On 2019-02-11 20:43, Michael Shuler wrote:
> Thanks for the debugging info. I tried to reproduce a non-zero exit from
> both the old c_rehash and new openssl rehash calls, in order to see if
> we've found another behavior difference, but each call ended up with a
> clean 0 exit for me with a key file in the same place.

I put that keyfile back in and immediately get the code 1 exit again:

    shodan:/etc/ssl/certs# openssl rehash .
    rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
    shodan:/etc/ssl/certs# echo $?
    1

There's no warning about that particular pem file.
The file is very old (dates from 2003-05-05 and is 1679 bytes in size
for a 2048 key), so it must've been lying around there for a while. That
would mean that some more or less recent change in OpenSSL (between this
version of ca-certificates and the previous one) is causing the new exit
code. (The file also isn't referenced in any of my configs, so I don't
even know which cert, if any, it goes with. There's a subdirectory in
/etc/ssl/certs called stunnel-trusted and it contains a cert from the
same day called stunnel-client.pem, but the modulus doesn't match with
the key. I can only guess that this is a remnant of me playing around
with stunnel back when I was oblivious about how any of OpenSSL or even
Linux worked.)
- Michel
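
Added example, not part of the original message or of ca-certificates/OpenSSL: a shell check for locating files such as the stray key described in this report, by listing regular files in a certificate directory that hold a private key or do not hold exactly one certificate or CRL. The function names and the sample directory are constructed, and the check is a heuristic that counts PEM BEGIN lines rather than parsing files the way OpenSSL does.

```shell
#!/bin/sh
# Heuristic audit of a certificate directory (assumption: PEM-encoded files).
# Prints one line per regular file that holds a private key, or that does not
# hold exactly one certificate or CRL. Symlinks and subdirectories are skipped.
audit_cert_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ -L "$f" ] && continue
        name=${f##*/}
        # grep -c exits 1 on a zero count; "|| true" keeps `set -e` callers alive.
        certs=$(grep -cE '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' "$f" || true)
        crls=$(grep -c -e '^-----BEGIN X509 CRL-----' "$f" || true)
        keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
        if [ "$keys" -gt 0 ]; then
            echo "PRIVATE-KEY $name"
        elif [ $((certs + crls)) -ne 1 ]; then
            echo "NOT-SINGLE $name certs=$certs crls=$crls"
        fi
    done
    return 0
}

# Constructed sample directory: header lines only, no real key material.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/one-ca.pem"
    cat "$d/one-ca.pem" "$d/one-ca.pem" > "$d/bundle.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/stray-key.pem"
    ln -s one-ca.pem "$d/0a1b2c3d.0"   # stands in for a rehash symlink
    mkdir "$d/subdir"
    echo "$d"
}

# Usage: sh audit.sh /etc/ssl/certs
if [ $# -gt 0 ]; then
    audit_cert_dir "$1"
fi
```

A PRIVATE-KEY line names a file that does not belong in a certificate directory; a NOT-SINGLE line for a bundle such as ca-certificates.crt is expected.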