upgrading ca-certificates results in broken certificate chains

Bug #1472378 reported by LaMont Jones on 2015-07-07
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Undecided
Unassigned

Bug Description

Found this (finally) upgrading a web server from lucid to precise (via do-release-upgrade):

Preparing to replace ca-certificates 20141019ubuntu0.10.04.1 (using .../ca-certificates_20141019ubuntu0.12.04.1_all.deb) ...^M
Unpacking replacement ca-certificates ...^M
...
Setting up openssl (1.0.1-4ubuntu5.31) ...^M
Installing new version of config file /etc/ssl/openssl.cnf ...^M
Setting up ca-certificates (20141019ubuntu0.12.04.1) ...^M
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.^M
Running hooks in /etc/ca-certificates/update.d....done.^M
Setting up netbase (4.47ubuntu1) ...^M
...

And everything is broken. sometime between lucid and precise, the hash function seems to have changed (there are 2 hashes per pemfile in precise, and 1 per pemfile in lucid), and update-ca-certificates goes "nothing to do here" instead of "hey, I need to rerun c_rehash to generate the other symlink".

to reproduce: install a lucid box, and do-release-upgrade

lamont

LaMont Jones (lamont) wrote :

Looking at the changelog:
 20111025: Drop bogus c_rehash on upgrades, ...
 20110421: * Depend on openssl 1.0.0 and force a call of c_rehash so that we have both the old and new style of symlinks. (Closes: #611102)

I fully suspect that the bug was introduced upstream in oct 2011.
If that's the case, then ubuntu introduced it 2014-03-05 with the security update to 20130906ubuntu0.12.04.1.

At this point in time, this bug only affects machines upgrading from lucid to precise, and can be worked around by running c_rehash manually after do-release-upgrades finishes. It probably deserves to languish without fixes until precise EOL in 2017, and then get closed as fully uninteresting.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers