Upgrade to ca-certificates to 20180409 causes ca-certificates.crt to be removed if duplicate certs found

perhaps a proper fix is for ubuntu-sso-client to release a new python-ubuntu-sso-client package in bionic that doesn't include this UbuntuOne-Go_Daddy_Class_2_CA.pem now that ca-certificates package has the CA.

However, I'd still like to see duplicate certs not causing ca-certificates.crt to be deleted.

I was able to recreate this when upgrading a Ubuntu 16.04 chroot to Ubuntu 18.04 by editing /etc/apt/sources.list from xenial to bionic and running 'apt-get dist-upgrade'.

Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
rehash: skipping duplicate certificate in Go_Daddy_Class_2_CA.pem
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned error exit status 1

I added some commentary to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895473

I haven't tested this, but probably reverting https://salsa.debian.org/debian/ca-certificates/commit/1bc87e0b41a04551a93d4e784e158b044c18792a would get us back to a working state.

Here's the thread on debian-devel that describes the motivation for the change:

https://lists.debian.org/debian-devel/2018/04/msg00058.html

Thanks

For people experiencing this bug if the duplicate certificate is Go_Daddy_Class_2_CA.pem provided by python-ubuntu-sso-client you can resolve this by purging the package e.g.

"sudo apt-get purge python-ubuntu-sso-client"

Reverting the commit Laney identified did resolve the issue for me.

(xenial-amd64)root@impulse:/home/bdmurray/tmp# dpkg -i ca-certificates_20180409ubuntu1_all.deb
(Reading database ... 34380 files and directories currently installed.)
Preparing to unpack ca-certificates_20180409ubuntu1_all.deb ...
Unpacking ca-certificates (20180409ubuntu1) over (20170717~16.04.1) ...
Setting up ca-certificates (20180409ubuntu1) ...
Updating certificates in /etc/ssl/certs...
WARNING: Skipping duplicate certificate Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate Go_Daddy_Class_2_CA.pem
8 added, 23 removed; done.
Processing triggers for ca-certificates (20180409ubuntu1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Digging into this further openssl's code apps/rehash.c returns 1 when a duplicate certificate is found.

https://github.com/openssl/openssl/blob/master/apps/rehash.c#L126

While c_rehash.c just returns.

https://github.com/openssl/openssl/blob/master/tools/c_rehash.in#L172

This bug was fixed in the package openssl - 1.1.0g-2ubuntu4

---------------
openssl (1.1.0g-2ubuntu4) bionic; urgency=medium

  * debian/patches/rehash-pass-on-dupes.patch: Don't return 1 when a duplicate
    certificate is found. (LP: #1764848)

 -- Brian Murray <email address hidden> Wed, 25 Apr 2018 10:03:48 -0700

"Wenn Sie in diesen weiteren Code von openssl eintauchen, gibt apps / rehash.c 1 zurück, wenn ein doppeltes Zertifikat gefunden wird.

https: // github. com / openssl / openssl / blob / master / apps / rehash. c # L126

Während c_rehash.c gerade zurückkehrt.

https: // github. com / openssl / openssl / blob / master / tools / c_ rehash. in # L172"

Sorry, my Ubuntu knowledge is obviously not as good as yours. Can you help me to implement your proposal. How can I change the code of openssl?

I know as an end-user it would be nice to be prompted about what to do with a duplicate certificate. That way when you are install more than one packages you will not have to run "apt install -f" to get things working.

The code of openssl does not need changing a new version of the package has been uploaded to the archive for Ubuntu 18.04.