iocage jails: how to properly install x509 root certificates?

[Dwarf Cavendish]

Today I mostly successfully managed to create new iocage jails based on FreeBSD 11.1 so that I do not have to stay stuck on FreeBSD 11 in my jails. One small, yet important thing though: I found out that iocage jails do not come with x509 root certificates. I tried installing openssl (using pkg), but that didn't work. By accident I discovered that installing curl also sets up root certificates, albeit with the warning that the FreeBSD team cannot take responsibility for the complaince of those certificates.

So... is this just a standard disclaimer or should I actually take action to install certificates the proper way? And in the latter case: how?

 

[Jailer]

pkg install ca_root_nss

https://www.freshports.org/security/ca_root_nss/

 

[Dwarf Cavendish]

pkg install ca_root_nss

https://www.freshports.org/security/ca_root_nss/

Ah, thanks! I tried this and it reported back that the packages were already installed, so I suppose that I'm all good then. Is there any way to inspect whether the proper certificates are being used?

 

[danb35]

ca_root_nss is installed as a dependency of curl, which is why you now have it. It’s the “standard” bundle of root certs.

 

[Dwarf Cavendish]

I see. I take it that curl doesn't know about the certificates installed as its dependency and hence shows the warning, but it still feels a bit silly. But good to know that it's all fine :) .

 

[danb35]

curl doesn't know about the certificates

It should. What warning are you seeing?

 

[Dwarf Cavendish]

It should. What warning are you seeing?

Something about that the FreeBSD team cannot take responsibility for RFC something compliance. I'll recreate it in a test jail once I'm home today.

 

[danb35]

You should see that when you install the ca_root_nss package, but not afterward.

 

[Dwarf Cavendish]

Well, since it was installed as a dependency it makes sense that I saw it as I installed curl :) .

 

[danb35]

Oh, that message showed when you installed curl? Yes, that’s perfectly normal. I thought you meant it showed when you ran curl, which wouldn’t be normal.