On 04/28/2015 07:26 AM, Daniel Lutz wrote:
> If "update-ca-certificates" is called with the "--fresh" option,
> it doesn't correctly re-add certificates in
> /usr/local/share/ca-certificates. These are ignored.

They are not ignored. If they exist, they are trusted. Period.

> Although /etc/ssl/certs/ca-certificates.crt is re-created
> correctly, extension scripts in /etc/ca-certificates/update.d
> are not notified about added certificates.
>
> For example, the file /etc/ssl/certs/java/cacerts, managed by
> the package ca-certificates-java, won't be re-created correctly
> if it was removed before.

The cacerts keystore was removed? Removed by what?

> The main cause seems to be that "update-ca-certificates"
> doesn't remove symlinks pointing to certificates in
> /usr/local/share/ca-certificates ($LOCALCERTSDIR),
> but only those pointing to /usr/share/ca-certificates
> (CERTSDIR). As a result, the add() function
> doesn't add all certificates to $ADDED.
>
> The following example shows the problem:
>
> The CA certificate "Test-CA" is stored in
> /usr/local/share/ca-certificates/test/Test-CA.crt:
>
> The first run of "update-ca-certificates --fresh" adds
> "Test-CA" as expected:
>
> # update-ca-certificates -f
> Clearing symlinks in /etc/ssl/certs...done.
> Updating certificates in /etc/ssl/certs... 3 added, 0 removed; done.

Just FYI, from this point, the ca-certificates run is complete, with the exception of calling hooks.

From this point, ca-certificates-java takes its run from the hook.

> Running hooks in /etc/ca-certificates/update.d....
> Replacing debian:QuoVadis_Root_CA.pem
> Replacing debian:QuoVadis_Root_CA_2.pem
> Adding debian:Test-CA.pem
> done.

ca-certificates-java done.

> done.

ca-certificates done.

> But a subsequent execution of "update-ca-certificates --fresh"
> doesn't re-add "Test-CA":

If it is already in the java keystore, there is nothing to add.

> # update-ca-certificates -f
> Clearing symlinks in /etc/ssl/certs...done.
> Updating certificates in /etc/ssl/certs... 2 added, 0 removed; done.
> Running hooks in /etc/ca-certificates/update.d....
> Replacing debian:QuoVadis_Root_CA.pem
> Replacing debian:QuoVadis_Root_CA_2.pem
> done.
> done.

Is it in the keystore already? It should be.

> The attached patch contains a fix that might solve the problem.

I'll have a look, but do we create symlinks to $LOCALCERTSDIR CA certificates? (I haven't looked at all yet.)

Thanks for the bug report - I'll try to dig around on this as soon as I can!

--
Kind regards,
Michael
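The mechanism the report describes (the --fresh clearing step skips symlinks into $LOCALCERTSDIR, so add() never records the local certificate in $ADDED and the update.d hooks never hear about it), as an added sh model. This is not the real update-ca-certificates script and not the attached patch; the shape of add(), the ADDED list and the "buggy"/"fixed" clearing modes are assumptions made for the illustration, and all paths and certificates are constructed under a temporary root.

```shell
# Added example, not the real update-ca-certificates script and not Daniel's
# patch: a simplified model of the symlink-clearing logic described above.
# Everything lives under a temporary root, so it runs unprivileged and offline.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
CERTSDIR="$ROOT/usr/share/ca-certificates"
LOCALCERTSDIR="$ROOT/usr/local/share/ca-certificates"
ETCCERTSDIR="$ROOT/etc/ssl/certs"
mkdir -p "$CERTSDIR" "$LOCALCERTSDIR/test" "$ETCCERTSDIR"
echo "distro cert (constructed)" > "$CERTSDIR/QuoVadis_Root_CA.crt"
echo "local cert (constructed)"  > "$LOCALCERTSDIR/test/Test-CA.crt"

# Hooks in update.d only learn about certificates that add() records in ADDED,
# and add() records a certificate only when it has to create the symlink.
ADDED=""
add() {
  pem="$ETCCERTSDIR/$(basename "$1" .crt).pem"
  if ! test -e "$pem"; then
    ln -s "$1" "$pem"
    ADDED="${ADDED:+$ADDED }$(basename "$pem")"
  fi
}

# The --fresh clearing step. Mode "buggy" removes only symlinks into CERTSDIR
# (the behaviour the report describes); mode "fixed" also removes those into
# LOCALCERTSDIR, so local certificates get re-added and reported to hooks.
clear_symlinks() {
  for link in "$ETCCERTSDIR"/*.pem; do
    target=$(readlink "$link" 2>/dev/null) || continue
    case "$target" in
      "$CERTSDIR"/*) rm -f "$link" ;;
      "$LOCALCERTSDIR"/*) if [ "$1" = fixed ]; then rm -f "$link"; fi ;;
    esac
  done
}

# One "--fresh" run; prints the ADDED list the hooks would receive.
run_fresh() {
  ADDED=""
  clear_symlinks "$1"
  for crt in "$CERTSDIR"/*.crt "$LOCALCERTSDIR"/*/*.crt; do add "$crt"; done
  echo "$ADDED"
}

FIRST=$(run_fresh buggy)        # both certificates are new: both reported
SECOND_BUGGY=$(run_fresh buggy) # Test-CA's symlink survived: not reported
SECOND_FIXED=$(run_fresh fixed) # symlink cleared, so Test-CA is reported again
```

Checking what a hook would see after each run is enough to tell the two clearing modes apart: only in "fixed" mode does Test-CA.pem reappear in the list on the second run.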
