#!/bin/sh
#
# $NetBSD: certctl_init,v 1.3 2023/12/25 07:46:12 kre Exp $
#
# PROVIDE: certctl_init
# REQUIRE: mountcritremote
#
# This script ensures that we run `certctl rehash' on first boot of a
# live image to configure TLS trust anchors for OpenSSL in
# /etc/openssl/certs.  We do this only on first boot by testing whether
# /etc/openssl/certs is an empty directory.
#
# Requires mountcritremote for /usr/sbin/certctl.
#
# This is a stop-gap measure to ensure we get TLS trust anchors with
# live images, which we can't prepare at build time because the
# preparation requires running openssl(1) as a tool.  This stop-gap
# measure should perhaps be replaced by a more general-purpose way to
# run postinstall on first boot of the image, but that's a riskier
# proposition to implement on short notice for netbsd-10.

# Pull in the rc.d framework.  With $_rc_subr_loaded unset or empty
# this line is simply `. /etc/rc.subr'; a caller that has already
# loaded it can set the variable to a no-op command (presumably `:')
# so that the file is not sourced a second time.
$_rc_subr_loaded . /etc/rc.subr

# Service identity.  start_cmd names the shell function to run for
# "start"; stop_cmd is `:', so "stop" does nothing.
name=certctl_init
rcvar=$name
start_cmd=$name
stop_cmd=:
# certctl_init --
#	Populate the OpenSSL trust anchor directory with `certctl rehash'
#	when it still looks like a pristine first boot, i.e. when
#	/etc/openssl/certs does not exist or is an empty directory.
#
#	Returns 0 without doing anything when the path is already
#	configured; otherwise returns the exit status of `certctl rehash'.
#
#	NOTE: emptiness is the only first-boot marker checked here, so a
#	directory that is emptied later is treated as first boot again
#	the next time this runs.
certctl_init()
{
	local trustdir

	trustdir=/etc/openssl/certs

	# A symlink is never the first boot's initial configuration.
	if [ -h "$trustdir" ]; then
		return
	fi

	# Neither is something that exists but is not a directory.
	if [ -e "$trustdir" ] && ! [ -d "$trustdir" ]; then
		return
	fi

	# Nor is a directory that already has entries.  find(1) is given
	# the path with -f so it cannot be taken for an option, and
	# `-exit 1' makes find exit with status 1 when the directory
	# matches -empty.  A zero status therefore means "not empty".
	if [ -d "$trustdir" ] &&
	    find -f "$trustdir" -- -maxdepth 0 -type d -empty -exit 1
	then
		return
	fi

	# Nonexistent or empty: build the trust anchors now.  certctl is
	# found via PATH; the file header expects /usr/sbin/certctl.
	echo "Configuring TLS trust anchors."
	certctl rehash
}
# Load this service's configuration, then dispatch on the action given
# as the script's first argument.
load_rc_config "$name"
run_rc_command "$1"