diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index b93ab056a..a5bca3b9c 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -985,7 +985,10 @@ function system_trust_configure($verbose = false)
 $ca_bundle[] = file_get_contents($file);
 }
 $ca_bundle = join("\n", $ca_bundle);
- foreach (['/etc/ssl/cert.pem', '/usr/local/openssl/cert.pem', '/usr/local/etc/ssl/cert.pem'] as $pem) {
+ foreach (['/etc/ssl/cert.pem', '/usr/local/openssl/cert.pem'] as $pem) {
+ @unlink($pem); /* remove permanently as we use the directory */
+ }
+ foreach (['/usr/local/etc/ssl/cert.pem'] as $pem) {
 @unlink($pem); /* do not clobber symlink target */
 file_put_contents($pem, $ca_bundle);
 chmod($pem, 0644);
@@ -1142,7 +1145,7 @@ function system_cron_configure($verbose = false)
 $crontab_contents .= "# /etc/crontab, see the crontab(5) manual page.\n";
 $crontab_contents .= "SHELL=/bin/sh\n";
 $crontab_contents .= "PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin\n";
- $crontab_contents .= "REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem\n";
+ $crontab_contents .= "REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem\n";
 $crontab_contents .= "#minute\thour\tmday\tmonth\twday\tcommand\n";
 foreach ($autocron as $item) {
diff --git a/src/etc/rc b/src/etc/rc
index d434b601e..6a6ded20a 100755
--- a/src/etc/rc
+++ b/src/etc/rc
@@ -38,7 +38,7 @@ trap "echo 'Boot interrupted'; exit 1" 3
 HOME=/
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
+REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
 ZPOOL_IMPORT_PATH=/dev
 export HOME PATH REQUESTS_CA_BUNDLE ZPOOL_IMPORT_PATH
diff --git a/src/etc/rc.syshook b/src/etc/rc.syshook
index 2135b87e4..0bdc44552 100755
--- a/src/etc/rc.syshook
+++ b/src/etc/rc.syshook
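Review bot: The rewrite of `/usr/local/etc/ssl/cert.pem` in the second loop unlinks the old bundle and then calls `file_put_contents` and `chmod` without checking either result, so a failed write leaves the path empty or missing while every consumer this commit points at it (cron's REQUESTS_CA_BUNDLE, rc, rc.syshook, configd.conf, LDAP.php, tls_helper.py) fails TLS verification with nothing logged to explain why. There is also a window between the `@unlink` and the write in which a concurrent client finds no trust store at all. Writing to a sibling temp file and `rename()`-ing it over the target removes that window, still replaces a symlink instead of writing through it (the reason the unlink was there), and gives one failure point to report. The loop's closing brace and the rest of system_trust_configure lie outside the hunk.
```php
foreach (['/usr/local/etc/ssl/cert.pem'] as $pem) {
    /* stage beside the target and rename() over it: readers always see either the
       old bundle or the new one, and rename replaces a symlink instead of following it */
    $tmp = "{$pem}.tmp";
    if (file_put_contents($tmp, $ca_bundle) === false || !chmod($tmp, 0644) || !rename($tmp, $pem)) {
        @unlink($tmp);
        /* TODO: report the failed bundle write through the file's logging helper */
    }
```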
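Review bot: The bundle path on the changed line is now the literal `/usr/local/etc/ssl/cert.pem` repeated in this hunk, the rc and rc.syshook hunks, configd.conf, LDAP.php and tls_helper.py, with system_trust_configure writing the same literal one hunk up; the next relocation needs the same seven-file edit, and a missed copy silently points a client at a bundle that no longer exists. On the PHP side one constant defined next to system_trust_configure, e.g. `define('CA_BUNDLE_PATH', '/usr/local/etc/ssl/cert.pem');`, used here and in LDAP.php would keep the writer and the PHP readers in step; the shell, conf and Python copies could each carry a one-line comment naming system_trust_configure as the source of truth so a reader knows what to update. system_cron_configure starts and ends outside the hunk.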
@@ -42,7 +42,7 @@ # suffix is moved to the new subdirectory during a request.
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
+REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
 SYSDIR="/usr/local/etc/rc.syshook.d"
 SYSLEVEL="${1}"
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 0bbc95846..7feea4b83 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -349,7 +349,7 @@ class LDAP extends Base implements IAuthConnector
 // Note: All TLS options must be set before ldap_connect is called
 if ($this->ldapURLType != "standard") {
 ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
- ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
+ ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/usr/local/etc/ssl/cert.pem');
 } else {
 ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
 }
diff --git a/src/opnsense/service/conf/configd.conf b/src/opnsense/service/conf/configd.conf
index 350c1b558..fa6d2287b 100644
--- a/src/opnsense/service/conf/configd.conf
+++ b/src/opnsense/service/conf/configd.conf
@@ -4,5 +4,5 @@ pid_filename:/var/run/configd.pid
 [environment]
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
-REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
+REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem
 HOME=/
diff --git a/src/opnsense/site-python/tls_helper.py b/src/opnsense/site-python/tls_helper.py
index a4cf7680b..aba65eee3 100644
--- a/src/opnsense/site-python/tls_helper.py
+++ b/src/opnsense/site-python/tls_helper.py
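Review bot: The changed line in LDAP.php hands the new bundle path to `LDAP_OPT_X_TLS_CACERTFILE` without checking that the file exists; together with `LDAP_OPT_X_TLS_HARD` on the line above this should fail closed when the bundle is missing, which is right, but the operator only sees a generic connect or bind failure afterwards. A `file_exists()` check that logs the missing bundle before the option is set would make the cause visible, and a short comment saying this is the file written by system_trust_configure would tie the reader to the writer, since nothing on this side records that. The new literal also switches to single quotes while the `"standard"` comparison two lines up keeps double quotes; the file should settle on one form. The enclosing method starts and ends outside the hunk.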
@@ -73,7 +73,7 @@ class PlatformTLSAdaptor(HTTPAdapter):
 ctx_args['ciphers'] = openssl_conf['cipherstring']
 cls.ssl_context = create_urllib3_context(**ctx_args)
- cls.ssl_context.load_verify_locations('/etc/ssl/cert.pem')
+ cls.ssl_context.load_verify_locations('/usr/local/etc/ssl/cert.pem')
 if openssl_conf['minprotocol']:
 for item in openssl_conf['minprotocol'].split("\n"):
 if item == 'TLSv1':