Package: ca-certificates
Version: 20180409
Severity: serious

Upgrading ca-certificates from 20170717 to 20180409 fails for me as
follows on one machine:

Before unpacking, I have been shown this dialog, which I acknowledged
by pressing enter:

          ┌────────────────────────┤ ca-certificates configuration ├─────────────────────────┐
          │ During upgrades, new certificates will be added. Please choose those you trust.  │
          │                                                                                  │
          │ New certificates to activate:                                                    │
          │                                                                                  │
          │    [ ] mozilla/GDCA_TrustAUTH_R5_ROOT.crt                                        │
          │    [ ] mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt                   │
          │    [ ] mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt                │
          │    [ ] mozilla/SSL.com_Root_Certification_Authority_ECC.crt                      │
          │    [ ] mozilla/SSL.com_Root_Certification_Authority_RSA.crt                      │
          │    [ ] mozilla/TrustCor_ECA-1.crt                                                │
          │    [ ] mozilla/TrustCor_RootCert_CA-1.crt                                        │
          │    [ ] mozilla/TrustCor_RootCert_CA-2.crt                                        │
          │                                                                                  │
          │                                                                                  │
          │                                      <Ok>                                        │
          │                                                                                  │
          └──────────────────────────────────────────────────────────────────────────────────┘

Unpacking went fine:

Preparing to unpack .../04-ca-certificates_20180409_all.deb ...
Unpacking ca-certificates (20180409) over (20170717) ...

The first as well as the second try to configure ca-certificates
failed identically:

Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt not found, but listed in /etc/ca-certificates.conf.
rehash: skipping DST_ACES_CA_X6.pem, cannot open file
rehash: skipping AddTrust_Qualified_Certificates_Root.pem, cannot open file
rehash: skipping UTN_USERFirst_Hardware_Root_CA.pem, cannot open file
rehash: skipping AddTrust_Public_Services_Root.pem, cannot open file
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned error exit status 4
[…]
Errors were encountered while processing:
 ca-certificates
[…]
E: Sub-process /usr/bin/dpkg returned an error code (1)
[…]
Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt not found, but listed in /etc/ca-certificates.conf.
rehash: skipping DST_ACES_CA_X6.pem, cannot open file
rehash: skipping AddTrust_Qualified_Certificates_Root.pem, cannot open file
rehash: skipping UTN_USERFirst_Hardware_Root_CA.pem, cannot open file
rehash: skipping AddTrust_Public_Services_Root.pem, cannot open file
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned error exit status 4
Errors were encountered while processing:
 ca-certificates

On other sid installations (including architectures amd64, i386 and
armhf), the upgrade worked fine, although most (if not all) of my
systems have similar ca-certificates settings, namely
"ca-certificates/trust_new_crts: ask" and just a few CAs
selected. It is, though, very likely that the actual list of CAs
differs from installation to installation, as I enabled further ones
per machine as needed.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.66
ii  openssl                1.1.0h-2

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
  ca-certificates/new_crts:
  ca-certificates/title:
* ca-certificates/enable_crts: CAcert/class3.crt, CAcert/root.crt, 
mozilla/AddTrust_External_Root.crt, mozilla/AddTrust_Public_Services_Root.crt, 
mozilla/AddTrust_Qualified_Certificates_Root.crt, mozilla/DST_ACES_CA_X6.crt, 
mozilla/DST_Root_CA_X3.crt, mozilla/Deutsche_Telekom_Root_CA_2.crt, 
mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/GeoTrust_Global_CA.crt, 
mozilla/GlobalSign_ECC_Root_CA_-_R4.crt, 
mozilla/GlobalSign_ECC_Root_CA_-_R5.crt, mozilla/GlobalSign_Root_CA.crt, 
mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/GlobalSign_Root_CA_-_R3.crt, 
mozilla/Go_Daddy_Class_2_CA.crt, 
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, 
mozilla/QuoVadis_Root_CA.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, 
mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, 
mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, 
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt, 
mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, 
mozilla/USERTrust_ECC_Certification_Authority.crt, 
mozilla/USERTrust_RSA_Certification_Authority.crt, 
mozilla/UTN_USERFirst_Hardware_Root_CA.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, 
mozilla/VeriSign_Universal_Root_Certification_Authority.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt,
* ca-certificates/trust_new_crts: ask

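Added example, not part of the original report and not code from the ca-certificates package: a POSIX shell check that lists entries still selected in a ca-certificates.conf-style file whose certificate file is missing, which is the condition the "W: ... not found, but listed in /etc/ca-certificates.conf" lines above report. The function names and the demo fixture are constructed for illustration.

```shell
#!/bin/sh
# stale_ca_entries CONF CERTDIR
# Prints every entry that is selected in CONF but has no file below CERTDIR.
# Returns 1 if at least one such entry exists, 0 otherwise.
# In ca-certificates.conf, '#' starts a comment and '!' marks a deselected
# certificate; every other non-empty line is a path relative to CERTDIR.
stale_ca_entries() {
    conf=$1
    certdir=$2
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|'!'*) continue ;;   # blank, comment, deselected
        esac
        if [ ! -f "$certdir/$line" ]; then
            printf '%s\n' "$line"
            found=1
        fi
    done < "$conf"
    return "$found"
}

# Constructed fixture (not the reporter's system): two selected entries,
# one deselected entry, one comment; only DST_Root_CA_X3.crt exists on disk.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/certs/mozilla"
    : > "$tmp/certs/mozilla/DST_Root_CA_X3.crt"
    cat > "$tmp/ca-certificates.conf" <<'EOF'
# constructed sample
mozilla/DST_Root_CA_X3.crt
mozilla/DST_ACES_CA_X6.crt
!mozilla/TrustCor_ECA-1.crt
EOF
    rc=0
    stale_ca_entries "$tmp/ca-certificates.conf" "$tmp/certs" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "stale entries found in the constructed sample" >&2
```

On a Debian system the same function can be pointed at the paths named in the log: `stale_ca_entries /etc/ca-certificates.conf /usr/share/ca-certificates`.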