dpkg --debug=65535 shows this:
---------
Setting up ca-certificates (20190110) ...
D020000: trigproc_activate_packageprocessing pkg=ca-certificates:all
D000002: fork/exec /var/lib/dpkg/info/ca-certificates.postinst (
configure 20170717 )
Updating certificates in /etc/ssl/certs...
dpkg: error processing package ca-certificates (--install):
installed ca-certificates package post-installation script subprocess
returned error exit status 1
D020000: post_script_tasks - ensure_diversions
---------
Running the postinst myself I see no real errors, but still get a
returncode 1 at the end:
---------
export DEBCONF_DEBUG=developer
/usr/share/debconf/frontend /var/lib/dpkg/info/ca-certificates.postinst
configure 20170717
[...]
debconf (developer): <-- FSET ca-certificates/new_crts seen false
debconf (developer): --> 0 false
debconf (developer): <-- STOP
Updating certificates in /etc/ssl/certs...
shodan:/# echo $?
1
---------
Running update-ca-certificates:
--------
shodan:/# update-ca-certificates -v
Updating certificates in /etc/ssl/certs...
Doing .
link D-TRUST_Root_Class_3_CA_2_EV_2009.pem -> d4dae3dd.0
link Amazon_Root_CA_1.pem -> ce5e74ef.0
link GLC.pem -> 9871e719.0
link Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem ->
3bde41ac.0
link Certum_Trusted_Network_CA_2.pem -> 40193066.0
link Global_Chambersign_Root_-_2008.pem -> 0c4c9b6c.0
link Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem ->
7719f463.0
link COMODO_Certification_Authority.pem -> 40547a79.0
link VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem ->
7d0b38bd.0
link EE_Certification_Centre_Root_CA.pem -> 128805a3.0
link LuxTrust_Global_Root_2.pem -> def36a68.0
link AC_RAIZ_FNMT-RCM.pem -> cd8c0d63.0
link DigiCert_Assured_ID_Root_CA.pem -> b1159c4c.0
link dovecot.pem -> f2d65788.0
link Buypass_Class_2_Root_CA.pem -> 54657681.0
link Amazon_Root_CA_4.pem -> de6d66f3.0
link Buypass_Class_3_Root_CA.pem -> e8de2f56.0
link thawte_Primary_Root_CA_-_G3.pem -> ba89ed3b.0
link VeriSign_Universal_Root_Certification_Authority.pem -> c01cdfa2.0
link Staat_der_Nederlanden_Root_CA_-_G3.pem -> 5a4d6896.0
link GlobalSign_ECC_Root_CA_-_R4.pem -> b0e59380.0
link Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem ->
1636090b.0
link T-TeleSec_GlobalRoot_Class_2.pem -> 1e09d511.0
link TrustCor_RootCert_CA-2.pem -> 3e44d2f7.0
link Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem ->
32888f65.0
link GlobalSign_Root_CA_-_R3.pem -> 062cdee6.0
link GeoTrust_Primary_Certification_Authority_-_G3.pem -> e2799e36.0
link ePKI_Root_Certification_Authority.pem -> ca6e4ad9.0
link QuoVadis_Root_CA_3_G3.pem -> e18bfb83.0
link ISRG_Root_X1.pem -> 4042bcee.0
link Starfield_Services_Root_Certificate_Authority_-_G2.pem ->
09789157.0
link TeliaSonera_Root_CA_v1.pem -> 5cd81ad7.0
link SZAFIR_ROOT_CA2.pem -> fe8a2cd8.0
link Amazon_Root_CA_2.pem -> 6d41d539.0
link ssl-cert-snakeoil.pem -> 2b97fccc.0
link Go_Daddy_Root_Certificate_Authority_-_G2.pem -> cbf06781.0
link COMODO_ECC_Certification_Authority.pem -> eed8c118.0
link Staat_der_Nederlanden_Root_CA_-_G2.pem -> 5c44d531.0
link Sonera_Class_2_Root_CA.pem -> 9c2e7d30.0
link Trustis_FPS_Root_CA.pem -> d853d49e.0
link SecureTrust_CA.pem -> f39fc864.0
link GeoTrust_Universal_CA_2.pem -> 8867006a.0
link Go_Daddy_Class_2_CA.pem -> f081611a.0
link Amazon_Root_CA_3.pem -> 8cb5ee0f.0
link Starfield_Root_Certificate_Authority_-_G2.pem -> 4bfab552.0
link QuoVadis_Root_CA_3.pem -> 76faf6c0.0
link GDCA_TrustAUTH_R5_ROOT.pem -> 0f6fa695.0
link OISTE_WISeKey_Global_Root_GA_CA.pem -> b1b8a7f3.0
link Entrust.net_Premium_2048_Secure_Server_CA.pem -> aee5f10d.0
link DigiCert_Global_Root_G3.pem -> dd8e9d41.0
link Cybertrust_Global_Root.pem -> 76cb8f92.0
link SSL.com_EV_Root_Certification_Authority_RSA_R2.pem -> 06dc52d5.0
link SSL.com_EV_Root_Certification_Authority_ECC.pem -> f0c70a8d.0
link DigiCert_Global_Root_G2.pem -> 607986c7.0
link Certplus_Class_2_Primary_CA.pem -> f060240e.0
link stunnel.pem -> eaf99eea.0
link GlobalSign_ECC_Root_CA_-_R5.pem -> 1d3472b9.0
link GlobalSign_Root_CA_-_R2.pem -> 4a6481c9.0
link Secure_Global_CA.pem -> b66938e9.0
