[Pkg-openssl-devel] Bug#996048: Bug#996048: postfix-mta-sts-resolver: autopkgtest doesn't handle new version of ca-certificates nicely: rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL

Adrian Bunk bunk at debian.org
Mon Nov 8 13:57:00 GMT 2021


On Tue, Oct 19, 2021 at 09:13:56AM +0200, Julien Cristau wrote:
> On Mon, Oct 18, 2021 at 11:05:14PM +0200, Kurt Roeckx wrote:
> > On Mon, Oct 18, 2021 at 10:40:59PM +0200, Julien Cristau wrote:
> > > On Mon, Oct 18, 2021 at 02:50:50PM +0200, Benjamin Hof wrote:
> > > > Hi,
> > > > 
> > > > I think the following change might be the relevant one:
> > > > 
> > > >     --- a/update-ca-certificates
> > > >     +++ b/update-ca-certificates
> > > >     @@ -164,8 +164,6 @@
> > > >        done
> > > >      fi
> > > > 
> > > >     -rm -f "$CERTBUNDLE"
> > > >     -
> > > >      ADDED_CNT=$(wc -l < "$ADDED")
> > > >      REMOVED_CNT=$(wc -l < "$REMOVED")
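Review bot: the removed `rm -f "$CERTBUNDLE"` line was what kept the bundle out of the directory while the later rehash step runs, and the hunk puts nothing in its place. With the file left where it is, rehash sees a multi-certificate ca-certificates.crt and writes the "skipping" warning quoted below to stderr. If the bundle has to stay in place, the same change should handle that one expected warning at the rehash call, for instance by filtering only that line from its stderr. A short comment at this spot should also say why the removal was dropped.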
> > > > 
> > > > It triggers this stderr output during openssl rehash (l. 184):
> > > > 
> > > >     rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
> > > > 
> > > Ah, that makes sense.  Annoying...
> > > 
> > > Kurt/Sebastian, do you think there's a chance openssl rehash could grow
> > > some sort of ignore option so update-ca-certificates could ask it to
> > > skip ca-certificates.crt, to avoid spitting out a warning for it?
> > 
> > As in rehash all files in that directory, excluding a file? I
> > guess that's an option. I guess it's not an option to move the
> > file to a different location.
> > 
> Exactly.  /etc/ssl/certs/ca-certificates.crt is the package's main
> "interface" so I suspect it'd be quite painful to move.  Likewise moving
> the certs and hash symlinks themselves would break packages/scripts
> looking them up that way.
> 
> The other option for me would be to revert the fix for bug #920348.

In any case, there is nothing happening here specific to 
postfix-mta-sts-resolver, the same problem would happen with
any other package that does not permit stderr output in the
autopkgtest when upgrading ca-certificates is tested.

The failing part of the autopkgtest is a testing->unstable upgrade of
ca-certificates.

Any objections to reassigning this to ca-certificates?

> Thanks,
> Julien

cu
Adrian
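As an added illustration (not part of the original message, and not code from ca-certificates or OpenSSL), this script approximates the condition behind the rehash warning by counting PEM BEGIN markers in each candidate file of a directory. The function names, the temporary directory and the placeholder PEM bodies are constructed for the example.

```shell
#!/bin/sh
# Added example: report files that do not hold exactly one certificate or CRL,
# which is the condition the rehash warning in this thread complains about.
# Assumption: counting PEM BEGIN markers is a good enough stand-in for parsing.

# count_pem_objects FILE: print the number of certificate/CRL BEGIN markers.
count_pem_objects() {
    # grep -c exits 1 on zero matches but still prints 0; keep going.
    grep -c -E '^-----BEGIN (X509 CRL|(TRUSTED |X509 )?CERTIFICATE)-----' "$1" || true
}

# would_skip DIR: print "name count" for every candidate file whose count != 1.
# Only the extensions rehash looks at (.pem .crt .cer .crl) are considered.
would_skip() {
    for f in "$1"/*.pem "$1"/*.crt "$1"/*.cer "$1"/*.crl; do
        [ -f "$f" ] || continue          # unmatched glob or not a file
        n=$(count_pem_objects "$f")
        [ "$n" -eq 1 ] || printf '%s %s\n' "$(basename "$f")" "$n"
    done
}

# demo: build a constructed certs directory and run the check over it.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed placeholder PEM block; the body is not a real certificate.
    one='-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----'
    printf '%s\n' "$one" > "$d/example-root.pem"                # one object
    printf '%s\n%s\n' "$one" "$one" > "$d/ca-certificates.crt"  # bundle of two
    : > "$d/empty.crt"                                          # no objects
    would_skip "$d"
    rm -rf "$d"
}

demo
```

Run against a real certificate directory with `would_skip /etc/ssl/certs` to see which files a stderr-intolerant test would trip over.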


