Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-12-20 Thread Michael Shuler 
I've been able to test this error by creating a bogus symlink in
/etc/ssl/certs and I committed a patch that removes any orphan symlinks,
prior to running `openssl rehash`.

https://salsa.debian.org/debian/ca-certificates/commit/cfe7064cb707ed2e8ac587877c1153029d46dc28

-- 
Kind regards,
Michael.

Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-22 Thread Axel Beckert 
Hi Michael,

Michael Shuler wrote:
> [x] I intend to find the time between work, family, and multiple other
> projects to attempt to reliably reproduce the problem, in order to
> intelligently answer the above.

Much appreciated, thanks!

In the hope that it helps you to track down this issue, here are the
debconf settings of my second affected machine, the i386 one. (The
other machine's debconf settings are in the original report.)

# debconf-get-selections | fgrep ca-cert
ca-certificates ca-certificates/enable_crts multiselect 
CAcert/class3.crt, CAcert/root.crt, 
mozilla/COMODO_RSA_Certification_Authority.crt, 
mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DST_Root_CA_X3.crt, 
mozilla/GeoTrust_Global_CA_2.crt, mozilla/GeoTrust_Global_CA.crt, 
mozilla/GeoTrust_Primary_Certification_Authority.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt, 
mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, 
mozilla/IdenTrust_Commercial_Root_CA_1.crt, 
mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, 
mozilla/QuoVadis_Root_CA_1_G3.crt, mozilla/QuoVadis_Root_CA_2.crt, 
mozilla/QuoVadis_Root_CA_2_G3.crt, mozilla/QuoVadis_Root_CA_3.crt, 
mozilla/QuoVadis_Root_CA_3_G3.crt, mozilla/QuoVadis_Root_CA.crt, 
mozilla/Swisscom_Root_CA_1.crt, mozilla/Swisscom_Root_CA_2.crt, 
mozilla/Swisscom_Root_EV_CA_2.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, 
mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA.crt, 
mozilla/thawte_Primary_Root_CA_-_G2.crt, 
mozilla/thawte_Primary_Root_CA_-_G3.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, 
mozilla/VeriSign_Universal_Root_Certification_Authority.crt,
ca-certificates ca-certificates/new_crtsmultiselect
ca-certificates ca-certificates/trust_new_crts  select  ask

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-21 Thread Michael Shuler 

On 06/20/2018 04:33 PM, Sebastian Andrzej Siewior wrote:

On 2018-06-13 08:19:32 [+0200], To Axel Beckert wrote:

I asked upstream what they thing about ignoring these errors because the
perl script does so. On the other hand what about cleaning up these
dangling symlinks?


ca-certificate maintainers: what do we do here?

[ ] we intend to figure out why there are dangling symlinks, no need to
 change "openssl rehash" in anyway.

[ ] we intend to figure out why there are dangling symlinks but in the
 meantime "openssl rehash" should not error out on them.

[ ] "openssl rehash" should not error out on certificates which can not
 be opened. This is the old behavioud and required due to $reason.


[x] I intend to find the time between work, family, and multiple other
projects to attempt to reliably reproduce the problem, in order to
intelligently answer the above.

--
Kind regards,
Michael

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-20 Thread Sebastian Andrzej Siewior 
On 2018-06-13 08:19:32 [+0200], To Axel Beckert wrote:
> I asked upstream what they thing about ignoring these errors because the
> perl script does so. On the other hand what about cleaning up these
> dangling symlinks?

ca-certificate maintainers: what do we do here?

[ ] we intend to figure out why there are dangling symlinks, no need to
change "openssl rehash" in anyway.

[ ] we intend to figure out why there are dangling symlinks but in the
meantime "openssl rehash" should not error out on them.

[ ] "openssl rehash" should not error out on certificates which can not
be opened. This is the old behavioud and required due to $reason.
 
