On Mon, Oct 18, 2021 at 11:05:14PM +0200, Kurt Roeckx wrote: > On Mon, Oct 18, 2021 at 10:40:59PM +0200, Julien Cristau wrote: > > On Mon, Oct 18, 2021 at 02:50:50PM +0200, Benjamin Hof wrote: > > > Hi, > > > > > > I think the following change might be the relevant one: > > > > > > --- a/update-ca-certificates > > > +++ b/update-ca-certificates > > > @@ -164,8 +164,6 @@ > > > done > > > fi > > > > > > -rm -f "$CERTBUNDLE" > > > - > > > ADDED_CNT=$(wc -l < "$ADDED") > > > REMOVED_CNT=$(wc -l < "$REMOVED") > > > > > > It triggers this stderr output during openssl rehash (l. 184): > > > > > > rehash: warning: skipping ca-certificates.crt,it does not contain > > > exactly one certificate or CRL > > > > > Ah, that makes sense. Annoying... > > > > Kurt/Sebastian, do you think there's a chance openssl rehash could grow > > some sort of ignore option so update-ca-certificates could ask it to > > skip ca-certificates.crt, to avoid spitting out a warning for it? > > As in rehash all files in that directory, excluding a file? I > guess that's an option. I guess it's not an option to move the > file to a different location. > Exactly. /etc/ssl/certs/ca-certificates.crt is the package's main "interface" so I suspect it'd be quite painful to move. Likewise moving the certs and hash symlinks themselves would break packages/scripts looking them up that way.
The other option for me would be to revert the fix for bug #920348.

Thanks,
Julien
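Review bot: Dropping `rm -f "$CERTBUNDLE"` just above the `ADDED_CNT=` line leaves ca-certificates.crt in the directory when the rehash step at l. 184 runs, so each run now prints the "skipping ca-certificates.crt" warning on stderr. If the bundle has to stay in place at this point, the hunk should carry a comment saying why, and the rehash step should account for that one expected warning (or rehash should gain a way to skip the file, as asked in this thread), so that a known-benign message does not bury rehash warnings about files that really are malformed.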