54 lines
1.5 KiB
Bash
54 lines
1.5 KiB
Bash
#!/bin/sh
|
|
#
|
|
# $NetBSD: certctl_init,v 1.3 2023/12/25 07:46:12 kre Exp $
|
|
#
|
|
# PROVIDE: certctl_init
|
|
# REQUIRE: mountcritremote
|
|
#
|
|
# This script ensures that we run `certctl rehash' on first boot of a
|
|
# live image to configure TLS trust anchors for OpenSSL in
|
|
# /etc/openssl/certs. We do this only on first boot by testing whether
|
|
# /etc/openssl/certs is an empty directory.
|
|
#
|
|
# Requires mountcritremote for /usr/sbin/certctl.
|
|
#
|
|
# This is a stop-gap measure to ensure we get TLS trust anchors with
|
|
# live images, which we can't prepare at build time because the
|
|
# preparation requires running openssl(1) as a tool. This stop-gap
|
|
# measure should perhaps be replaced by a more general-purpose way to
|
|
# run postinstall on first boot of the image, but that's a riskier
|
|
# proposition to implement on short notice for netbsd-10.
|
|
|
|
$_rc_subr_loaded . /etc/rc.subr
|
|
|
|
name="certctl_init"
|
|
rcvar=${name}
|
|
start_cmd="certctl_init"
|
|
stop_cmd=":"
|
|
|
|
certctl_init()
|
|
{
|
|
local certsdir
|
|
|
|
certsdir=/etc/openssl/certs
|
|
|
|
# If /etc/openssl/certs is a symlink, or exists but is not a
|
|
# directory, or is a directory but is nonempty, then we're not
|
|
# in the first boot's initial configuration. So do nothing.
|
|
if [ -h "$certsdir" ] ||
|
|
{ [ -e "$certsdir" ] && ! [ -d "$certsdir" ] ; } ||
|
|
( [ -d "$certsdir" ] &&
|
|
find -f "$certsdir" -- -maxdepth 0 -type d -empty -exit 1 )
|
|
then
|
|
return
|
|
fi
|
|
|
|
# Otherwise, if /etc/openssl/certs is nonexistent or is an
|
|
# empty directory, run `certctl rehash'.
|
|
echo "Configuring TLS trust anchors."
|
|
certctl rehash
|
|
}
|
|
|
|
load_rc_config $name
|
|
run_rc_command "$1"
|