package ca-certificates 20180409 failed to install/upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 1

Bug #1767453 reported by kevinred
126
This bug affects 26 people
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Happened during upgrade to ubunut 18.04

ProblemType: Package
DistroRelease: Ubuntu 18.04
Package: ca-certificates 20180409
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Fri Apr 27 17:51:26 2018
ErrorMessage: installed ca-certificates package post-installation script subprocess returned error exit status 1
PackageArchitecture: all
Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3
PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
RelatedPackageVersions:
 dpkg 1.19.0.5ubuntu2
 apt 1.6.1
SourcePackage: ca-certificates
Title: package ca-certificates 20180409 failed to install/upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 1
UpgradeStatus: Upgraded to bionic on 2018-04-27 (0 days ago)

Revision history for this message
kevinred (kevinred112) wrote :
tags: removed: need-duplicate-check
Revision history for this message
Brian Murray (brian-murray) wrote :

The fixed version of libssl is installed, and the error message is not about a duplicate certificate so this is not a duplicate of bug 1764848.

Updating certificates in /etc/ssl/certs...
rehash: skipping cacert.cer,it does not contain exactly one certificate or CRL
rehash: skipping req.pem,it does not contain exactly one certificate or CRL

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Revision history for this message
miguelquiros (mquiros) wrote :

The bug appeared while upgrading from Ubuntu 16 to Ubuntu 18. It is a very serious bug, since many other packages depend on ca-certificates and were left unconfigured. Lots of error messages in the screen.
When the upgrade finished, the system was left in a very bad situation with so many non-configured packages. No workable reboot-shutdown button, not functioning menus ... If moving to a virtual terminal (Alt-F1) the virtual console did not work either, so the configuration error of ca-certificates is a really serious bug.
I did not dare to perform a hard poweroff and poweron because I was not confident that the system was going to be able to boot at all.
Fortunately enough, right clicking in the screen worked and I was able to open a terminal. From that terminal, I keyed firefox (not accesible through non-working menus) and downloaded from ubuntu archive the version 20170717 of ca-certificates and install it replacing the buggy 20180409 using dpkg -i.
After this, I performed
dpkg --configure -a
and all not-fully installed packages got correctly configured.
I had to poweroff via the button (no other choice) and when powering on again, Ubuntu 18 appeared with no other issue so far.

Revision history for this message
miguelquiros (mquiros) wrote :

I also tried to install version 20180409 after Ubuntu 18 was already working and the error is still there. It is not a problem of the upgrade procedure but a problem of the package itself.

Revision history for this message
Maurice (maurice-debijl) wrote :

Same here. I downloaded ca-certificates_20170717~16.04.1_all.deb from https://packages.ubuntu.com/xenial/all/ca-certificates/download

Then did a:
dpkg -i ca-certificates_20170717~16.04.1_all.deb
dpkg --configure -a

After that I did a:
sudo apt-get upgrade

Which upgraded to 20180409 without problems

Revision history for this message
miguelquiros (mquiros) wrote :

No success in my case (difference with Maurice report). Tried again today to upgrade (via dpkg -i) to 20180409 and got an error message saying that post-installation script produces an output status of "1" (this means error when executing the postinst script, doesn't it?). Package left unconfigured and 20170717~16.04.1 needs to be reinstalled to get a system without broken packages.
Is there some way to get more verbose information about what is going wrong with the post installation script?

Revision history for this message
miguelquiros (mquiros) wrote :

I think I have found the culprit. It is a package called "autofirma", distributed by the Spanish Administration to perform digital signatures with the official certificates provided by the government.
Apparently, there is some kind of incompatibility between the files generated by this package and the postinstallation script of this version of ca-certificates.
I have just removed (purge) the autofirma package, then update ca-certificates to 20180409 without any problem and, after that, reinstalled autofirma (probably I may need to uninstall it again when another ca-certificates version comes out).
As autofirma is not an ubuntu-provided package, this should not be considered a bug after all. In any case, the information may be useful for any other Spanish user finding the same problem.

Revision history for this message
Jarl (jarl-dk) wrote :

@mquiros: Where can I download the autofirma package? I just ran into another source of certificates that have the same issue and I want to investigate.

Revision history for this message
Jarl (jarl-dk) wrote :

Even though comment #2 claims that this bug is not related to bug 1764848 it may actually be related to bug 1764848. It depends on the content of the autofirma package that apparently triggers this situation, it may be that the package contains duplicate certificates.

Revision history for this message
miguelquiros (mquiros) wrote :

The autofirma package can be downloaded from:

https://firmaelectronica.gob.es/Home/Descargas.html

You click in "Autofirma para Linux" and download a zip file that contains the deb package and some documentation in Spanish (if you think there might be something useful in the documentation or in the comments in the scripts or wherever, just ask me for translation).

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.