Re: Again on security/gnutls certificate store
Date: Sat, 13 Aug 2022 09:51:26 UTC
On Sat, 13 Aug 2022 10:35:21 +0200 Andrea Venturoli <ml@netfence.it> wrote:
> Hello.
>
> I'm building my ports with Poudriere using quarterly branch. Also I need
> a private CA (whose cert is correctly hashed in /etc/ssl/certs).
>
> Some time ago, since gnutls didn't pick up my cert, I reported #260723
> (security/gnutls uses only security/ca_root_nss as certificate store)
> This bug was referring to the case where P11KIT option was off.
>
> Recently, however, building net/glib-networking will fail unless P11KIT
> option is ON.
> In this latter case gnutls delegates certificate management to p11-kit
> (forgive me if this is not 100% correct, but I think this is enough in
> this context), which, again, doesn't pick up my cert.
>
> So I'm asking what to do:
> _ reopen the old bug (the problem is still the same, but with a
> different configuration)?
> _ open a new bug, still against gnutls?
> _ open a bug against p11-kit?
>
> bye & Thanks
> av.

Try this patch for p11-kit. If it works you can file a bug against p11-kit, because I believe ports are supposed to move away from ca_root_nss.

--- a/security/p11-kit/Makefile +++ b/security/p11-kit/Makefile @@ -25,7 +25,7 @@ MESON_ARGS= -Dbash_completion=enabled \ -Dlibffi=enabled \ -Dnls=false \ -Dtrust_module=enabled \ - -Dtrust_paths=${LOCALBASE}/share/certs/ca-root-nss.crt + -Dtrust_paths=/etc/ssl/certs OPTIONS_DEFINE= DOCS MANPAGES TEST OPTIONS_SUB= yes
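
Review bot: the new `-Dtrust_paths=/etc/ssl/certs` line removes `${LOCALBASE}/share/certs/ca-root-nss.crt` as a trust source instead of adding the base-system directory next to it, so the trust module's anchors now depend entirely on what is present in /etc/ssl/certs on the host or jail where the package runs. If that directory is empty or missing there, every gnutls consumer that goes through p11-kit would have no anchors and certificate verification would fail with no hint pointing at this build option. Consider either listing both locations, if `trust_paths` accepts more than one path, or stating in the commit message that the port now relies solely on the base-system store and that any certificate placed in /etc/ssl/certs becomes trusted by all p11-kit consumers. The hunk also does not show whether the port still depends on ca_root_nss; if it does, that dependency should be reviewed together with this line.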