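#!/bin/sh
#
# $NetBSD: certctl_init,v 1.1 2023/09/27 00:24:13 riastradh Exp $
#
# PROVIDE: certctl_init
# REQUIRE: mountcritremote
#
# This script ensures that we run `certctl rehash' on first boot of a
# live image to configure TLS trust anchors for OpenSSL in
# /etc/openssl/certs.  We do this only on first boot by testing whether
# /etc/openssl/certs is an empty directory.
#
# Requires mountcritremote for /usr/sbin/certctl.
#
# This is a stop-gap measure to ensure we get TLS trust anchors with
# live images, which we can't prepare at build time because the
# preparation requires running openssl(1) as a tool.  This stop-gap
# measure should perhaps be replaced by a more general-purpose way to
# run postinstall on first boot of the image, but that's a riskier
# proposition to implement on short notice for netbsd-10.

$_rc_subr_loaded . /etc/rc.subr

name="certctl_init"
rcvar=${name}
start_cmd="certctl_init"
stop_cmd=":"

# certctl_init -- populate /etc/openssl/certs on first boot.
#
# Runs `certctl rehash' only when /etc/openssl/certs is nonexistent or
# an empty directory.  Any other state -- a symlink, a non-directory,
# or a nonempty directory -- is taken to mean the trust store has
# already been configured (by an earlier boot or by the administrator)
# and is left alone, so an existing trust store is never rewritten.
#
# NOTE: a partially populated directory (e.g. left behind by an
# interrupted rehash) also counts as "already configured" and is not
# retried; run `certctl rehash' by hand to recover from that.
#
# Arguments: none
# Outputs:   a progress message on stdout when rehashing
# Returns:   0 when there is nothing to do, otherwise the exit status
#            of `certctl rehash'
certctl_init()
{
	local certsdir

	certsdir=/etc/openssl/certs

	# Check for a symlink first: -d follows symlinks, so a link to
	# some other directory would otherwise be mistaken for the real
	# trust store.  The obsolescent `-a' operator of test(1) is
	# avoided in favour of separate tests joined with `&&'.
	#
	# find(1) exits 1 (via -exit) exactly when certsdir is an empty
	# directory, so the last group succeeds only for a nonempty one.
	if [ -h "$certsdir" ] ||
	   { [ -e "$certsdir" ] && [ ! -d "$certsdir" ]; } ||
	   { [ -d "$certsdir" ] &&
	     find -f "$certsdir" -- \
		-maxdepth 0 -type d -empty -exit 1; }
	then
		return 0
	fi

	# Otherwise, if /etc/openssl/certs is nonexistent or is an
	# empty directory, run `certctl rehash'.
	echo "Configuring TLS trust anchors."
	certctl rehash
}

load_rc_config $name
run_rc_command "$1"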