Package: freeipa-client
Version: 4.7.2-2
Severity: wishlist

My FreeIPA's CA certificate is signed by an external root CA certificate. Consequently, ipa-client-install puts both the external root CA certificate and the intermediate CA certificate into /usr/local/share/ca-certificates/ipa-ca.crt.
This has caused problems with the clients of ca-certificates in the past. For instance, p11-kit expects the files in that directory to not contain any comments or other text. When it encountered the file that ipa-client-install put there, it 'failed shut' and as a result the trust list ended up being empty!

This was fixed on the p11-kit end, but on reflection I feel that even though the exact specification of what is valid in /usr/local/share/ca-certificates is not written down anywhere, freeipa-client should not violate the following rules:

1. .crt files in that directory should only contain root CA certificates
2. .crt files in that directory should not contain comments or any non-certificate data
3. .crt files in that directory should contain only one certificate

You might argue that if update-ca-certificates wants to enforce any or all of the above rules, it should at least warn when they are violated and skip the file, rather than silently including it into /etc/ssl/certs/ca-certificates.crt for it to confuse clients. I wouldn't necessarily disagree; feel free to reassign this to ca-certificates if that is the case, for the maintainers of that package to consider if what freeipa-client is doing is right or wrong. :)

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (570, 'testing-debug'), (570, 'testing'), (540, 'unstable-debug'), (540, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages freeipa-client depends on:
ii  bind9utils                   1:9.11.5.P4+dfsg-1
ii  certmonger                   0.79.6-1
ii  curl                         7.64.0-1
ii  dnsutils                     1:9.11.5.P4+dfsg-1
ii  freeipa-common               4.7.2-2
ii  krb5-user                    1.17-2
ii  libbasicobjects0             0.6.1-2
ii  libc6                        2.28-8
ii  libcollection4               0.6.1-2
ii  libcom-err2                  1.44.5-1
ii  libini-config5               0.6.1-2
ii  libk5crypto3                 1.17-2
ii  libkrb5-3                    1.17-2
ii  libldap-2.4-2                2.4.47+dfsg-3
ii  libnspr4                     2:4.20-1
ii  libnss-sss                   1.16.3-3.1
ii  libnss3                      2:3.42.1-1
ii  libnss3-tools                2:3.42.1-1
ii  libpam-sss                   1.16.3-3.1
ii  libpopt0                     1.16-12
ii  libref-array1                0.6.1-2
ii  libsasl2-2                   2.1.27+dfsg-1
ii  libsasl2-modules-gssapi-mit  2.1.27+dfsg-1
ii  libssl1.1                    1.1.1b-1
ii  libsss-sudo                  1.16.3-3.1
ii  libxmlrpc-core-c3            1.33.14-8+b1
ii  oddjob-mkhomedir             0.34.4-1
ii  python                       2.7.15-4
ii  python-dnspython             1.16.0-1
ii  python-gssapi                1.4.1-1+b1
ii  python-ipaclient             4.7.2-2
ii  python-ldap                  3.1.0-2
ii  python-sss                   1.16.3-3.1
ii  sssd                         1.16.3-3.1

Versions of packages freeipa-client recommends:
ii  chrony  3.4-2

Versions of packages freeipa-client suggests:
pn  libpam-krb5  <none>

-- no debconf information