> > Regards, Axel

Sebastian

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-13 Thread Sebastian Andrzej Siewior 
On 2018-06-13 00:10:57 [+0200], Axel Beckert wrote:
> Hi Sebastian,
Hi Axel,

> Sebastian Andrzej Siewior wrote:
> > > I don't think so unless a future upload of OpenSSL to unstable fixes
> > > this. The recent one to unstable didn't.
> > 
> > forwarded https://github.com/openssl/openssl/issues/6475
> > 
> > Just a little question: The missing certificates:
> > |rehash: error: skipping Swisscom_Root_CA_1.pem, cannot open file
> > |rehash: error: skipping Swisscom_Root_CA_2.pem, cannot open file
> > |rehash: error: skipping GeoTrust_Global_CA_2.pem, cannot open file
> > |rehash: error: skipping Swisscom_Root_EV_CA_2.pem, cannot open file
> > 
> > where are they from?
> 
> From the ca-certificates package I assume. At least those errors go
> away if I downgrade to 20170717 again and they reappear as soon as I
> upgrade to 20180409 on that machine. At least the file names are the
> same as in my mail from 12th of April[1] (just in different order).
> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895482#10
> 
> I just checked: All four CAs are CAs I've chosen to be enabled. But
> they're by far not the only CAs which are enabled from ca-certificates
> on that machine. So I have no idea what makes those four special.

Okay. So this is "normal" debconf and nothing more. Just wanted to make
sure.

> > Is there something specific you did to get those
> > symlinks which now don't belong to a real file?
> 
> No. As mentioned in the initial report, I have ca-certificates to ask
> me every time on new CAs if I want to enable them or not. And I'm
> rather conservative with enabling CAs. I also do this on most of my
> machines, usually with slight differences in the list of enabled CAs.
> Nevertheless this only happened on two of my machines.

I asked upstream what they thing about ignoring these errors because the
perl script does so. On the other hand what about cleaning up these
dangling symlinks?

>   Regards, Axel

Sebastian

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Axel Beckert 
Hi Sebastian,

Sebastian Andrzej Siewior wrote:
> > I don't think so unless a future upload of OpenSSL to unstable fixes
> > this. The recent one to unstable didn't.
> 
> forwarded https://github.com/openssl/openssl/issues/6475
> 
> Just a little question: The missing certificates:
> |rehash: error: skipping Swisscom_Root_CA_1.pem, cannot open file
> |rehash: error: skipping Swisscom_Root_CA_2.pem, cannot open file
> |rehash: error: skipping GeoTrust_Global_CA_2.pem, cannot open file
> |rehash: error: skipping Swisscom_Root_EV_CA_2.pem, cannot open file
> 
> where are they from?

From the ca-certificates package I assume. At least those errors go
away if I downgrade to 20170717 again and they reappear as soon as I
upgrade to 20180409 on that machine. At least the file names are the
same as in my mail from 12th of April[1] (just in different order).

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895482#10

I just checked: All four CAs are CAs I've chosen to be enabled. But
they're by far not the only CAs which are enabled from ca-certificates
on that machine. So I have no idea what makes those four special.

From debconf-get-selections:

ca-certificates ca-certificates/enable_crts multiselect 
CAcert/class3.crt, CAcert/root.crt, 
mozilla/COMODO_RSA_Certification_Authority.crt, 
mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DST_Root_CA_X3.crt, 
mozilla/GeoTrust_Global_CA_2.crt, mozilla/GeoTrust_Global_CA.crt, 
mozilla/GeoTrust_Primary_Certification_Authority.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt, 
mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt, 
mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, 
mozilla/IdenTrust_Commercial_Root_CA_1.crt, 
mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, 
mozilla/QuoVadis_Root_CA_1_G3.crt, mozilla/QuoVadis_Root_CA_2.crt, 
mozilla/QuoVadis_Root_CA_2_G3.crt, mozilla/QuoVadis_Root_CA_3.crt, 
mozilla/QuoVadis_Root_CA_3_G3.crt, mozilla/QuoVadis_Root_CA.crt, 
mozilla/Swisscom_Root_CA_1.crt, mozilla/Swisscom_Root_CA_2.crt, 
mozilla/Swisscom_Root_EV_CA_2.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, 
mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA.crt, 
mozilla/thawte_Primary_Root_CA_-_G2.crt, 
mozilla/thawte_Primary_Root_CA_-_G3.crt, 
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, 
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, 
mozilla/VeriSign_Universal_Root_Certification_Authority.crt,

> Is there something specific you did to get those
> symlinks which now don't belong to a real file?