link TrustCor_RootCert_CA-1.pem -> 5d3033c5.0
link OISTE_WISeKey_Global_Root_GB_CA.pem -> e73d606e.0
link DigiCert_High_Assurance_EV_Root_CA.pem -> 244b5494.0
link COMODO_RSA_Certification_Authority.pem -> d6325660.0
link USERTrust_RSA_Certification_Authority.pem -> fc5a8f99.0
link CFCA_EV_ROOT.pem -> 0b1b94ef.0
link OISTE_WISeKey_Global_Root_GC_CA.pem -> 773e07ad.0
link Entrust_Root_Certification_Authority_-_EC1.pem -> 106f3e4d.0
link D-TRUST_Root_Class_3_CA_2_2009.pem -> c28a8a30.0
link SwissSign_Gold_CA_-_G2.pem -> 4f316efb.0
link thawte_Primary_Root_CA.pem -> 2e4eed3c.0
link Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem ->
c0ff1f52.0
link Atos_TrustedRoot_2011.pem -> e36a6752.0
link Deutsche_Telekom_Root_CA_2.pem -> 812e17de.0
link EC-ACC.pem -> 349f2832.0
link TWCA_Root_Certification_Authority.pem -> b7a5b843.0
link Certigna.pem -> e113c810.0
link DigiCert_Assured_ID_Root_G3.pem -> 7f3d5d1d.0
link ACCVRAIZ1.pem -> a94d09e5.0
link TrustCor_ECA-1.pem -> 7aaf71c0.0
link Actalis_Authentication_Root_CA.pem -> 930ac5d2.0
link NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem -> 988a38cb.0
link GeoTrust_Primary_Certification_Authority.pem -> 480720ec.0
link SwissSign_Silver_CA_-_G2.pem -> 57bcb2da.0
link QuoVadis_Root_CA_1_G3.pem -> 749e9e03.0
link GlobalSign_Root_CA_-_R6.pem -> dc4d6a89.0
link Microsec_e-Szigno_Root_CA_2009.pem -> 8160b96c.0
link DigiCert_Trusted_Root_G4.pem -> 75d1b2ed.0
link SSL.com_Root_Certification_Authority_ECC.pem -> 0bf05006.0
link QuoVadis_Root_CA.pem -> 080911ac.0
link Chambers_of_Commerce_Root_-_2008.pem -> c47d9980.0
link AffirmTrust_Commercial.pem -> 2b349938.0
link IdenTrust_Commercial_Root_CA_1.pem -> ef954a4e.0
link GlobalSign_Root_CA.pem -> 5ad8a5d6.0
link QuoVadis_Root_CA_2.pem -> d7e8dc79.0
link SSL.com_Root_Certification_Authority_RSA.pem -> 6fa5da56.0
link AddTrust_External_Root.pem -> 157753a5.0
link Taiwan_GRCA.pem -> 6410666e.0
link Izenpe.com.pem -> cc450945.0
link CA_Disig_Root_R2.pem -> 2ae6433e.0
link vsftpd_shodan.pem -> b8413967.0
link Starfield_Class_2_CA.pem -> f387163d.0
link GeoTrust_Global_CA.pem -> 2c543cd1.0
link Entrust_Root_Certification_Authority.pem -> 6b99d060.0
link Certum_Trusted_Network_CA.pem -> 48bec511.0
link E-Tugra_Certification_Authority.pem -> 5273a94c.0
link DST_Root_CA_X3.pem -> 2e5ac55d.0
link TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem -> ff34af3f.0
link VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem ->
b204d74a.0
link SecureSign_RootCA11.pem -> 18856ac4.0
link Hongkong_Post_Root_CA_1.pem -> 3e45d192.0
link DigiCert_Assured_ID_Root_G2.pem -> 9d04f354.0
link AffirmTrust_Premium_ECC.pem -> 9c8dfbd4.0
link thawte_Primary_Root_CA_-_G2.pem -> c089bbbd.0
link DigiCert_Global_Root_CA.pem -> 3513523f.0
link AffirmTrust_Premium.pem -> b727005e.0
link Security_Communication_RootCA2.pem -> cd58d51e.0
link Baltimore_CyberTrust_Root.pem -> 653b494a.0
link Staat_der_Nederlanden_EV_Root_CA.pem -> 03179a64.0
link Network_Solutions_Certificate_Authority.pem -> 4304c5e5.0
link Security_Communication_Root_CA.pem -> f3377b1b.0
link QuoVadis_Root_CA_2_G3.pem -> 064e0aa9.0
link Certinomis_-_Root_CA.pem -> 9f0f5fd6.0
link T-TeleSec_GlobalRoot_Class_3.pem -> 5443e9e3.0
link AffirmTrust_Networking.pem -> 93bc0acc.0
link XRamp_Global_CA_Root.pem -> 706f604c.0
link GeoTrust_Primary_Certification_Authority_-_G2.pem -> 116bf586.0
link GeoTrust_Universal_CA.pem -> ad088e1d.0
link USERTrust_ECC_Certification_Authority.pem -> f30dd6ad.0
link Entrust_Root_Certification_Authority_-_G2.pem -> 02265526.0
link Comodo_AAA_Services_root.pem -> ee64a828.0
link TWCA_Global_Root_CA.pem -> 5f15c80c.0
link IdenTrust_Public_Sector_Root_CA_1.pem -> 1e08bfd1.0
link certSIGN_ROOT_CA.pem -> 8d86cdd1.0
shodan:/# echo $?
1
--------
But running it with sh -x to debug it, it completes!
Tracing it further, it's "openssl rehash ." that is returning the error
code 1, so the fault is not with ca-certificates. (Though it could be
more verbose in where update-ca-certificates fails.)
You can close this bug. I'll dig further on the openssl side.
- Michel
