[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt

Wed Sep 28 13:23:25 UTC 2011

While this wont happen with current ca-certificates, I think we should revert the changes which caused this bug:
in Debian's 20110421 QA upload, a c_rehash call was added to postinst for upgrades from versions <= 20090814+nmu3, this was an attempt to rebuild the symlinks in /etc/ssl/certs, but because update-ca-certificates wasn't removing /etc/ssl/cert/ca-certificates.crt, it did generate one symlink to this file for the first certificate.  With the Debian change from openssl 1.0.0e-1 to support multiple certificates in one file, this probably took even worse proportions.  However this probably depended on the order in which c_rehash processed files; it just does readdir() and generates links for the first certificate of each .pem and .crt file it finds.

Now in 20110502+nmu1ubuntu1/20110502+nmu1ubuntu2, a call was added to
properly regenerate the links, but kept the plain c_rehash call *after*
it in the postinst, so that it might trigger when upgrading from <=
20090814+nmu3 (so upgrades from natty or lucid will cause this).

Because of the new call I've added in20110502+nmu1ubuntu4  to
regenerates certs when upgrading from <= 20110502+nmu1ubuntu4, this
should be fixed for oneiric users.

Now, what needs to be fixed:
* plain c_rehash is wrong in any case; also an issue in Debian (and the rm needs to be copied there too)
* postinst has tons of update-ca-certificates calls, mine is the strongest one as it affects all updates (from natty); all of these should be dropped after oneiric

Now this could be fixed in oneiric + 1, but it would be clearer to
remove these now to prevent any regression when removing the postinst
snippets (e.g. leaving the plain c_rehash call alone after oneiric would
be wrong).

** Changed in: ca-certificates (Ubuntu Oneiric)
       Status: Fix Released => Triaged

** Changed in: ca-certificates (Ubuntu Oneiric)
    Milestone: ubuntu-11.10-beta-2 => None

** Changed in: ca-certificates (Ubuntu Oneiric)
     Assignee: Steve Langasek (vorlon) => Loïc Minier (lool)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/854927

Title:
  c_rehash creating bogus links to ca-certificates.crt

Status in “ca-certificates” package in Ubuntu:
  Triaged
Status in “openssl” package in Ubuntu:
  Fix Released
Status in “ca-certificates” source package in Oneiric:
  Triaged
Status in “openssl” source package in Oneiric:
  Fix Released
Status in “ca-certificates” package in Debian:
  New

Bug description:
  $ wget https://www.google.com
  --2011-09-20 18:12:46--  https://www.google.com/
  Resolving www.google.com... 209.85.169.105, 209.85.169.106, 209.85.169.147, ...
  Connecting to www.google.com|209.85.169.105|:443... connected.
  ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
    Unable to locally verify the issuer's authority.
  To connect to www.google.com insecurely, use `--no-check-certificate'.

  $ curl -sS https://launchpad.net 
  curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: openssl 1.0.0e-2ubuntu1
  ProcVersionSignature: User Name 3.0.0-11.18-virtual 3.0.4
  Uname: Linux 3.0.0-11-virtual i686
  ApportVersion: 1.23-0ubuntu1
  Architecture: i386
  Date: Tue Sep 20 18:11:11 2011
  Ec2AMI: ami-00000090
  Ec2AMIManifest: FIXME
  Ec2AvailabilityZone: nova
  Ec2InstanceType: m1.small
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: openssl
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/854927/+subscriptions