mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-24 07:51:03 +02:00
12d093e8b1
This kills the massive time-waster we currently have during boot to cleanup/refresh OpenSSL's certificate directory in /etc/ssl/certs. System provided certs are now hashed at build time and tempfiles is used to install the proper links. The certificate bundle is also created at build time and provided as a symlink. Since tempfiles does not help us clean up broken links to certs that have been removed that task has been moved to clean-ca-certificates.service which is still run on every boot. The update-ca-certificates.service is now only responsible for recreating the certificate bundle if required. On systems where the user has never run update-ca-certificates the certificate bundle is just a symlink to the copy in /usr and update-ca-certificates.service never runs on boot. If the user does run update-ca-certificates then update-ca-certificates.service will rewrite the bundle only if the directory has not been modified since the last time it ran. There are a few edge cases where if stale hash links may be left if a system provided cert was replaced a subject that is different enough to change the hash but not change the file name. I don't expect that to ever happen though. Also hash collisions between the system certs and each other or user provided certs are not handled gracefully but should be rare. tempfiles will report wrong symlink errors in that case.