upgrading ca-certificates results in broken certificate chains
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ca-certificates (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Found this (finally) upgrading a web server from lucid to precise (via do-release-
Preparing to replace ca-certificates 20141019ubuntu0
Unpacking replacement ca-certificates ...
...
Setting up openssl (1.0.1-4ubuntu5.31) ...
Installing new version of config file /etc/ssl/
Setting up ca-certificates (20141019ubuntu
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-
Setting up netbase (4.47ubuntu1) ...
...
And everything is broken. Sometime between lucid and precise, the hash function seems to have changed (there are 2 hashes per pemfile in precise, and 1 per pemfile in lucid), and update-
To reproduce: install a lucid box, and do-release-upgrade.
lamont
Looking at the changelog:
20111025: Drop bogus c_rehash on upgrades, ...
20110421: * Depend on openssl 1.0.0 and force a call of c_rehash so that we have both the old and new style of symlinks. (Closes: #611102)
I fully suspect that the bug was introduced upstream in Oct 2011. .12.04. 1.
If that's the case, then Ubuntu introduced it 2014-03-05 with the security update to 20130906ubuntu0
At this point in time, this bug only affects machines upgrading from lucid to precise, and can be worked around by running c_rehash manually after do-release-upgrade finishes. It probably deserves to languish without fixes until precise EOL in 2017, and then get closed as fully uninteresting.
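A check for the state lamont describes, added here as an example and not part of the bug report, the ca-certificates package or the c_rehash script: it walks a certificate directory and reports which PEM files lack the new-style (`-subject_hash`, OpenSSL 1.0.x) or old-style (`-subject_hash_old`, OpenSSL 0.9.8) `<hash>.N` symlinks that c_rehash would create, and can create the missing ones. It assumes the `openssl` CLI is on PATH and that the directory layout matches /etc/ssl/certs (relative symlinks next to the PEM files); the function names, the generated test CA and the paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the ca-certificates package).
# Assumes: openssl CLI on PATH, GNU readlink. Paths/names are hypothetical.

# Report every .pem in $1 that has no <hash>.N symlink of the given style
# ("new" = -subject_hash, "old" = -subject_hash_old) pointing back at it.
# Returns 0 when every certificate is linked, 1 otherwise.
check_hash_links() {
    dir=$1
    style=${2:-new}
    missing=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        if [ "$style" = old ]; then
            h=$(openssl x509 -in "$pem" -noout -subject_hash_old)
        else
            h=$(openssl x509 -in "$pem" -noout -subject_hash)
        fi
        found=0
        # c_rehash numbers collisions <hash>.0, <hash>.1, ...: accept any suffix
        for link in "$dir/$h".[0-9]*; do
            [ -e "$link" ] || continue
            if [ "$(readlink -f "$link")" = "$(readlink -f "$pem")" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing $style-style link $h.N for $(basename "$pem")"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Create "<hash>.N" -> "<name>" in $1, picking the first free N; a no-op
# when a link for this certificate already exists under that hash.
link_one() {
    dir=$1
    h=$2
    name=$3
    n=0
    while [ -e "$dir/$h.$n" ]; do
        [ "$(readlink "$dir/$h.$n")" = "$name" ] && return 0
        n=$((n + 1))
    done
    ln -s "$name" "$dir/$h.$n"
}

# Create both styles of link for every .pem in $1, as c_rehash from
# OpenSSL 1.0.x does, so that 0.9.8- and 1.0.x-linked clients both resolve.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        link_one "$dir" "$(openssl x509 -in "$pem" -noout -subject_hash)" "$(basename "$pem")"
        link_one "$dir" "$(openssl x509 -in "$pem" -noout -subject_hash_old)" "$(basename "$pem")"
    done
}

# Build a throwaway certificate directory with one self-signed CA (constructed
# test input, not a real CA) so the functions above can be exercised offline.
make_test_certdir() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Added Example Test CA" \
        -keyout "$dir/test-ca.key" -out "$dir/test-ca.pem" >/dev/null 2>&1
}

# Usage: sh this.sh --check /etc/ssl/certs   (read-only report of both styles)
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    check_hash_links "$2" new
    check_hash_links "$2" old
fi
```

On a box upgraded from lucid, the new-style check is the one expected to fail: the 0.9.8-era links are still there, but nothing linked against OpenSSL 1.0.x finds its issuer until `rehash_dir` (or the real `c_rehash /etc/ssl/certs`) adds the SHA-1-based names. The fix function is idempotent, so running it on an already-correct directory changes nothing.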