Control: tags -1 + moreinfo

On 07/07/2018 10:21 AM, guidot wrote:
> I just updated from 20141019+deb8u3 to 20141019+deb8u4 using
> 
>   aptitude safe-upgrade
> 
> and got these errors:
> 
>   Updating certificates in /etc/ssl/certs... unable to load certificate
>   140549699909264:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1219:
>   140549699909264:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=X509
>   WARNING: dhparam.pem does not contain a certificate or CRL: skipping
>   20 added, 42 removed; done.
> 
> I don't understand what went wrong here. I'm pretty sure I didn't touch 
> anything in /etc/ssl/certs, my local certs are stored elsewhere.

This appears to be a warning from c_rehash on a non-certificate pem file
`dhparam.pem` found in /etc/ssl/certs, then success on the 20 new and 42
removed CA certificates in this update.

For clarity, did the installation of update packages complete
successfully, or did it exit non-zero with an error from aptitude/dpkg?

I'm pretty sure an `ls -l /etc/ssl/certs/dhparam.pem` would indeed
return the file, which is not a part of the ca-certificates package.

Searching around for dhparam.pem, it appears this is a Diffie-Hellman
option file for using a larger key than the openssl default. I found
quite a few web pages that say to put it there. The warning should be
innocuous, but I'd suggest moving it to a better location. For instance,
I found a number of nginx how-to pages that use the /etc/ssl/certs
location, but I would think it should be appropriate to put the file at
`/etc/nginx/ssl/dhparam.pem` and configure nginx to find it there.

Setting bug to moreinfo.

-- 
Kind regards,
Michael
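
One way to find files like the `dhparam.pem` discussed above before the next update runs, as an added example that is not part of the original message or of the ca-certificates package: a shell function that lists files in a certificate directory whose first PEM header is not a certificate or CRL. The function names, the accepted labels and the file extensions are assumptions modelled on the warning quoted above, and the demo files are constructed.

```shell
#!/bin/sh
# find_stray_pem DIR  (hypothetical helper, not part of ca-certificates)
# Print "name<TAB>label" for each *.pem/*.crt/*.cer/*.crl file in DIR whose
# first PEM header is neither a certificate nor a CRL.
find_stray_pem() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer "$dir"/*.crl; do
        [ -f "$f" ] || continue      # unmatched glob or not a regular file
        # Extract the label of the first "-----BEGIN <label>-----" line.
        label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f" | head -n 1)
        case $label in
            # Labels assumed to be acceptable in a CA directory.
            CERTIFICATE|"X509 CERTIFICATE"|"TRUSTED CERTIFICATE"|"X509 CRL") ;;
            "") printf '%s\t%s\n' "${f##*/}" "(no PEM header)" ;;
            *)  printf '%s\t%s\n' "${f##*/}" "$label" ;;
        esac
    done
}

# Demo on constructed files: the bodies are placeholder text, not real keys.
demo_stray_pem() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$tmp/ca.pem"
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'Q09OU1RSVUNURUQ=' \
        '-----END DH PARAMETERS-----' > "$tmp/dhparam.pem"
    printf 'not PEM at all\n' > "$tmp/notes.crt"
    find_stray_pem "$tmp"
    rm -rf "$tmp"
}

demo_stray_pem
```

On a real system the call would be `find_stray_pem /etc/ssl/certs`; anything it prints is a candidate for moving to a service-specific directory.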
