On 1/24/19 7:54 AM, Dimitris Aragiorgis wrote:
> 
> It seems that update-ca-certificates temporarily removes the
> /etc/ssl/certs/ca-certificates.crt bundle.

I remember this bug. c_rehash behavior was "fixed" at some point and
resulted in multiple symlinks to ca-certificates.crt, so moving it out
of the way first was the workaround.

https://bugs.debian.org/643667 and the linked LP bug within have the
details.

> As a result, whoever uses this file explicitly, e.g. python-requests via
> DEFAULT_CA_BUNDLE_PATH, might fail during a system-wide
> update-ca-certificates.
> 
> Removing this file is practically unnecessary since a few lines below,
> the script replaces it atomically using mv.
> 
> Note that currently, if we skip the removal of the bundle we get the
> following openssl rehash warning:
> 
>   rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
> 
> Still `openssl rehash` exits normally. The above warning will show up
> only in debug mode (with --verbose).

Nice.

> Attached is a patch that fixes the above "racy" behavior.

Thanks for the bug report and patch, this is a good cleanup from
dropping c_rehash that I hadn't considered looking for.

-- 
Kind regards,
Michael
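
The race discussed in this thread, as an added illustration that is not the attached patch or the update-ca-certificates script itself: a remove-then-replace update next to a rename-only update, plus a poller that counts how often a reader finds the bundle missing. Function names, file names and the certificate contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added illustration. Function names and paths are assumptions; this is not
# the update-ca-certificates script or the attached patch.

# Racy: between rm and mv the bundle path does not exist, so a client that
# opens it in that window fails.
update_bundle_racy() {
    bundle=$1; shift
    rm -f "$bundle"
    cat "$@" > "$bundle.new"
    chmod 0644 "$bundle.new"
    mv -f "$bundle.new" "$bundle"
}

# Atomic: build the new bundle beside the target (same filesystem), then
# rename over it. Readers see the old or the new file, never a gap.
update_bundle_atomic() {
    bundle=$1; shift
    tmp=$(mktemp "$bundle.XXXXXX") || return 1
    cat "$@" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$bundle" ||
        { rm -f "$tmp"; return 1; }
}

# Run updater "$1" 100 times in the background while polling the bundle;
# print how many polls found it missing or empty.
count_missing_reads() {
    updater=$1
    dir=$(mktemp -d) || return 1
    printf 'constructed certificate A\n' > "$dir/a.pem"   # constructed input
    printf 'constructed certificate B\n' > "$dir/b.pem"   # constructed input
    "$updater" "$dir/bundle.crt" "$dir/a.pem" "$dir/b.pem" || return 1
    ( i=0
      while [ "$i" -lt 100 ]; do
          "$updater" "$dir/bundle.crt" "$dir/a.pem" "$dir/b.pem" || break
          i=$((i + 1))
      done
      : > "$dir/done" ) &
    missing=0
    until [ -e "$dir/done" ]; do
        [ -s "$dir/bundle.crt" ] || missing=$((missing + 1))
    done
    wait
    rm -rf "$dir"
    echo "$missing"
}
```

Running `count_missing_reads update_bundle_racy` usually prints a non-zero count that varies by machine, while `count_missing_reads update_bundle_atomic` prints 0.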
