Package: ca-certificates
Version: 20070303
Followup-For: Bug #413766
apache-ssl refused to start after upgrading ca-certificates to 20070303:
canardo:/etc/apache-ssl# /etc/init.d/apache-ssl start
Starting apache-ssl 1.3 web server... failed!
The ssl_error.log showed
[Wed Mar 14 13:52:22 2007] [crit] error reading CA certs
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:0906D06C:PEM routines:PEM_read_bio:no start line
[Wed Mar 14 13:52:22 2007] [crit] error:02001002:system library:fopen:No such file or directory
[Wed Mar 14 13:52:22 2007] [crit] error:20074002:BIO routines:FILE_CTRL:system lib
strace on the apache-ssl process gave me a further pointer:
canardo:/etc/apache-ssl# strace -f /usr/sbin/apache-ssl -F
[..]
open("/etc/ssl/certs/cacert.org.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
close(4) = 0
and sure enough, /etc/ssl/certs/cacert.org.pem pointed to a file that
was removed by the ca-certificates upgrade:
canardo:/etc/apache-ssl# ls -l /etc/ssl/certs/cacert.org.pem
lrwxrwxrwx 1 root root 52 2007-02-12 12:51 /etc/ssl/certs/cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt
Changing the symlink to point to /usr/share/ca-certificates/cacert.org/root.crt
fixed the problem:
canardo:/etc/apache-ssl# ln -sf /usr/share/ca-certificates/cacert.org/root.crt /etc/ssl/certs/cacert.org.pem
canardo:/etc/apache-ssl# ls -l /etc/ssl/certs/cacert.org.pem
lrwxrwxrwx 1 root root 46 2007-03-14 13:53 /etc/ssl/certs/cacert.org.pem -> /usr/share/ca-certificates/cacert.org/root.crt
but I believe breaking existing apache-ssl installations like this is a
critical bug. The admin should at least be warned about the necessary changes.
Bjørn
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages ca-certificates depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii openssl 0.9.8c-4 Secure Socket Layer (SSL) binary a
ca-certificates recommends no packages.
-- debconf information:
* ca-certificates/enable_crts: brasil.gov.br/brasil.gov.br.crt,
cacert.org/class3.crt, cacert.org/root.crt, debconf.org/ca.crt, mork-ca.crt,
mozilla/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt,
mozilla/AddTrust_External_Root.crt,
mozilla/AddTrust_Low-Value_Services_Root.crt,
mozilla/AddTrust_Public_Services_Root.crt,
mozilla/AddTrust_Qualified_Certificates_Root.crt,
mozilla/America_Online_Root_Certification_Authority_1.crt,
mozilla/America_Online_Root_Certification_Authority_2.crt,
mozilla/AOL_Time_Warner_Root_Certification_Authority_1.crt,
mozilla/AOL_Time_Warner_Root_Certification_Authority_2.crt,
mozilla/Baltimore_CyberTrust_Root.crt,
mozilla/beTRUSTed_Root_CA-Baltimore_Implementation.crt,
mozilla/beTRUSTed_Root_CA.crt,
mozilla/beTRUSTed_Root_CA_-_Entrust_Implementation.crt,
mozilla/beTRUSTed_Root_CA_-_RSA_Implementation.crt, mozilla/Certum_Root_CA.crt,
mozilla/Comodo_AAA_Services_root.crt, mozilla/Comodo_Secure_Services_root.crt,
mozilla/Comodo_Trusted_Services_root.crt,
mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt,
mozilla/Digital_Signature_Trust_Co._Global_CA_2.crt,
mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt,
mozilla/Digital_Signature_Trust_Co._Global_CA_4.crt,
mozilla/Entrust.net_Global_Secure_Personal_CA.crt,
mozilla/Entrust.net_Global_Secure_Server_CA.crt,
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt,
mozilla/Entrust.net_Secure_Personal_CA.crt,
mozilla/Entrust.net_Secure_Server_CA.crt, mozilla/Equifax_Secure_CA.crt,
mozilla/Equifax_Secure_eBusiness_CA_1.crt,
mozilla/Equifax_Secure_eBusiness_CA_2.crt,
mozilla/Equifax_Secure_Global_eBusiness_CA.crt, mozilla/GeoTrust_Global_CA.crt,
mozilla/GlobalSign_Root_CA.crt, mozilla/GTE_CyberTrust_Global_Root.crt,
mozilla/GTE_CyberTrust_Root_CA.crt, mozilla/IPS_Chained_CAs_root.crt,
mozilla/IPS_CLASE1_root.crt, mozilla/IPS_CLASE3_root.crt,
mozilla/IPS_CLASEA1_root.crt, mozilla/IPS_CLASEA3_root.crt,
mozilla/IPS_Servidores_root.crt, mozilla/IPS_Timestamping_root.crt,
mozilla/QuoVadis_Root_CA.crt, mozilla/RSA_Root_Certificate_1.crt,
mozilla/RSA_Security_1024_v3.crt, mozilla/RSA_Security_2048_v3.crt,
mozilla/Security_Communication_Root_CA.crt, mozilla/Sonera_Class_1_Root_CA.crt,
mozilla/Sonera_Class_2_Root_CA.crt, mozilla/Staat_der_Nederlanden_Root_CA.crt,
mozilla/TC_TrustCenter__Germany__Class_2_CA.crt,
mozilla/TC_TrustCenter__Germany__Class_3_CA.crt,
mozilla/TDC_Internet_Root_CA.crt, mozilla/TDC_OCES_Root_CA.crt,
mozilla/Thawte_Personal_Basic_CA.crt, mozilla/Thawte_Personal_Freemail_CA.crt,
mozilla/Thawte_Personal_Premium_CA.crt, mozilla/Thawte_Premium_Server_CA.crt,
mozilla/Thawte_Server_CA.crt, mozilla/Thawte_Time_Stamping_CA.crt,
mozilla/UTN_DATACorp_SGC_Root_CA.crt, mozilla/UTN_USERFirst_Email_Root_CA.crt,
mozilla/UTN_USERFirst_Hardware_Root_CA.crt,
mozilla/UTN-USER_First-Network_Applications.crt,
mozilla/UTN_USERFirst_Object_Root_CA.crt, mozilla/ValiCert_Class_1_VA.crt,
mozilla/ValiCert_Class_2_VA.crt,
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt,
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt,
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt,
mozilla/Verisign_Class_1_Public_Primary_OCSP_Responder.crt,
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority.crt,
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt,
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt,
mozilla/Verisign_Class_2_Public_Primary_OCSP_Responder.crt,
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt,
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt,
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt,
mozilla/Verisign_Class_3_Public_Primary_OCSP_Responder.crt,
mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt,
mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt,
mozilla/Verisign_RSA_Secure_Server_CA.crt,
mozilla/Verisign_Secure_Server_OCSP_Responder.crt,
mozilla/Verisign_Time_Stamping_Authority_CA.crt,
mozilla/Visa_eCommerce_Root.crt,
mozilla/Visa_International_Global_Root_2.crt,
quovadis.bm/QuoVadis_Root_Certification_Authority.crt,
signet.pl/signet_ca1_pem.crt, signet.pl/signet_ca2_pem.crt,
signet.pl/signet_ca3_pem.crt, signet.pl/signet_ocspklasa2_pem.crt,
signet.pl/signet_ocspklasa3_pem.crt, signet.pl/signet_pca2_pem.crt,
signet.pl/signet_pca3_pem.crt, signet.pl/signet_rootca_pem.crt,
signet.pl/signet_tsa1_pem.crt, spi-inc.org/SPI_CA_2006-cacert.crt,
spi-inc.org/spi-ca.crt
ca-certificates/new_crts:
* ca-certificates/trust_new_crts: yes
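Added example, not part of the original report: a POSIX shell check for the two failures visible in the log above, a symlink in the certificate directory whose target no longer exists (the fopen error) and a file with no PEM start line. The function names and the temporary sample tree are constructed for illustration; on a real system the argument would be /etc/ssl/certs.

```shell
#!/bin/sh
# Audit a certificate directory for the two failure modes in the report:
#   DANGLING - symlink whose target is gone (fopen: No such file or directory)
#   NOT_PEM  - regular file without a "-----BEGIN" line (PEM_read_bio: no start line)
# Prints one line per problem and returns 1 if any problem was found.
audit_cert_dir() {
    dir=$1
    status=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        # An unmatched glob stays literal: skip anything that is neither
        # a symlink nor an existing file.
        [ -L "$f" ] || [ -e "$f" ] || continue
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            printf 'DANGLING %s -> %s\n' "$f" "$(readlink "$f")"
            status=1
        elif [ -f "$f" ] && ! grep -q -e '^-----BEGIN ' "$f"; then
            printf 'NOT_PEM %s\n' "$f"
            status=1
        fi
    done
    return $status
}

# Constructed sample tree mirroring the report, built under a temp dir
# (hypothetical layout: share/ stands in for /usr/share/ca-certificates,
# certs/ for /etc/ssl/certs). Prints the tree's root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/share/cacert.org" "$root/certs"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
        '-----END CERTIFICATE-----' > "$root/share/cacert.org/root.crt"
    # Link left behind after the upgrade removed cacert.org.crt
    ln -s "$root/share/cacert.org/cacert.org.crt" "$root/certs/cacert.org.pem"
    # Healthy link, must not be reported
    ln -s "$root/share/cacert.org/root.crt" "$root/certs/root.pem"
    # File that would produce "no start line"
    printf 'not a certificate\n' > "$root/certs/junk.crt"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
audit_cert_dir "$sample/certs" || echo "problems found in $sample/certs"
rm -rf "$sample"
```

Running the same function before and after a ca-certificates upgrade shows which links the upgrade left pointing at removed files.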