No. As mentioned in the initial report, I have ca-certificates to ask
me every time on new CAs if I want to enable them or not. And I'm
rather conservative with enabling CAs. I also do this on most of my
machines, usually with slight differences in the list of enabled CAs.
Nevertheless this only happened on two of my machines.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Sebastian Andrzej Siewior 
On 2018-06-12 22:29:42 [+0200], Axel Beckert wrote:
> Shall I try the version from Experimental, too?
no.

> > (Should some Breaks be added, Depends made stricter?)
> 
> I don't think so unless a future upload of OpenSSL to unstable fixes
> this. The recent one to unstable didn't.

forwarded https://github.com/openssl/openssl/issues/6475

Just a little question: The missing certificates:
|rehash: error: skipping Swisscom_Root_CA_1.pem, cannot open file
|rehash: error: skipping Swisscom_Root_CA_2.pem, cannot open file
|rehash: error: skipping GeoTrust_Global_CA_2.pem, cannot open file
|rehash: error: skipping Swisscom_Root_EV_CA_2.pem, cannot open file

where are they from? Is there something specific you did to get those
symlinks which now don't belong to a real file?

>   Regards, Axel

Sebastian

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Axel Beckert 
Hi Kurt,

Kurt Roeckx wrote:
> > > Given that this openssl update is now in testing, should we close or at
> > > least downgrade this bug so ca-certificates can migrate?
> > 
> > I just unhold ca-certificates 20170717 and upgraded it to 20180409 on
> > one of my affected machines (the i386 one) and unfortunately, the
> > issue (at least mine, which is #895482 with exit status 4, so only
> > Cc'ing that bug report) doesn't seem to fixed:
> 
> Which openssl version do you have installed?

Valid question. I should have mentioned that explicitly.

It's the current version from unstable/testing:

104/0/0 root@loadrunner:pts/3 22:16:35 [~] # apt-cache policy openssl
openssl:
  Installed: 1.1.0h-4
  Candidate: 1.1.0h-4
  Version table:
 1.1.1~~pre7-1 110
110 https://debian.ethz.ch/debian experimental/main i386 Packages
 *** 1.1.0h-4 990
990 https://debian.ethz.ch/debian sid/main i386 Packages
500 https://debian.ethz.ch/debian testing/main i386 Packages
100 /var/lib/dpkg/status
105/0/0 root@loadrunner:pts/3 22:26:00 [~] # 

Shall I try the version from Experimental, too?

> (Should some Breaks be added, Depends made stricter?)

I don't think so unless a future upload of OpenSSL to unstable fixes
this. The recent one to unstable didn't.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Kurt Roeckx 
On Tue, Jun 12, 2018 at 09:57:56PM +0200, Axel Beckert wrote:
> Hi,
> 
> Thijs Kinkhorst wrote:
> > >> I've read about this bug (and the other one) on d-devel. I uploaded
> > >> recently a new version of openssl to unstable (1.1.0h-3)which changes
> > >> the exit code of "openssl rehash" to zero in case of a duplicate or if a
> > >> certificate can no be open.
> > >> I left this bug open in case the maintainer of this package wants to
> > >> investigate why there are duplicates or non-existing certificates.
> > >
> > > Thanks for the update, Sebastian.
> > >
> > > OpenSSL commit for my own reference and for others, if interested:
> > > https://github.com/openssl/openssl/commit/e6a833cb97ed762408b57ea3efa83bd10c1d2a78
> > 
> > Given that this openssl update is now in testing, should we close or at
> > least downgrade this bug so ca-certificates can migrate?
> 
> I just unhold ca-certificates 20170717 and upgraded it to 20180409 on
> one of my affected machines (the i386 one) and unfortunately, the
> issue (at least mine, which is #895482 with exit status 4, so only
> Cc'ing that bug report) doesn't seem to fixed:

Which openssl version do you have installed?

