechanism: We will postpone the change if the majority of package owners, or the owners of critical packages, are unable to make the appropriate changes.
  • Contingency deadline: before the end of beta freeze (2025-02-18).
  • Blocks release? The feature doesn’t block release.

Documentation

The change is documented as a part of ca-certificates package changelog.

Release Notes

The /etc/pki/tls/cert.pem file has been deprecated

Last edited by @amoloney 2024-11-01T14:34:33Z

For compatibility purposes, would it be possible to just modify Fedora’s OpenSSL package to not read that file at all, instead of removing it? We could then generate it with the compiled bundle (or just carry a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) and avoid breaking packages that expect the file to exist there.

1 Like

No owner? @amoloney

Weird, that didn’t copy across or else I accidentally edited it out when cross posting from the wiki.

I’ve updated the owner section now, good catch!

Aoife Moloney
Fedora Operations Architect

2 Likes

would it be possible to just modify Fedora’s OpenSSL package to not read that file at all, instead of removing it?

We’d really like to avoid more downstream patches for Fedora on OpenSSL. Many users reference upstream documentation and are surprised when OpenSSL in Fedora does not behave in the same way.

Other packages should never have used /etc/pki/tls/cert.pem, that path was always owned by OpenSSL, and while we probably didn’t do a great job of making that obvious, other packages and tools should be fixed not to rely on the existence of OpenSSL’s default path.

Note that although this is a proposed Change, it has already been done. There is no /etc/pki/tls/cert.pem in Rawhide. The Change was filed retroactively.

I did just happen across another thing this broke, today: httpd package tests. They use beakerlib, and our beakerlib-libraries package uses /etc/pki/tls/cert.pem. This caused tests of the most recent httpd update to fail with:

:: [ 12:50:27 ] :: [  ERROR   ] :: rlFileBackup: File /etc/pki/tls/cert.pem does not exist.
:: [ 12:50:27 ] :: [   FAIL   ] :: creating backup of /etc/pki/tls/cert.pem (Expected 0, got 8)

This was addressed in the beakerlib libraries used for RHEL - though I wouldn’t say that’s the best fix - but not in the ones used for Fedora yet (I don’t know why we don’t use the same beakerlib libraries, this seems like a bad design). I’m sending a PR now I’ve found this.

3 Likes

It’s almost been a month for this change. This should be moved to FESCo for voting. cc @amoloney

This is strange, we have reverted the change, and are waiting for the change proposal
https://src.fedoraproject.org/rpms/ca-certificates/c/a3407acb8618b44bc484cd794be14e7cf3490497?branch=rawhide

oh, there is no build for it… let me fix that real quick

1 Like

This change proposal has now been submitted to FESCo with ticket #3293 for voting.

To find out more, please visit our Changes Policy documentation.

1 Like

I’m aware of two Python packages that will need to be adjusted to work with the different path to the certificate bundle:

Because the path we use /etc/pki/tls/certs/ca-bundle.crt is already a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, I don’t expect any troubles.

1 Like

Just grepping through the specs shows a couple more uses:

rpm-specs/kdelibs3.spec
580:      -f /etc/pki/tls/certs/ca-bundle.crt ]; then
581:  ln -sf /etc/pki/tls/certs/ca-bundle.crt \

rpm-specs/kdelibs.spec
607:      -f /etc/pki/tls/certs/ca-bundle.crt ]; then
608:  ln -sf /etc/pki/tls/certs/ca-bundle.crt \

rpm-specs/kf5-kdelibs4support.spec
142:      -f /etc/pki/tls/certs/ca-bundle.crt ]; then
143:  ln -sf /etc/pki/tls/certs/ca-bundle.crt \

rpm-specs/mercurial.spec
203:cacerts = /etc/pki/tls/certs/ca-bundle.crt

rpm-specs/mono.spec
508:cert-sync --quiet /etc/pki/tls/certs/ca-bundle.crt

rpm-specs/perl-Crypt-SSLeay.spec
37:BuildRequires:  /etc/pki/tls/certs/ca-bundle.crt
59:Requires:       /etc/pki/tls/certs/ca-bundle.crt
99:ln -s /etc/pki/tls/certs/ca-bundle.crt certs/ca-bundle.crt

rpm-specs/python-certifi.spec
13:# Require the system certificate bundle (/etc/pki/tls/certs/ca-bundle.crt)
69:test $(%{__python3} -m certifi) == /etc/pki/tls/certs/ca-bundle.crt
70:test $(%{__python3} -c 'import certifi; print(certifi.where())') == /etc/pki/tls/certs/ca-bundle.crt
72:diff --ignore-blank-lines /etc/pki/tls/certs/ca-bundle.crt contents

rpm-specs/python-requests.spec
28:# Fix crash on import if /etc/pki/tls/certs/ca-bundle.crt is missing

rpm-specs/python-virtualenv.spec
115:PIP_CERT=/etc/pki/tls/certs/ca-bundle.crt \

(That’s not grepping the actual patches or sources at all.)

Thanks! I will contact the package maintainers.

Plus at least the following packages contain the string /etc/pki/tls/certs/ca-bundle.crt in /usr on my Fedora 41 system. This could include documentation, comments, etc. and is nowhere complete, just a random example:

$ rpm -qf $(rg -uuulF '/etc/pki/tls/certs/ca-bundle.crt' /usr 2>/dev/null ) | sort -u
biber-2.19-6.fc41.noarch
buildah-1.38.0-2.fc41.x86_64
containernetworking-plugins-1.6.0-1.fc41.x86_64
gh-2.63.2-1.fc41.x86_64
git-lfs-3.5.1-2.fc41.x86_64
grpc-1.48.4-41.fc41.x86_64
guestfs-tools-1.53.5-1.fc41.x86_64
gvisor-tap-vsock-0.8.1-1.fc41.x86_64
hub-2.14.2-16.fc41.x86_64
libcurl-devel-8.9.1-2.fc41.x86_64
libcurl-8.9.1-2.fc41.x86_64
libreoffice-core-24.8.4.2-2.fc41.x86_64
micro-2.0.11-10.fc41.x86_64
mock-6.0-1.fc41.noarch
perl-HTTP-Tiny-0.090-1.fc41.noarch
perl-Mozilla-CA-20240730-1.fc41.noarch
podman-5.3.1-1.fc41.x86_64
pypy-libs-7.3.17-1.fc41.x86_64
pypy3.10-libs-7.3.17-3.3.10.fc41.x86_64
pypy3.9-libs-7.3.16-1.3.9.fc41.x86_64
python3-certifi-2023.05.07-7.fc41.noarch
python3-grpcio-1.48.4-41.fc41.x86_64
python3-httplib2-0.21.0-8.fc41.noarch
python3-pip-24.2-1.fc41.noarch
python3-pyOpenSSL-24.2.1-1.fc41.noarch
python3-requests-2.32.3-3.fc41.noarch
qt5-qtbase-5.15.15-3.fc41.x86_64
VirtualBox-server-7.1.4-1.fc41.x86_64
1 Like