Make sure any new certificate files added to the trust have a line break at the
end; otherwise the END footer of one certificate and the BEGIN header of the
next are joined onto the same line, and openssl (Nix's) won't accept that.
I haven't verified whether macOS's openssl behaves the same way. Either way,
add that line break at the end.
You may have to sudo edit /etc/ssl/certs/ca-certificates.crt, because once the
main trust file is broken, Nix won't be able to download from sources such as
github.com anymore.
Look for a line like this, which is likely to be near the bottom of the file:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
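The following is an added example, not part of the original notes: a small POSIX sh script that detects the fused END/BEGIN marker described above in a PEM bundle, checks that the file ends with a newline, and repairs it by splitting the joined line. The certificate bodies it writes are constructed placeholders, not real certificates, and the file path it operates on is whatever you pass in (the example uses a mktemp file, not the system trust store).

```shell
#!/bin/sh
# Added example (not from the original notes): detect and repair PEM bundles
# where a missing trailing newline fused "-----END CERTIFICATE-----" with the
# next "-----BEGIN CERTIFICATE-----". Works with plain POSIX tools (grep, awk,
# tail), so it behaves the same on Linux and macOS.

FUSED='-----END CERTIFICATE----------BEGIN CERTIFICATE-----'

# Print the number of lines carrying a fused END/BEGIN marker (0 means none).
count_fused_markers() {
    grep -c -- "$FUSED" "$1" || true
}

# Succeed (exit 0) only if the bundle has no fused markers and ends in a newline.
# "$(tail -c 1 file)" is empty when the last byte is a newline, because command
# substitution strips trailing newlines.
bundle_is_clean() {
    [ "$(count_fused_markers "$1")" -eq 0 ] && [ -z "$(tail -c 1 "$1")" ]
}

# Rewrite the bundle so each END marker ends its line and each BEGIN marker
# starts one; awk's print also guarantees a trailing newline. The result is
# copied back with cat so the file's owner and permissions are preserved
# (relevant when the file is the system trust store).
repair_bundle() {
    tmp=$(mktemp)
    awk -v fused="$FUSED" '{
        gsub(fused, "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----")
        print
    }' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Write a constructed broken bundle to the given path: two placeholder
# certificates, the first without a trailing newline (so its END footer is
# fused with the second BEGIN header) and no newline at end of file.
make_broken_sample() {
    printf '%s\n%s\n%s\n%s\n%s' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIConstructedPlaceholderCertificateOne' \
        "$FUSED" \
        'MIIConstructedPlaceholderCertificateTwo' \
        '-----END CERTIFICATE-----' > "$1"
}

# Demo run on a temporary file (never on the real trust store).
demo=$(mktemp)
make_broken_sample "$demo"
echo "fused markers before repair: $(count_fused_markers "$demo")"
repair_bundle "$demo"
echo "fused markers after repair:  $(count_fused_markers "$demo")"
bundle_is_clean "$demo" && echo "bundle is clean"
rm -f "$demo"
```

Run it against a copy of /etc/ssl/certs/ca-certificates.crt first (`bundle_is_clean copy.crt || repair_bundle copy.crt`), then diff the copy against the original before touching the system file with sudo. A gsub with a dynamic regex is used rather than a fixed string so the check stays a single pattern that both the detector and the repair share.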
This doesn't work yet, but this is the idea.
echo "$host" 1>&2
leaf=$(mktemp)
# Fetch the server's certificate. openssl x509 keeps only the first
# certificate s_client prints, i.e. the leaf; the intermediates from
# -showcerts are discarded here.
echo | \
openssl s_client \
-servername "$host" \
-connect "$host:443" \
-showcerts \
| openssl x509 -out "$leaf"
# There is a linebreak missing sometimes, so just add one.
echo >> "$leaf"
namei -l "$leaf"
# chmod 777 "$leaf"
cat "$leaf" 1>&2
echo "^^^^ the cert should be above where the arrows point, not on this line." 1>&2
echo "$cafile" 1>&2
echo "openssl verify -CAfile $cafile $leaf" 1>&2
# Verifying a leaf against a root bundle alone fails when the chain needs an
# intermediate; intermediates would have to be supplied with -untrusted.
openssl verify -CAfile "$cafile" "$leaf"
rm -f "$leaf"
I still can't get this to work.
My fake substitution will probably have to be corrected to test this again.