Comment 0 for bug 1931174

Forwarded from https://bugs.debian.org/989575

From the original report:
    I use "ca-certs" to supply additional certificates. With just one certiticate everything
    works as expected, however when provided more than one, cloud-init adds them into a single
    file which causes "openssl rehash" to fail as it expects exactly one certificate per file.
    As the result programmes using openssl doen not trus certificates issued by provided CAs.

The issue was reported against 20.2, but I have confirmed that the behavior is unchanged in 21.2.

One possible approach to the solution would be to store each certificate individually in files named something like cloud-init-ca-cert-0.pem, cloud-init-ca-cert-1.pem, etc.

Note that this breaks certificate usage only when performing verification using openssl's path-based verification functionality. Since all certificates in /etc/ssl/certs/ are concatenated into /etc/ssl/certs/ca-certificates.pem, that file can still be used to perform file-based verification. (See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_file.html for a description of these two modes, if you're not familiar.)