FS#1684 - improve the default configuration for p11-kit / gnutls

Attached to Project: CRUX
Opened by Fun (fun) - Sunday, 07 October 2018, 12:11 GMT
Last edited by Danny Rawlins (Romster) - Saturday, 04 May 2019, 05:05 GMT
Task Type Improvement
Category ports → core/opt
Status Closed
Assigned To Danny Rawlins (Romster)
Operating System CRUX
Severity Low
Priority Normal
Reported Version 3.4
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


gnutls and any other program linking against it will fail with the default configuration if they rely on p11-kit alone to verify certificates.

For example:

gnutls-cli -p 443

will fail with:

The certificate is NOT trusted. The certificate issuer is unknown.

strace shows that /etc/ssl/cert.pem is read (probably by p11-kit), but no CA certificate is considered ('Processed 0 CA certificate(s)').

The following commands make gnutls-cli work:

cd /etc/ssl
# p11-kit only treats certificates under an anchors/ subdirectory of a trust path as CA anchors
mkdir anchors
cp cert.pem anchors/
# Export the anchors p11-kit now knows about and expose them in /etc/ssl/certs
trust extract --filter=ca-anchors --format=pem-bundle /etc/ssl/extracted
for f in /etc/ssl/extracted/*; do ln -fsr -t /etc/ssl/certs "$f"; done

A README or a post-install script will be appreciated by anyone stumbling on this issue. It is not clear to me how p11-kit works, but the next links might help improve these ports:

opt/gnutls and contrib/gcr are the only official ports depending on p11-kit, but gnutls is picked up by more ports (including gnupg) as a soft dependency.
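The reporter's fix works because p11-kit's trust module treats PEM files in an anchors/ subdirectory of a directory trust path as CA anchors, while files directly in the directory (like the original /etc/ssl/cert.pem) are read but not flagged as anchors, which is what "Processed 0 CA certificate(s)" reflects. The following diagnostic is an added example, not part of this ticket or of the CRUX ports; it assumes a directory-style trust path and counts PEM certificate blocks instead of parsing the certificates.

```shell
#!/bin/sh
# Added diagnostic for the p11-kit / gnutls trust-store symptom reported
# above (not part of the ticket or of the CRUX ports). Assumption: the path
# being checked is a directory trust path in p11-kit's layout, where PEM
# files in <path>/anchors are CA anchors and files directly in <path> are
# loaded without the anchor flag. Certificate blocks are counted, not parsed.

# Count "-----BEGIN CERTIFICATE-----" blocks in the regular files directly
# under a directory (symlinks to files count). Prints 0 for a missing dir.
pem_count_in_dir() {
    total=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        c=$(awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$f")
        total=$((total + c))
    done
    echo "$total"
}

# Certificates p11-kit would treat as CA anchors for this directory path.
anchor_count() { pem_count_in_dir "$1/anchors"; }

# Certificates sitting at the top level: read by p11-kit, but not anchors.
unanchored_count() { pem_count_in_dir "$1"; }

# Print a summary and return 0 only when at least one anchor is present.
check_trust_path() {
    anchors=$(anchor_count "$1")
    loose=$(unanchored_count "$1")
    echo "$1: $anchors anchor certificate(s), $loose unanchored certificate(s)"
    [ "$anchors" -gt 0 ]
}

# Constructed fixture mirroring the reported layout: a bundle with two dummy
# certificate blocks at the top level and no anchors/ directory yet.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...dummy' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'MIIB...dummy' '-----END CERTIFICATE-----' > "$dir/cert.pem"
    echo "$dir"
}

# Usage: sh check_trust.sh /etc/ssl [MORE_PATHS...]; the trust paths p11-kit
# was built with are printed by: pkg-config --variable=p11_trust_paths p11-kit-1
for p in "$@"; do check_trust_path "$p"; done
```

Run it against the paths reported by pkg-config before and after creating the anchors/ directory; a non-zero unanchored count with zero anchors reproduces the report's condition.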
Closed by Danny Rawlins (Romster)
Saturday, 04 May 2019, 05:05 GMT
Reason for closing: Fixed
Additional comments about closing: this should be working correctly now