Package: ca-certificates
Version: 20141019
Tags: patch
If "update-ca-certificates" is called with the "--fresh" option,
it doesn't correctly re-add certificates in
/usr/local/share/ca-certificates. These are ignored.
Although /etc/ssl/certs/ca-certificates.crt is re-created
correctly, extension scripts in /etc/ca-certificates/update.d
are not notified about added certificates.
For example, the file /etc/ssl/certs/java/cacerts, managed by
the package ca-certificates-java, won't be re-created correctly
if it was removed before.
The main cause seems to be that "update-ca-certificates"
doesn't remove symlinks pointing to certificates in
/usr/local/share/ca-certificates ($LOCALCERTSDIR),
but only those pointing to /usr/share/ca-certificates
($CERTSDIR). As a result, the add() function
doesn't add all certificates to $ADDED.
The following example shows the problem:
The CA certificate "Test-CA" is stored in
/usr/local/share/ca-certificates/test/Test-CA.crt:
The first run of "update-ca-certificates --fresh" adds
"Test-CA" as expected:
# update-ca-certificates -f
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... 3 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Replacing debian:QuoVadis_Root_CA.pem
Replacing debian:QuoVadis_Root_CA_2.pem
Adding debian:Test-CA.pem
done.
done.
But a subsequent execution of "update-ca-certificates --fresh"
doesn't re-add "Test-CA":
# update-ca-certificates -f
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... 2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Replacing debian:QuoVadis_Root_CA.pem
Replacing debian:QuoVadis_Root_CA_2.pem
done.
done.
The attached patch contains a fix that might solve the problem.
--- update-ca-certificates.old 2015-04-28 14:11:11.327796700 +0200
+++ update-ca-certificates 2015-04-28 14:12:50.895857560 +0200
@@ -89,7 +89,7 @@
find . -type l -print | while read symlink
do
case $(readlink $symlink) in
- $CERTSDIR*) rm -f $symlink;;
+ $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
esac
done
find . -type l -print | while read symlink
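Review bot: The changed case pattern `$CERTSDIR*|$LOCALCERTSDIR*` is a bare prefix match with unquoted expansions, so a link whose target lies in a sibling directory whose name merely begins with the same string would also be removed, and any glob characters in either variable would be read as pattern syntax. Consider `"$CERTSDIR"/*|"$LOCALCERTSDIR"/*) rm -f "$symlink";;` instead. The `readlink $symlink` call on the line above should quote `$symlink` as well, since a link name containing whitespace is otherwise split into several arguments.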
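The clearing step described in the report, reproduced in a temporary directory as an added example (not the update-ca-certificates script itself): it runs the loop with the pre-patch and the patched `case` pattern and prints which symlinks survive. The sandbox layout, the function names and the empty placeholder certificate files are constructed for illustration; add() and the update.d hooks are not modelled.

```shell
#!/bin/sh
# Constructed sandbox: only a directory created by mktemp is touched.

# Build a throwaway tree mirroring the three directories named in the report.
make_sandbox() {
    root=$(mktemp -d) || return 1
    CERTSDIR=$root/usr/share/ca-certificates
    LOCALCERTSDIR=$root/usr/local/share/ca-certificates
    ETCCERTSDIR=$root/etc/ssl/certs
    mkdir -p "$CERTSDIR" "$LOCALCERTSDIR/test" "$ETCCERTSDIR"
    : > "$CERTSDIR/QuoVadis_Root_CA.crt"        # empty placeholder files,
    : > "$LOCALCERTSDIR/test/Test-CA.crt"       # not real certificates
    ln -s "$CERTSDIR/QuoVadis_Root_CA.crt" "$ETCCERTSDIR/QuoVadis_Root_CA.pem"
    ln -s "$LOCALCERTSDIR/test/Test-CA.crt" "$ETCCERTSDIR/Test-CA.pem"
}

# surviving MODE: run the clearing loop with the pre-patch ("old") or the
# patched ("new") case pattern, then print the symlinks left in ETCCERTSDIR.
surviving() {
    make_sandbox || return 1
    (
        cd "$ETCCERTSDIR" || exit 1
        find . -type l -print | while read -r symlink
        do
            target=$(readlink "$symlink")
            if [ "$1" = old ]; then
                case $target in
                    "$CERTSDIR"*) rm -f "$symlink";;
                esac
            else
                case $target in
                    "$CERTSDIR"*|"$LOCALCERTSDIR"*) rm -f "$symlink";;
                esac
            fi
        done
        # Whatever is still a symlink here was not cleared by the loop.
        find . -type l -print | sed 's|^\./||' | sort
    )
    rm -rf "$root"
}

echo "pre-patch pattern leaves: $(surviving old)"
echo "patched pattern leaves:   $(surviving new)"
```

On a real system the same condition can be checked read-only by listing the symlinks in /etc/ssl/certs whose `readlink` target starts with /usr/local/share/ca-certificates immediately after the "Clearing symlinks" step.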