On Sat, Jul 07, 2018 at 01:23:39PM -0500, Michael Shuler wrote:
> Control: tags -1 + moreinfo
> 
> On 07/07/2018 10:21 AM, guidot wrote:
> > I just updated from 20141019+deb8u3 to 20141019+deb8u4 using
> > 
> >   aptitude safe-upgrade
> > 
> > and got these errors:
> > 
> >   Updating certificates in /etc/ssl/certs... unable to load certificate
> >   140549699909264:error:0D0680A8:asn1 encoding 
> > routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1219:
> >   140549699909264:error:0D07803A:asn1 encoding 
> > routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=X509
> >   WARNING: dhparam.pem does not contain a certificate or CRL: skipping
> >   20 added, 42 removed; done.
> > 
> > I don't understand what went wrong here. I'm pretty sure I didn't touch 
> > anything in /etc/ssl/certs, my local certs are stored elsewhere.
> 
> This appears to be a warning from c_rehash on a non-certificate pem file
> `dhparam.pem` found in /etc/ssl/certs, then success on the 20 new and 42
> removed CA certificates in this update.
> 
> For clarity, did the installation of update packages complete
> successfully, or did it exit non-zero with an error from aptitude/dpkg?
> 
> I'm pretty sure an `ls -l /etc/ssl/certs/dhparam.pem` would indeed
> return the file, which is not a part of the ca-certificates package.
> 
> Searching around for dhparam.pem, it appears this is a Diffie-Hellman
> option file for using a larger key than the openssl default.

OpenSSL really doesn't have default parameters. The default size
that dhparam used in the past might now be too small, but it would
still be parameters someone created.

> I found
> quite a few web pages that say to put it there. The warning should be
> innocuous, but I'd suggest moving it to a better location. For instance,
> I found a number of nginx how-to pages that use the /etc/ssl/certs
> location, but I would think it should be appropriate to put the file at
> `/etc/nginx/ssl/dhparam.pem` and configure nginx to find it there.

/etc/ssl/certs/ really isn't the place to put such files, it
really should only contain certificates.

But it only generated a warning on it as far as I can see, so this
does not seem related to the errors some people are seeing.


Kurt

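The "wrong tag" / "nested asn1 error ... Type=X509" lines quoted above come from the X.509 decoder being handed a DER structure with the wrong shape: a certificate (and a CRL) is a SEQUENCE whose first element is another SEQUENCE, while DH parameters are a SEQUENCE of INTEGERs. The script below is an added example, not code from the bug report, c_rehash or ca-certificates, that finds stray PEM files in a certificate directory by checking exactly that outer ASN.1 shape with the Python standard library only. The sample "certificate" and "DH parameters" blobs are constructed minimal DER for an offline run, not real key material; use the script on /etc/ssl/certs to locate the file c_rehash complains about, and confirm with `openssl x509 -noout -in FILE` before moving anything.

```python
"""List PEM files in a CA-certificate directory that are not certificates or CRLs.

update-ca-certificates / c_rehash try to parse every file under /etc/ssl/certs
as an X.509 certificate or CRL. A dhparam.pem there decodes to a
SEQUENCE{INTEGER, INTEGER}, so the X509 decoder hits an INTEGER where it
expects the TBSCertificate SEQUENCE and reports "wrong tag". This script
mirrors that structural check coarsely; it is a locator, not a validator.
"""
import base64
import os
import re
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(der, pos=0):
    """Return (tag, value_start, value_end) for the DER TLV at `pos`."""
    if pos + 2 > len(der):
        raise ValueError("truncated DER")
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        if n == 0 or pos + n > len(der):
            raise ValueError("bad DER length")
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    if pos + length > len(der):
        raise ValueError("DER length exceeds data")
    return tag, pos, pos + length


def classify_der(der):
    """Coarse shape check: what does the outer SEQUENCE start with?"""
    try:
        tag, start, _ = read_tlv(der)
        if tag != 0x30:
            return "not a SEQUENCE (wrong tag)"
        inner_tag, _, _ = read_tlv(der, start)
    except ValueError as exc:
        return "malformed DER: %s" % exc
    if inner_tag == 0x30:
        return "SEQUENCE{SEQUENCE...}: shaped like a Certificate or CRL"
    if inner_tag == 0x02:
        return "SEQUENCE{INTEGER...}: shaped like DH parameters or a private key, not X.509"
    return "SEQUENCE{tag 0x%02x...}: not X.509" % inner_tag


def classify_pem(text):
    """Return [(label, verdict)] for every PEM block in `text`."""
    out = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            out.append((label, "skip: bad base64"))
            continue
        verdict = classify_der(der)
        if label in ("CERTIFICATE", "X509 CRL") and verdict.startswith("SEQUENCE{SEQUENCE"):
            out.append((label, "ok"))
        else:
            out.append((label, "skip: " + verdict))
    return out


def scan_dir(path):
    """Map each regular file (symlinks followed, as c_rehash does) to its verdicts."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "r", errors="replace") as fh:
            verdicts = classify_pem(fh.read())
        results[name] = verdicts or [("", "skip: no PEM block")]
    return results


def make_pem(label, der):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, base64.b64encode(der).decode(), label)


# Constructed minimal DER, not real credentials:
#   SEQUENCE{SEQUENCE{NULL}}      -> the outer shape of a certificate
#   SEQUENCE{INTEGER 23, INTEGER 2} -> the shape of DH parameters
CERT_PEM = make_pem("CERTIFICATE", bytes.fromhex("300430020500"))
DH_PEM = make_pem("DH PARAMETERS", bytes.fromhex("3006020117020102"))


def demo():
    """Populate a temporary 'certs' directory and scan it (hypothetical layout)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cert.pem"), "w") as fh:
            fh.write(CERT_PEM)
        with open(os.path.join(d, "dhparam.pem"), "w") as fh:
            fh.write(DH_PEM)
        return scan_dir(d)


if __name__ == "__main__":
    for name, verdicts in demo().items():
        for label, verdict in verdicts:
            print("%-12s %-14s %s" % (name, label, verdict))
```

Run it against the real directory with `scan_dir("/etc/ssl/certs")`; anything reported as "skip" is a file that does not belong under /etc/ssl/certs and, as suggested above, should live next to the service that uses it (for instance /etc/nginx/ssl/dhparam.pem).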