      1 #!/bin/sh
      2 #
      3 # $NetBSD: certctl_init,v 1.3 2023/12/25 07:46:12 kre Exp $
      4 #
      5 # PROVIDE: certctl_init
      6 # REQUIRE: mountcritremote
      7 #
      8 # This script ensures that we run `certctl rehash' on first boot of a
      9 # live image to configure TLS trust anchors for OpenSSL in
     10 # /etc/openssl/certs.  We do this only on first boot by testing whether
     11 # /etc/openssl/certs is an empty directory.
     12 #
     13 # Requires mountcritremote for /usr/sbin/certctl.
     14 #
     15 # This is a stop-gap measure to ensure we get TLS trust anchors with
     16 # live images, which we can't prepare at build time because the
     17 # preparation requires running openssl(1) as a tool.  This stop-gap
     18 # measure should perhaps be replaced by a more general-purpose way to
     19 # run postinstall on first boot of the image, but that's a riskier
     20 # proposition to implement on short notice for netbsd-10.
     21 
# Pull in the rc(8) framework helpers (load_rc_config, run_rc_command, ...).
# The leading expansion lets an already-initialised rc.subr short-circuit
# this: rc.subr is expected to set _rc_subr_loaded to ':' once sourced,
# which turns the line into a no-op; when the variable is unset the line
# reduces to `. /etc/rc.subr'.
$_rc_subr_loaded . /etc/rc.subr

# rc.subr service description.  `name' is the service identifier and, via
# rcvar, the rc.conf(5) knob (certctl_init=YES) that enables this script.
name="certctl_init"
rcvar=${name}
# "start" runs the function below; "stop" is deliberately a no-op because
# there is nothing to undo once the trust anchors have been written.
start_cmd="certctl_init"
stop_cmd=":"
     28 
certctl_init()
{
	# First-boot hook: populate the OpenSSL trust anchor directory by
	# running `certctl rehash', but only if that directory has never
	# been set up.  "Never set up" means /etc/openssl/certs either does
	# not exist or is an empty directory; anything else (a symlink, a
	# non-directory, a directory with contents) is left untouched.
	#
	# Arguments: none used (rc.subr invokes this as start_cmd).
	# Outputs:   a one-line progress message on stdout before rehashing.
	# Returns:   0 when there is nothing to do; otherwise the exit
	#            status of `certctl rehash'.
	local certsdir

	certsdir=/etc/openssl/certs

	# A symlink is never treated as first boot, whatever it points at.
	if [ -h "$certsdir" ]; then
		return
	fi

	# Exists but is not a directory: not ours to touch.
	if [ -e "$certsdir" ] && ! [ -d "$certsdir" ]; then
		return
	fi

	# Nonempty directory: already configured.  The find(1) expression
	# examines only the directory itself (-maxdepth 0) and makes find
	# exit with status 1 when that is an empty directory, so the &&
	# chain succeeds exactly when the directory has contents.
	# Note: a rehash that fails after writing anything into the
	# directory presumably leaves it nonempty, in which case this guard
	# means the rehash is not retried on a later boot.
	if [ -d "$certsdir" ] &&
	    find -f "$certsdir" -- -maxdepth 0 -type d -empty -exit 1; then
		return
	fi

	# Nonexistent or empty directory: first boot, set up the anchors.
	echo "Configuring TLS trust anchors."
	certctl rehash
}
     51 
# Merge rc.conf(5) settings for this service, then dispatch the requested
# action ("start", "stop", ...) given as the script argument to the
# *_cmd handlers set above.
load_rc_config $name
run_rc_command "$1"
     54