(Should some Breaks be added, Depends made stricter?)


Kurt

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-12 Thread Axel Beckert 
Hi,

Thijs Kinkhorst wrote:
> >> I've read about this bug (and the other one) on d-devel. I uploaded
> >> recently a new version of openssl to unstable (1.1.0h-3)which changes
> >> the exit code of "openssl rehash" to zero in case of a duplicate or if a
> >> certificate can no be open.
> >> I left this bug open in case the maintainer of this package wants to
> >> investigate why there are duplicates or non-existing certificates.
> >
> > Thanks for the update, Sebastian.
> >
> > OpenSSL commit for my own reference and for others, if interested:
> > https://github.com/openssl/openssl/commit/e6a833cb97ed762408b57ea3efa83bd10c1d2a78
> 
> Given that this openssl update is now in testing, should we close or at
> least downgrade this bug so ca-certificates can migrate?

I just unhold ca-certificates 20170717 and upgraded it to 20180409 on
one of my affected machines (the i386 one) and unfortunately, the
issue (at least mine, which is #895482 with exit status 4, so only
Cc'ing that bug report) doesn't seem to fixed:

Performing actions...
Preconfiguring packages ...
(Reading database ... 936122 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20180409_all.deb ...
Unpacking ca-certificates (20180409) over (20170717) ...
[…]
Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_CA_1.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_EV_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
rehash: error: skipping Swisscom_Root_CA_1.pem, cannot open file
rehash: error: skipping Swisscom_Root_CA_2.pem, cannot open file
rehash: error: skipping GeoTrust_Global_CA_2.pem, cannot open file
rehash: error: skipping Swisscom_Root_EV_CA_2.pem, cannot open file
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned 
error exit status 4
Processing triggers for hicolor-icon-theme (0.17-2) ...
Setting up libcups2:i386 (2.2.8-3) ...
Setting up libcupsimage2:i386 (2.2.8-3) ...
Processing triggers for libc-bin (2.27-3) ...
Errors were encountered while processing:
 ca-certificates
[master c040eace] committing changes in /etc after apt run
 45 files changed, 1039 deletions(-)
 delete mode 12 ssl/certs/00673b5b.0
 delete mode 12 ssl/certs/034868d6.0
 delete mode 12 ssl/certs/12d55845.0
 delete mode 12 ssl/certs/1f58a078.0
 delete mode 12 ssl/certs/27af790d.0
 delete mode 12 ssl/certs/399e7759.0
 delete mode 12 ssl/certs/3c860d51.0
 delete mode 12 ssl/certs/3efd4dc0.0
 delete mode 12 ssl/certs/450c6e38.0
 delete mode 12 ssl/certs/4be590e0.0
 delete mode 12 ssl/certs/5046c355.0
 delete mode 12 ssl/certs/524d9b43.0
 delete mode 12 ssl/certs/52b525c7.0
 delete mode 12 ssl/certs/57692373.0
 delete mode 12 ssl/certs/5cf9d536.0
 delete mode 12 ssl/certs/5d66db40.0
 delete mode 12 ssl/certs/5e4e69e7.0
 delete mode 12 ssl/certs/5ed36f99.0
 delete mode 12 ssl/certs/6187b673.0
 delete mode 12 ssl/certs/667c66d4.0
 delete mode 12 ssl/certs/67495436.0
 delete mode 12 ssl/certs/69105f4f.0
 delete mode 12 ssl/certs/7999be0d.0
 delete mode 12 ssl/certs/7a819ef2.0
 delete mode 12 ssl/certs/7d453d8f.0
 delete mode 12 ssl/certs/8028ce6e.0
 delete mode 12 ssl/certs/81b9768f.0
 delete mode 12 ssl/certs/87753b0d.0
 delete mode 12 ssl/certs/9339512a.0
 delete mode 12 ssl/certs/9772ca32.0
 delete mode 12 ssl/certs/9ab62355.0
 delete mode 12 ssl/certs/9f129ada.0
 delete mode 12 ssl/certs/a7d2cf64.0
 delete mode 12 ssl/certs/c7e2a638.0
 delete mode 100644 ssl/certs/ca-certificates.crt
 delete mode 12 ssl/certs/cbeee9e2.0
 delete mode 12 ssl/certs/d18e9066.0
 delete mode 12 ssl/certs/d4c339cb.0
 delete mode 12 ssl/certs/e442e424.0
 delete mode 12 ssl/certs/e5662767.0
 delete mode 12 ssl/certs/e60bf0c0.0
 delete mode 12 ssl/certs/e775ed2d.0
 delete mode 12 ssl/certs/e9f92b43.0
 delete mode 12 ssl/certs/facacbc6.0
[…]
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)
Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_CA_1.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
W:

