fixup! fixup! add common errors section for update-ca-certificates wh…

…en rehashing fails Signed-off-by: Reuben Miller <[email protected]>
thin-edge · Jul 12, 2024 · e68965e · e68965e
1 parent 75781dc
commit e68965e
Showing 1 changed file with 5 additions and 38 deletions.
diff --git a/docs/src/operate/security/cloud-authentication.md b/docs/src/operate/security/cloud-authentication.md
@@ -108,51 +108,18 @@ Older **openssl** versions (e.g. `OpenSSL 1.0.2d 9 Jul 2015`), don't support the
 ```sh
 Updating certificates in /etc/ssl/certs...
 openssl:Error: 'rehash' is an invalid command.
-
-Standard commands
-asn1parse         ca                ciphers           cms               
-crl               crl2pkcs7         dgst              dh                
-dhparam           dsa               dsaparam          ec                
-ecparam           enc               engine            errstr            
-gendh             gendsa            genpkey           genrsa            
-nseq              ocsp              passwd            pkcs12            
-pkcs7             pkcs8             pkey              pkeyparam         
-pkeyutl           prime             rand              req               
-rsa               rsautl            s_client          s_server          
-s_time            sess_id           smime             speed             
-spkac             srp               ts                verify            
-version           x509              
-
-Message Digest commands (see the `dgst' command for more details)
-md4               md5               mdc2              rmd160            
-sha               sha1              
-
-Cipher commands (see the `enc' command for more details)
-aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
-aes-256-cbc       aes-256-ecb       base64            bf                
-bf-cbc            bf-cfb            bf-ecb            bf-ofb            
-camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
-camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
-cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
-des               des-cbc           des-cfb           des-ecb           
-des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
-des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
-des-ofb           des3              desx              idea              
-idea-cbc          idea-cfb          idea-ecb          idea-ofb          
-rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
-rc2-cfb           rc2-ecb           rc2-ofb           rc4               
-rc4-40            seed              seed-cbc          seed-cfb          
-seed-ecb          seed-ofb
 ```
 
-By default, mosquitto requires each ca-certificate to be hashed and without it mosquitto will not be able to connect to the cloud due to SSL verify errors (visible from the mosquitto logs).
-
-The problem can be fixed by running the following one-liner which generates the ca-certificate hashes manually. Beware you, will have to run the one-liner each time you add/remove a ca-certificate using `update-ca-certificates`:
+In this case, use the following steps to add a new certificate, where the ca-certificates rehashing will be manually executed using a one-liner:
 
 ```sh
+sudo cp <full_path_to_the_certificate> /usr/local/share/ca-certificates/
+update-ca-certificates
 sudo sh -c 'cd /etc/ssl/certs; for file in *.pem; do ln -sf "$file" "$(openssl x509 -hash -noout -in "$file")".0; done'
 ```
 
+If you don't rehash the ca-certificates, then mosquitto will not be able to connect to the cloud due to SSL verify errors. Such errors are typically visible from the mosquitto logs, or by starting mosquitto manually on the command console.
+
 :::tip
 You can check if there are any ca-certificate hashes by using the following command: