>> For example, the file /etc/ssl/certs/java/cacerts, managed by
>> the package ca-certificates-java, won't be re-created correctly
>> if it was removed before.
> 
> The cacerts keystore was removed? Removed by what?

I actually manually removed /etc/ssl/java/cacerts myself.
I tried to force the re-creation of /etc/ssl/java/cacerts,
to clean up old entries, among others. I thought I could do this
by manually removing /etc/ssl/java/cacerts and running
"update-ca-certificates --fresh" afterwards. It actually works,
but only certificates available in /usr/share/ca-certificates
($CERTSDIR) are added to /etc/ssl/certs/java/cacerts.

My approach seems not to be intended by update-ca-certificates
(or by the package "ca-certificates-java", respectively).
So I may just have used update-ca-certificates in a wrong way.
In this sense, my bug report might not be valid at all.

But still, I assume that update-ca-certificates should handle
certificates in /usr/local/share/ca-certificates ($LOCALCERTSDIR)
in a similar way as those in /usr/share/ca-certificates ($CERTSDIR).
I think it doesn't do so while calling the hooks in
/etc/ca-certificates/update.d:

>> But a subsequent execution of "update-ca-certificates --fresh"
>> doesn't re-add "Test-CA":
> 
> If it is already in the java keystore, there is nothing to add.

The hooks in /etc/ca-certificates/update.d are called to re-add/
update/replace certificates in $CERTSDIR, but not for those in
$LOCALCERTSDIR. Is this intended behaviour?
Actually, the (enabled) certificates in $CERTSDIR should already
be in the java keystore, too. (So it might not be needed to call
the hooks at all.)

>> The attached patch contains a fix that might solve the problem.
> 
> I'll have a look, but do we create symlinks to $LOCALCERTSDIR CA
> certificates? (I haven't looked at all, yet)

Yes, the function add() creates such links.

> Thanks for the bug report - I'll try to dig around on this as soon as I
> can!

Thank you for having a look at it. (But it's not urgent at all.)

In case you think my bug report is not valid at all, because I used
update-ca-certificates in a non-intended way, feel free to just
close this bug.

Best regards,
Daniel

