On 07.07.2018 at 20:23, Michael Shuler wrote:
Control: tags -1 + moreinfo
On 07/07/2018 10:21 AM, guidot wrote:
I just updated from 20141019+deb8u3 to 20141019+deb8u4 using
aptitude safe-upgrade
and got these errors:
Updating certificates in /etc/ssl/certs... unable to load certificate
140549699909264:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1219:
140549699909264:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=X509
WARNING: dhparam.pem does not contain a certificate or CRL: skipping
20 added, 42 removed; done.
I don't understand what went wrong here. I'm pretty sure I didn't touch
anything in /etc/ssl/certs, my local certs are stored elsewhere.
This appears to be a warning from c_rehash on a non-certificate pem file
`dhparam.pem` found in /etc/ssl/certs, then success on the 20 new and 42
removed CA certificates in this update.
For clarity, did the installation of update packages complete
successfully, or did it exit non-zero with an error from aptitude/dpkg?
Damn, I didn't think of checking that.
I'm pretty sure an `ls -l /etc/ssl/certs/dhparam.pem` would indeed
return the file, which is not a part of the ca-certificates package.
Correct.
Searching around for dhparam.pem, it appears this is a Diffie-Hellman
option file for using a larger key than the openssl default. I found
quite a few web pages that say to put it there. The warning should be
innocuous, but I'd suggest moving it to a better location. For instance,
I found a number of nginx how-to pages that use the /etc/ssl/certs
location
Michael, you're right, I remember now I once followed some how-to while setting
up nginx for tls.
Thanks for the clarification.
Regards
Guido
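
An added example, not part of the original messages: a small shell check that lists `*.pem` files in a certificate directory whose first PEM block is not a certificate or CRL, which is the kind of file (`dhparam.pem`) the warning above was about. The function names are hypothetical, and classifying by PEM label alone is an assumption of this sketch, not a description of what c_rehash does internally.

```shell
#!/bin/sh
# List *.pem files in a certificate directory that do not start with a
# certificate or CRL block (for example DH parameters or private keys).
# Assumption: the file type is judged only by its first PEM "BEGIN" label.

pem_label() {
    # Print the label of the first "-----BEGIN <label>-----" line, if any.
    # [[:space:]]* tolerates trailing CR from files saved with CRLF endings.
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

find_stray_pems() {
    dir=${1:-/etc/ssl/certs}
    for f in "$dir"/*.pem; do
        # Skips an unexpanded glob and dangling symlinks; follows valid symlinks.
        [ -f "$f" ] || continue
        case "$(pem_label "$f")" in
            CERTIFICATE|"X509 CERTIFICATE"|"TRUSTED CERTIFICATE"|"X509 CRL")
                ;;                              # expected content, keep quiet
            *)
                printf '%s\n' "${f##*/}"        # anything else is reported
                ;;
        esac
    done
}

demo() {
    # Constructed sample directory; the bodies are placeholders, not real
    # certificates, CRLs or DH parameters.
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$d/example-ca.pem"
    printf '%s\n' '-----BEGIN X509 CRL-----' 'AAAA' \
        '-----END X509 CRL-----' > "$d/example-crl.pem"
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'AAAA' \
        '-----END DH PARAMETERS-----' > "$d/dhparam.pem"
    find_stray_pems "$d"
    rm -rf "$d"
}

demo
```

Calling `find_stray_pems` with no argument scans /etc/ssl/certs; any file it names is a candidate for moving out of that directory and updating the service configuration that references it.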