Bug#895482: Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-06-06 Thread Thijs Kinkhorst 
On Wed, May 30, 2018 20:22, Michael Shuler wrote:
> On 05/30/2018 12:46 PM, Sebastian Andrzej Siewior wrote:
>>
>> I've read about this bug (and the other one) on d-devel. I uploaded
>> recently a new version of openssl to unstable (1.1.0h-3)which changes
>> the exit code of "openssl rehash" to zero in case of a duplicate or if a
>> certificate can no be open.
>> I left this bug open in case the maintainer of this package wants to
>> investigate why there are duplicates or non-existing certificates.
>
> Thanks for the update, Sebastian.
>
> OpenSSL commit for my own reference and for others, if interested:
> https://github.com/openssl/openssl/commit/e6a833cb97ed762408b57ea3efa83bd10c1d2a78

Given that this openssl update is now in testing, should we close or at
least downgrade this bug so ca-certificates can migrate?


Cheers,
Thijs

Bug#895473: Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-05-30 Thread Michael Shuler 

On 05/30/2018 12:46 PM, Sebastian Andrzej Siewior wrote:


I've read about this bug (and the other one) on d-devel. I uploaded
recently a new version of openssl to unstable (1.1.0h-3)which changes
the exit code of "openssl rehash" to zero in case of a duplicate or if a
certificate can no be open.
I left this bug open in case the maintainer of this package wants to
investigate why there are duplicates or non-existing certificates.


Thanks for the update, Sebastian.

OpenSSL commit for my own reference and for others, if interested:
https://github.com/openssl/openssl/commit/e6a833cb97ed762408b57ea3efa83bd10c1d2a78

--
Kind regards,
Michael

Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-05-30 Thread Sebastian Andrzej Siewior 
On 2018-04-22 16:55:21 [+0200], Axel Beckert wrote:
> Hi Michael,
Hi,

> Michael Shuler wrote:
> > Thanks for the details. #895473 reported a similar error on locally
> > installed CA certificates, which I think may be related.
> 
> That other bug report indeed looks similar albeit not identical.
…
> (That's why I've now downgraded ca-certificates on my two affected
> machines.)

I've read about this bug (and the other one) on d-devel. I uploaded
recently a new version of openssl to unstable (1.1.0h-3)which changes
the exit code of "openssl rehash" to zero in case of a duplicate or if a
certificate can no be open.
I left this bug open in case the maintainer of this package wants to
investigate why there are duplicates or non-existing certificates.

>   Regards, Axel

Sebastian

Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-04-22 Thread Axel Beckert 
Hi Michael,

Michael Shuler wrote:
> Thanks for the details. #895473 reported a similar error on locally
> installed CA certificates, which I think may be related.

