[Bug 1764848] Re: Upgrade to ca-certificates to 20180409 causes ca-certificates.crt to be removed if duplicate certs found

[Paul]

I know as an end-user it would be nice to be prompted about what to do
with a duplicate certificate. That way when you are install more than
one packages you will not have to run "apt install -f" to get things
working.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1764848

Title:
  Upgrade to ca-certificates to 20180409 causes ca-certificates.crt to
  be removed if duplicate certs found

Status in Ubuntu Single Sign On Client:
  New
Status in ca-certificates package in Ubuntu:
  Invalid
Status in openssl package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Bionic:
  Invalid
Status in openssl source package in Bionic:
  Fix Released
Status in ca-certificates package in Debian:
  New

Bug description:
  The certificate /usr/share/ca-
  certificates/mozilla/Go_Daddy_Class_2_CA.crt in package ca-
  certificates is conflicting with /etc/ssl/certs/UbuntuOne-
  Go_Daddy_Class_2_CA.pem from package python-ubuntu-sso-client.

  This results in the postinst trigger for ca-certificates to remove the
  /etc/ssl/certs/ca-certificates.crt file.  This happens because the
  postinst trigger runs update-ca-certificates --fresh.

  If I run update-ca-certificates without the --fresh flag, the conflict
  is a non-issue and the ca-certificates.crt file is restored.

  If I understand some of the postinst code correctly, --fresh should
  only be run if called directly or if upgrading from a ca-certificates
  version older than 2011.

  Running bionic with daily -updates channel and ran into this this
  morning due to the release of ca-certificates version 20180409.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-sso-client/+bug/1764848/+subscriptions