Bug#895473: ca-certificates: Post-install script subprocess return error exit status 3 while upgrading
I reported the fact that openssl rehash returns 1 while c_rehash returns
0 on duplicate certificates to openssl's upstream bug tracker here:

https://github.com/openssl/openssl/issues/6083

It looks like it will be fixed shortly.

--
Brian Murray @ubuntu.com
Bug#895473: ca-certificates: Post-install script subprocess return error exit status 3 while upgrading
On Tue, Apr 17, 2018 at 03:57:27PM -0700, Brian Murray wrote:
> In Ubuntu I encounter this issue when upgrading ca-certificates from
> 20170717~16.04.1 (Ubuntu 16.04) to 20180409 (Ubuntu 18.04) when the
> package python-ubuntu-sso-client (only available in Ubuntu 16.04) is
> also installed. The python-ubuntu-sso-client package put
> "/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem" on disk. Here's the
> error:

Yes, you can do a similar thing on sid:

(ca-certificates 20170717 installed initially)

root@set-opossum:~# cp /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt /etc/ssl/certs/Go_Daddy_Class_2_CA_dup.pem
root@set-opossum:~# apt install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 161 kB of archives.
After this operation, 35.8 kB disk space will be freed.
Get:1 http://deb.debian.org/debian sid/main amd64 ca-certificates all 20180409 [161 kB]
Fetched 161 kB in 0s (757 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 8975 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20180409_all.deb ...
Unpacking ca-certificates (20180409) over (20170717) ...
Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
rehash: skipping duplicate certificate in Go_Daddy_Class_2_CA_dup.pem
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 ca-certificates
E: Sub-process /usr/bin/dpkg returned an error code (1)

Adding set -x to the postinst and update-ca-certificates shows it's
failing:

+ openssl rehash .
rehash: skipping duplicate certificate in Go_Daddy_Class_2_CA.pem
+ cleanup
+ rm -f /tmp/ca-certificates.crt.tmp.vCjXJG
+ rm -f /tmp/ca-certificates.tmp.AsH4ms
+ rm -f /tmp/ca-certificates.tmp.e9IHEJ
dpkg: error processing package ca-certificates (--install):
 installed ca-certificates package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 ca-certificates

It looks like `c_rehash' just warned in this case and it was non-fatal,
but `openssl rehash' exits with a bad error code and we bomb the
installation.

Cheers,

--
Iain Lane [ i...@orangesquash.org.uk ]
Debian Developer [ la...@debian.org ]
Ubuntu Developer [ la...@ubuntu.com ]
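An added example, not part of the thread and not code from ca-certificates or OpenSSL: a pre-upgrade audit of a certificate directory that reports the two conditions `openssl rehash` complains about in the logs above, duplicate certificates and files it cannot open. It compares SHA-256 digests of the decoded certificate bytes, which is an assumption of this sketch rather than OpenSSL's own comparison, and the file contents built in `demo()` are constructed placeholders, not real certificates.

```python
import base64, hashlib, os, re, tempfile
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def audit_cert_dir(path):
    """Return (duplicates, unreadable) for the certificate files in path.

    duplicates: lists of file names whose first certificate decodes to the same bytes.
    unreadable: names that cannot be opened (dangling symlinks) or hold no certificate.
    """
    by_digest, unreadable = defaultdict(list), []
    for name in sorted(os.listdir(path)):
        if not name.endswith((".pem", ".crt", ".cer")):
            continue  # also skips the <hash>.N symlinks that rehash creates
        try:
            with open(os.path.join(path, name), "rb") as fh:  # follows symlinks
                match = PEM_RE.search(fh.read())
            der = base64.b64decode(match.group(1)) if match else None
        except (OSError, ValueError):
            der = None
        if der:
            by_digest[hashlib.sha256(der).hexdigest()].append(name)
        else:
            unreadable.append(name)
    return [names for names in by_digest.values() if len(names) > 1], unreadable

def demo():
    """Audit a constructed directory that mirrors the layout described in the thread."""
    def pem(payload, width):
        b64 = base64.b64encode(payload).decode()
        body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        files = {  # constructed payloads; the two Go Daddy files differ only in line wrap
            "Go_Daddy_Class_2_CA.pem": pem(b"constructed-der-A" * 8, 64),
            "UbuntuOne-Go_Daddy_Class_2_CA.pem": pem(b"constructed-der-A" * 8, 76),
            "ISRG_Root_X1.pem": pem(b"constructed-der-B" * 8, 64),
        }
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        # dangling symlink, the likely shape of a "cannot open file" entry
        os.symlink(os.path.join(d, "missing.crt"), os.path.join(d, "vpn.auth.gr.pem"))
        return audit_cert_dir(d)

if __name__ == "__main__":
    print(demo())
```

Pointing `audit_cert_dir` at `/etc/ssl/certs` before an upgrade lists the locally added files that would make the rehash step return non-zero.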
Bug#895473: ca-certificates: Post-install script subprocess return error exit status 3 while upgrading
In Ubuntu I encounter this issue when upgrading ca-certificates from
20170717~16.04.1 (Ubuntu 16.04) to 20180409 (Ubuntu 18.04) when the
package python-ubuntu-sso-client (only available in Ubuntu 16.04) is
also installed. The python-ubuntu-sso-client package put
"/etc/ssl/certs/UbuntuOne-Go_Daddy_Class_2_CA.pem" on disk. Here's the
error:

Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
rehash: skipping duplicate certificate in Go_Daddy_Class_2_CA.pem
dpkg: error processing package ca-certificates (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Errors were encountered while processing:
 ca-certificates
E: Sub-process /usr/bin/dpkg returned an error code (1)

(xenial-amd64)root@impulse:/home/bdmurray/source-trees/ubuntu-release-upgrader# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: skipping duplicate certificate in Go_Daddy_Class_2_CA.pem
(xenial-amd64)root@impulse:/home/bdmurray/source-trees/ubuntu-release-upgrader# echo $?
1

Perhaps that'll help recreating the issue. The Ubuntu bug report is at
http://launchpad.net/bugs/1764848.

--
Brian Murray @ubuntu.com
Bug#895473: ca-certificates: Post-install script subprocess return error exit status 3 while upgrading
On 04/11/2018 04:01 PM, Pr0metheus wrote:
>
> * What led up to the situation?
>
> apt-get upgrade
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> Cannot fix the problem
>
> * What was the outcome of this action?
>
> Setting up ca-certificates (20180409) ...
> Updating certificates in /etc/ssl/certs...
> rehash: skipping duplicate certificate in HaricaRootCA2011.pem
> rehash: skipping vpn.auth.gr.pem, cannot open file
> rehash: skipping AutCentralCAR5.pem, cannot open file
> dpkg: error processing package ca-certificates (--configure):
> installed ca-certificates package post-installation script subprocess
> returned
> error exit status 3
> Errors were encountered while processing:
> ca-certificates
> E: Sub-process /usr/bin/dpkg returned an error code (1)
>
> * What outcome did you expect instead?
>
> Like previous upgrades, maintain my existing list and update the rest.

Thanks for the bug report. I'm having trouble reproducing a similar
error reported in #895482 on package-removed CAs and have not merged
these reports because this error appears to be on locally installed
certificates. I believe they are related, however.

I will keep trying to reproduce and identify where the problem might be.

--
Kind regards,
Michael
Bug#895473: ca-certificates: Post-install script subprocess return error exit status 3 while upgrading
Package: ca-certificates
Version: 20180409
Severity: important

Dear Maintainer,

* What led up to the situation?

apt-get upgrade

* What exactly did you do (or not do) that was effective (or
ineffective)?

Cannot fix the problem

* What was the outcome of this action?

Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
rehash: skipping duplicate certificate in HaricaRootCA2011.pem
rehash: skipping vpn.auth.gr.pem, cannot open file
rehash: skipping AutCentralCAR5.pem, cannot open file
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned error exit status 3
Errors were encountered while processing:
 ca-certificates
E: Sub-process /usr/bin/dpkg returned an error code (1)

* What outcome did you expect instead?

Like previous upgrades, maintain my existing list and update the rest.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.66
ii  openssl                1.1.0h-2

ca-certificates recommends no packages.

ca-certificates suggests no packages.
-- debconf information: