touch-packages team mailing list archive

Thread
Date

[Bug 1472378] [NEW] upgrading ca-certificates results in broken certificate chains

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: LaMont Jones <lamont.jones@xxxxxxxxxxxxx>
Date: Tue, 07 Jul 2015 19:38:40 -0000
Reply-to: Bug 1472378 <1472378@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Found this (finally) upgrading a web server from lucid to precise (via
do-release-upgrade):

Preparing to replace ca-certificates 20141019ubuntu0.10.04.1 (using .../ca-certificates_20141019ubuntu0.12.04.1_all.deb) ...^M
Unpacking replacement ca-certificates ...^M
...
Setting up openssl (1.0.1-4ubuntu5.31) ...^M
Installing new version of config file /etc/ssl/openssl.cnf ...^M
Setting up ca-certificates (20141019ubuntu0.12.04.1) ...^M
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.^M
Running hooks in /etc/ca-certificates/update.d....done.^M
Setting up netbase (4.47ubuntu1) ...^M
...

And everything is broken.  sometime between lucid and precise, the hash
function seems to have changed (there are 2 hashes per pemfile in
precise, and 1 per pemfile in lucid), and update-ca-certificates goes
"nothing to do here" instead of "hey, I need to rerun c_rehash to
generate the other symlink".

to reproduce: install a lucid box, and do-release-upgrade

lamont

** Affects: ca-certificates (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1472378

Title:
  upgrading ca-certificates results in broken certificate chains

Status in ca-certificates package in Ubuntu:
  New

Bug description:
  Found this (finally) upgrading a web server from lucid to precise (via
  do-release-upgrade):

  Preparing to replace ca-certificates 20141019ubuntu0.10.04.1 (using .../ca-certificates_20141019ubuntu0.12.04.1_all.deb) ...^M
  Unpacking replacement ca-certificates ...^M
  ...
  Setting up openssl (1.0.1-4ubuntu5.31) ...^M
  Installing new version of config file /etc/ssl/openssl.cnf ...^M
  Setting up ca-certificates (20141019ubuntu0.12.04.1) ...^M
  Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.^M
  Running hooks in /etc/ca-certificates/update.d....done.^M
  Setting up netbase (4.47ubuntu1) ...^M
  ...

  And everything is broken.  sometime between lucid and precise, the
  hash function seems to have changed (there are 2 hashes per pemfile in
  precise, and 1 per pemfile in lucid), and update-ca-certificates goes
  "nothing to do here" instead of "hey, I need to rerun c_rehash to
  generate the other symlink".

  to reproduce: install a lucid box, and do-release-upgrade

  lamont

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1472378/+subscriptions

Follow ups

[Bug 1472378] Re: upgrading ca-certificates results in broken certificate chains
From: LaMont Jones, 2015-07-07