[Pkg-openssl-devel] Bug#996048: Bug#996048: postfix-mta-sts-resolver: autopkgtest doesn't handle new version of ca-certificates nicely: rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL

Julien Cristau jcristau at debian.org
Tue Jan 11 17:58:46 GMT 2022


Control: reassign -1 postfix-mta-sts-resolver

On Mon, Nov 08, 2021 at 03:57:00PM +0200, Adrian Bunk wrote:
> On Tue, Oct 19, 2021 at 09:13:56AM +0200, Julien Cristau wrote:
> > On Mon, Oct 18, 2021 at 11:05:14PM +0200, Kurt Roeckx wrote:
> > > On Mon, Oct 18, 2021 at 10:40:59PM +0200, Julien Cristau wrote:
> > > > On Mon, Oct 18, 2021 at 02:50:50PM +0200, Benjamin Hof wrote:
> > > > > Hi,
> > > > > 
> > > > > I think the following change might be the relevant one:
> > > > > 
> > > > >     --- a/update-ca-certificates
> > > > >     +++ b/update-ca-certificates
> > > > >     @@ -164,8 +164,6 @@
> > > > >        done
> > > > >      fi
> > > > > 
> > > > >     -rm -f "$CERTBUNDLE"
> > > > >     -
> > > > >      ADDED_CNT=$(wc -l < "$ADDED")
> > > > >      REMOVED_CNT=$(wc -l < "$REMOVED")
> > > > > 
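
Review bot: dropping `rm -f "$CERTBUNDLE"` at this spot leaves the existing bundle in the certs directory while the rest of the script runs, and the hunk gives no comment explaining why or what follows from it. As the message notes, the later `openssl rehash` step (l. 184) then finds a file that holds more than one certificate and prints its "skipping ca-certificates.crt" warning on stderr, which callers that treat stderr output as failure will trip over. Suggest a comment here recording that the bundle is kept in place on purpose, and dealing with that one expected warning at the rehash call instead of letting it through.
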
> > > > > It triggers this stderr output during openssl rehash (l. 184):
> > > > > 
> > > > >     rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
> > > > > 
> > > > Ah, that makes sense.  Annoying...
> > > > 
> > > > Kurt/Sebastian, do you think there's a chance openssl rehash could grow
> > > > some sort of ignore option so update-ca-certificates could ask it to
> > > > skip ca-certificates.crt, to avoid spitting out a warning for it?
> > > 
> > > As in rehash all files in that directory, excluding a file? I
> > > guess that's an option. I guess it's not an option to move the
> > > file to a different location.
> > > 
> > Exactly.  /etc/ssl/certs/ca-certificates.crt is the package's main
> > "interface" so I suspect it'd be quite painful to move.  Likewise moving
> > the certs and hash symlinks themselves would break packages/scripts
> > looking them up that way.
> > 
> > The other option for me would be to revert the fix for bug #920348.
> 
> In any case, there is nothing happening here specific to 
> postfix-mta-sts-resolver, the same problem would happen with
> any other package that does not permit stderr output in the
> autopkgtest when upgrading ca-certificates is tested.
> 
> The failing part of the autopkgtest is a testing->unstable upgrade of
> ca-certificates.
> 
> Any objections to reassigning this to ca-certificates?
> 
After thinking about this a bit more I think ca-certificates is doing
the right thing here, and permitting this stderr output is a reasonable
workaround for affected packages until we can avoid the warning with an
openssl change.

Cheers,
Julien
