
touch-packages team mailing list archive

[Bug 1472378] Re: upgrading ca-certificates results in broken certificate chains

 

Looking at the changelog:
 20111025: Drop bogus c_rehash on upgrades, ...
 20110421:   * Depend on openssl 1.0.0 and force a call of c_rehash so that we have both the old and new style of symlinks.  (Closes: #611102)

I fully suspect that the bug was introduced upstream in Oct 2011.
If that's the case, then Ubuntu introduced it 2014-03-05 with the security update to 20130906ubuntu0.12.04.1.

At this point in time, this bug only affects machines upgrading from
lucid to precise, and can be worked around by running c_rehash manually
after do-release-upgrade finishes.  It probably deserves to languish
without fixes until precise EOL in 2017, and then get closed as fully
uninteresting.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1472378

Title:
  upgrading ca-certificates results in broken certificate chains

Status in ca-certificates package in Ubuntu:
  New

Bug description:
  Found this (finally) upgrading a web server from lucid to precise (via
  do-release-upgrade):

  Preparing to replace ca-certificates 20141019ubuntu0.10.04.1 (using .../ca-certificates_20141019ubuntu0.12.04.1_all.deb) ...^M
  Unpacking replacement ca-certificates ...^M
  ...
  Setting up openssl (1.0.1-4ubuntu5.31) ...^M
  Installing new version of config file /etc/ssl/openssl.cnf ...^M
  Setting up ca-certificates (20141019ubuntu0.12.04.1) ...^M
  Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.^M
  Running hooks in /etc/ca-certificates/update.d....done.^M
  Setting up netbase (4.47ubuntu1) ...^M
  ...

  And everything is broken.  Sometime between lucid and precise, the
  hash function seems to have changed (there are 2 hashes per pemfile in
  precise, and 1 per pemfile in lucid), and update-ca-certificates goes
  "nothing to do here" instead of "hey, I need to rerun c_rehash to
  generate the other symlink".

  To reproduce: install a lucid box, and do-release-upgrade

  lamont

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1472378/+subscriptions
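
A check for the state this report describes, as an added example (not part of the original message or of the ca-certificates package): for each *.pem file in a certificate directory, it reports which style of subject-hash symlink is missing. The function names and output format are assumptions; `-subject_hash` and `-subject_hash_old` are `openssl x509` options in OpenSSL 1.0.0 and later.

```shell
#!/bin/sh
# Added example: find certificates whose hash symlinks are incomplete.
# OpenSSL 1.0.0+ looks certificates up by the new-style subject hash;
# older releases used the old-style hash. A directory that was only
# ever rehashed by the older release has old-style links alone.
# Usage: missing_hash_links /etc/ssl/certs

# has_link DIR HASH CERT: succeeds if some DIR/HASH.N has the same
# content as CERT (the .N suffix disambiguates hash collisions).
has_link() {
    hl_dir=$1; hl_hash=$2; hl_cert=$3
    for hl_link in "$hl_dir/$hl_hash".*; do
        [ -e "$hl_link" ] || continue          # unmatched glob or dangling link
        cmp -s "$hl_link" "$hl_cert" && return 0
    done
    return 1
}

# missing_hash_links DIR: prints "<file> <style> <hash>" for every
# *.pem in DIR that lacks a symlink of that style; prints nothing
# when every certificate has both.
missing_hash_links() {
    mh_dir=$1
    for mh_cert in "$mh_dir"/*.pem; do
        [ -f "$mh_cert" ] || continue
        mh_new=$(openssl x509 -noout -subject_hash -in "$mh_cert" 2>/dev/null) || continue
        mh_old=$(openssl x509 -noout -subject_hash_old -in "$mh_cert" 2>/dev/null) || continue
        has_link "$mh_dir" "$mh_new" "$mh_cert" ||
            echo "$(basename "$mh_cert") new-style $mh_new"
        has_link "$mh_dir" "$mh_old" "$mh_cert" ||
            echo "$(basename "$mh_cert") old-style $mh_old"
    done
}
```

Any output line means the directory needs the manual c_rehash run mentioned in the message above.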

