[Pkg-openssl-devel] Bug#996048: postfix-mta-sts-resolver: autopkgtest doesn't handle new version of ca-certificates nicely: rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL
Julien Cristau
jcristau at debian.org
Tue Oct 19 08:13:56 BST 2021
On Mon, Oct 18, 2021 at 11:05:14PM +0200, Kurt Roeckx wrote:
> On Mon, Oct 18, 2021 at 10:40:59PM +0200, Julien Cristau wrote:
> > On Mon, Oct 18, 2021 at 02:50:50PM +0200, Benjamin Hof wrote:
> > > Hi,
> > >
> > > I think the following change might be the relevant one:
> > >
> > > --- a/update-ca-certificates
> > > +++ b/update-ca-certificates
> > > @@ -164,8 +164,6 @@
> > > done
> > > fi
> > >
> > > -rm -f "$CERTBUNDLE"
> > > -
> > > ADDED_CNT=$(wc -l < "$ADDED")
> > > REMOVED_CNT=$(wc -l < "$REMOVED")
> > >
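Review bot: with `rm -f "$CERTBUNDLE"` dropped just above the `ADDED_CNT`/`REMOVED_CNT` lines, the previous bundle is still in place when the later `openssl rehash` step runs, and nothing in this hunk accounts for the "does not contain exactly one certificate or CRL" warning that rehash then writes to stderr for that file, which is what the autopkgtest in this bug's subject trips over. Suggest pairing the removal with handling of that one expected warning at the rehash call, for example filtering only the line that names the bundle while letting every other rehash warning through, and leaving a short comment at this spot explaining why the bundle is intentionally no longer deleted.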
> > > It triggers this stderr output during openssl rehash (l. 184):
> > >
> > > rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
> > >
> > Ah, that makes sense. Annoying...
> >
> > Kurt/Sebastian, do you think there's a chance openssl rehash could grow
> > some sort of ignore option so update-ca-certificates could ask it to
> > skip ca-certificates.crt, to avoid spitting out a warning for it?
>
> As in rehash all files in that directory, excluding a file? I
> guess that's an option. I guess it's not an option to move the
> file to a different location.
>
Exactly. /etc/ssl/certs/ca-certificates.crt is the package's main
"interface" so I suspect it'd be quite painful to move. Likewise moving
the certs and hash symlinks themselves would break packages/scripts
looking them up that way.

The other option for me would be to revert the fix for bug #920348.

Thanks,
Julien