NetBSD Problem Report #59778

From www@netbsd.org  Thu Nov 20 07:29:55 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 7B58C1A9239
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 20 Nov 2025 07:29:55 +0000 (UTC)
Message-Id: <20251120072953.CF0731A923A@mollari.NetBSD.org>
Date: Thu, 20 Nov 2025 07:29:53 +0000 (UTC)
From: cryintothebluesky@gmail.com
Reply-To: cryintothebluesky@gmail.com
To: gnats-bugs@NetBSD.org
Subject: postinstall: opensslcertsrehash limited to DEST_DIR=/
X-Send-Pr-Version: www-1.0

>Number:         59778
>Category:       bin
>Synopsis:       postinstall: opensslcertsrehash limited to DEST_DIR=/
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 20 07:30:00 +0000 2025
>Last-Modified:  Thu Nov 20 08:00:02 +0000 2025
>Originator:     Sad Clouds
>Release:        10.1_STABLE
>Organization:
>Environment:
NetBSD rp3 10.1_STABLE NetBSD 10.1_STABLE (GENERIC64) #0: Mon Nov 17 17:11:27 UTC 2025  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm
>Description:
I have two NetBSD root partitions - primary and secondary. These are used as boot environments; if an upgrade goes wrong on the primary, I can boot into the secondary and repair files on the primary.

When I perform OS upgrades, I boot into the primary boot environment and upgrade the secondary, then boot into the secondary and upgrade the primary. Everything works apart from the postinstall script:

postinstall checks failed: opensslcertsrehash
To fix, run:
    sh /mnt/usr/sbin/postinstall -s sets/etc.tar.xz -d /mnt fix opensslcertsrehash
Note that this may overwrite local changes.
*** All done
rp3# sh /mnt/usr/sbin/postinstall -s sets/etc.tar.xz -d /mnt fix opensslcertsrehash
Note: Creating temporary directory /tmp/_postinstall.1716.0/etc.tgz
Note: Extracting files from sets/etc.tar.xz
Source directory: /tmp/_postinstall.1716.0/etc.tgz
 (extracted from: sets/etc.tar.xz)
Target directory: /mnt
opensslcertsrehash fix:
        opensslcertsrehash limited to DEST_DIR=/
postinstall fixes passed:
postinstall fixes failed: opensslcertsrehash

I get the comment in the postinstall script which executes "certctl rehash" - "This runs openssl(1), which is not available as a build-time tool." However, in some cases (like mine) it is the same machine architecture, just a different root hierarchy located on the primary or secondary partition.

I can work around this manually, but can I make a suggestion for a small enhancement? It would be quite easy to check at runtime if certctl is either not available or not executable and only then fail with the above error message. Alternatively, call certctl unconditionally and return an error if that fails.
>How-To-Repeat:

>Fix:

>Audit-Trail:
From: Sad Clouds <cryintothebluesky@gmail.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org
Subject: Re: bin/59778: postinstall: opensslcertsrehash limited to
 DEST_DIR=/
Date: Thu, 20 Nov 2025 07:55:55 +0000

 Forgot to add, this is what I would suggest to add to postinstall:

 if [ "$DEST_DIR" != "/" ]; then    # during etcupdate/postinstall
   # Check that $DEST_DIR/usr/sbin/certctl exists and can be executed
   if [ -x "$DEST_DIR/usr/sbin/certctl" ]; then
     [ ! -d "$DEST_DIR/dev" ] && mkdir "$DEST_DIR/dev"
     mount_null /dev "$DEST_DIR/dev" && chroot "$DEST_DIR" certctl rehash
     umount "$DEST_DIR/dev"
   fi
 fi
