Upgrade to ca-certificates to 20180409 causes ca-certificates.crt to be removed if duplicate certs found

Bug #1764848 reported by Drew Freiberger on 2018-04-17
This bug affects 59 people
Affects | Status | Importance | Assigned to | Milestone
Ubuntu Single Sign On Client | | Undecided | Unassigned |
ca-certificates (Debian) | Fix Released | Unknown | |
ca-certificates (Ubuntu) | | Undecided | Unassigned |
  Bionic | | Undecided | Unassigned |
openssl (Ubuntu) | | High | Brian Murray |
  Bionic | | High | Brian Murray |

Bug Description

The certificate /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt in package ca-certificates is conflicting with /etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem from package python-ubuntu-sso-client.

This results in the postinst trigger for ca-certificates to remove the /etc/ssl/certs/ca-certificates.crt file. This happens because the postinst trigger runs update-ca-certificates --fresh.

If I run update-ca-certificates without the --fresh flag, the conflict is a non-issue and the ca-certificates.crt file is restored.

If I understand some of the postinst code correctly, --fresh should only be run if called directly or if upgrading from a ca-certificates version older than 2011.

Running bionic with the daily -updates channel and ran into this this morning due to the release of ca-certificates version 20180409.

Drew Freiberger (afreiberger) wrote :

Perhaps a proper fix is for ubuntu-sso-client to release a new python-ubuntu-sso-client package in bionic that doesn't include this UbuntuOne-Go_Daddy_Class_2_CA.pem now that the ca-certificates package has the CA.

However, I'd still like to see duplicate certs not causing ca-certificates.crt to be deleted.

Brian Murray (brian-murray) wrote :

I was able to recreate this when upgrading an Ubuntu 16.04 chroot to Ubuntu 18.04 by editing /etc/apt/sources.list from xenial to bionic and running 'apt-get dist-upgrade'.

Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
rehash: skipping duplicate certificate in Go_Daddy_Class_2_CA.pem
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned error exit status 1

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
tags: added: bionic rls-bb-incoming
Iain Lane (laney) wrote :

I added some commentary to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895473

I haven't tested this, but probably reverting https://salsa.debian.org/debian/ca-certificates/commit/1bc87e0b41a04551a93d4e784e158b044c18792a would get us back to a working state.

Seth Arnold (seth-arnold) wrote :

Here's the thread on debian-devel that describes the motivation for the change:

https://lists.debian.org/debian-devel/2018/04/msg00058.html

Thanks

tags: added: id-5ada3680136e07b5b524b90d
Changed in ca-certificates (Debian):
status: Unknown → New
Brian Murray (brian-murray) wrote :

For people experiencing this bug if the duplicate certificate is Go_Daddy_Class_2_CA.pem provided by python-ubuntu-sso-client you can resolve this by purging the package e.g.

"sudo apt-get purge python-ubuntu-sso-client"

Brian Murray (brian-murray) wrote :

Reverting the commit Laney identified did resolve the issue for me.

(xenial-amd64)root@impulse:/home/bdmurray/tmp# dpkg -i ca-certificates_20180409ubuntu1_all.deb
(Reading database ... 34380 files and directories currently installed.)
Preparing to unpack ca-certificates_20180409ubuntu1_all.deb ...
Unpacking ca-certificates (20180409ubuntu1) over (20170717~16.04.1) ...
Setting up ca-certificates (20180409ubuntu1) ...
Updating certificates in /etc/ssl/certs...
WARNING: Skipping duplicate certificate Go_Daddy_Class_2_CA.pem
WARNING: Skipping duplicate certificate Go_Daddy_Class_2_CA.pem
8 added, 23 removed; done.
Processing triggers for ca-certificates (20180409ubuntu1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Brian Murray (brian-murray) wrote :

Digging into this further, openssl's code apps/rehash.c returns 1 when a duplicate certificate is found.

https://github.com/openssl/openssl/blob/master/apps/rehash.c#L126

While c_rehash.c just returns.

https://github.com/openssl/openssl/blob/master/tools/c_rehash.in#L172

Changed in openssl (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Brian Murray (brian-murray)
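To make the difference between the two behaviours concrete, here is an added example (not code from this bug, from openssl or from ca-certificates) that models the rehash pass in Python: it fingerprints every CERTIFICATE block in each PEM file, warns on a duplicate the way both tools do, and returns exit status 1 when modelling apps/rehash.c before the patch, or 0 when modelling the c_rehash script and the patched rehash. The file names echo the bug; the certificate bodies are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re

# Constructed sample PEM files standing in for /etc/ssl/certs. The bodies are
# placeholder bytes rather than real X.509 DER; a fingerprint is just a hash
# over the decoded body, so that is enough to show the duplicate check.
def _pem(body: bytes) -> str:
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_CERTS = {
    "Go_Daddy_Class_2_CA.pem": _pem(b"constructed go daddy class 2 root"),
    # The same DER shipped under a second name by python-ubuntu-sso-client.
    "UbuntuOne-Go_Daddy_Class_2_CA.pem": _pem(b"constructed go daddy class 2 root"),
    "Other_Root_CA.pem": _pem(b"constructed unrelated root"),
}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text: str) -> list[str]:
    """SHA-256 fingerprint (hex) of every CERTIFICATE block in one PEM file."""
    result = []
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        result.append(hashlib.sha256(der).hexdigest())
    return result

def rehash(certs: dict[str, str], fail_on_duplicate: bool):
    """Model of the rehash pass over a certificate directory.

    Returns (unique_count, duplicates, exit_status). fail_on_duplicate=True
    models openssl's apps/rehash.c before the Ubuntu patch (exit status 1 on
    a duplicate); False models the c_rehash script and the patched rehash,
    which warn about the duplicate and carry on.
    """
    seen: dict[str, str] = {}
    duplicates: list[tuple[str, str]] = []
    for name in sorted(certs):
        for fp in fingerprints(certs[name]):
            if fp in seen:
                print(f"WARNING: Skipping duplicate certificate {name} (same as {seen[fp]})")
                duplicates.append((name, seen[fp]))
            else:
                seen[fp] = name
    status = 1 if duplicates and fail_on_duplicate else 0
    return len(seen), duplicates, status

if __name__ == "__main__":
    for strict in (True, False):
        unique, dupes, status = rehash(SAMPLE_CERTS, fail_on_duplicate=strict)
        print(f"strict={strict}: {unique} unique, {len(dupes)} duplicate(s), exit {status}")
```

Run against a real directory by reading each .pem file into the dict: a non-zero status in strict mode is exactly what made the postinst trigger abort after update-ca-certificates --fresh had already cleared the bundle.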
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.1.0g-2ubuntu4

---------------
openssl (1.1.0g-2ubuntu4) bionic; urgency=medium

  * debian/patches/rehash-pass-on-dupes.patch: Don't return 1 when a duplicate
    certificate is found. (LP: #1764848)

 -- Brian Murray <email address hidden> Wed, 25 Apr 2018 10:03:48 -0700

Changed in openssl (Ubuntu Bionic):
status: In Progress → Fix Released
Changed in ca-certificates (Ubuntu Bionic):
status: Confirmed → Invalid
derisolde (derisolde-h) wrote :

"Digging into this further, openssl's code apps/rehash.c returns 1 when a duplicate certificate is found.

https://github.com/openssl/openssl/blob/master/apps/rehash.c#L126

While c_rehash.c just returns.

https://github.com/openssl/openssl/blob/master/tools/c_rehash.in#L172"

Sorry, my Ubuntu knowledge is obviously not as good as yours. Can you help me implement your proposal? How can I change the code of openssl?

Paul (paul-fuller) wrote :

I know as an end-user it would be nice to be prompted about what to do with a duplicate certificate. That way, when you install more than one package, you will not have to run "apt install -f" to get things working.

Brian Murray (brian-murray) wrote :

The code of openssl does not need changing; a new version of the package has been uploaded to the archive for Ubuntu 18.04.

Changed in ca-certificates (Debian):
status: New → Fix Committed
Changed in ca-certificates (Debian):
status: Fix Committed → Fix Released