That other bug report indeed looks similar albeit not identical.

> I've tried a number of upgrades from a March 29 unstable chroot, as well
> as from stretch to unstable on openstack instances, on both amd64 and
> i386 (I don't think arch is dependent), and I've been unable to get a
> similar error to present itself.

Doesn't surprise me. From about ten machines with Debian unstable, I
only ran into that issue on two machines, one amd64 and one i386.

> Each way I've tried, I get the package-removed certificates prefixed
> properly and no errors, so haven't been able to reproduce this, yet. I
> will keep trying with different options and see if I can figure out
> where the problem is. If someone has a good way to reproduce, I'd
> appreciate it!

Sorry, can't help there at the moment as I have no idea what makes the
two machines, on which I ran into it, so special. I just wanted to add
some more facts:

Downgrading ca-certificates to the version from testing (20170717)
fixes the issue and seems to clean up the broken files, symlinks, …
well.

On all machines I ran into that issue I was no more able to run "apt
update" or similar, since I use HTTPS in my sources.list and
certificate validation failed and hence I was unable to download new
package lists and hence unable to download any package updates, too.

(That's why I've now downgraded ca-certificates on my two affected
machines.)

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-04-16 Thread Michael Shuler 
Thanks for the details. #895473 reported a similar error on locally
installed CA certificates, which I think may be related.

Each of the list of `rehash: skipping .. cannot open file` in your
errors appears to be on CAs that were removed in the package during this
update, so somewhere we have a problem with `openssl rehash` trying to
link to files we removed, but for some reason were not prefixed with '!'
in /etc/ca-certificates.conf.

I've tried a number of upgrades from a March 29 unstable chroot, as well
as from stretch to unstable on openstack instances, on both amd64 and
i386 (I don't think arch is dependent), and I've been unable to get a
similar error to present itself.

Each way I've tried, I get the package-removed certificates prefixed
properly and no errors, so haven't been able to reproduce this, yet. I
will keep trying with different options and see if I can figure out
where the problem is. If someone has a good way to reproduce, I'd
appreciate it!

-- 
Kind regards,
Michael

Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-04-11 Thread Axel Beckert 
Hi,

Axel Beckert wrote:
> On other sid installations (including architectures amd64, i386 and
> armhf), the upgrade worked fine, […]

Correction: It failed on one i386 sid machine, too:

Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_CA_1.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/Swisscom_Root_EV_CA_2.crt not found, but 
listed in /etc/ca-certificates.conf.
rehash: skipping Swisscom_Root_CA_1.pem, cannot open file
rehash: skipping Swisscom_Root_CA_2.pem, cannot open file
rehash: skipping GeoTrust_Global_CA_2.pem, cannot open file
rehash: skipping Swisscom_Root_EV_CA_2.pem, cannot open file
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned 
error exit status 4
Errors were encountered while processing:
 ca-certificates

Still, it worked fine on at least one amd64 and one armhf machine.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#895482: Fails to upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 4

2018-04-11 Thread Axel Beckert 
Package: ca-certificates
Version: 20180409
Severity: serious

Upgrading ca-certificates from 20170717 to 20180409 fails for me as
follows on one machine:

Before unpacking, I have been shown this dialog, which I acknowledged
by pressing enter:

  ┌┤ ca-certificates configuration 
├─┐
  │ During upgrades, new certificates will be added. Please choose 
those you trust.  │
  │ 
 │
  │ New certificates to activate:   
 │
  │ 
 │
  │[ ] mozilla/GDCA_TrustAUTH_R5_ROOT.crt   
 │
  │[ ] mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt  
 │
  │[ ] mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt   
 │
  │[ ] mozilla/SSL.com_Root_Certification_Authority_ECC.crt 
 │
  │[ ] mozilla/SSL.com_Root_Certification_Authority_RSA.crt 
 │
  │[ ] mozilla/TrustCor_ECA-1.crt   
 │
  │[ ] mozilla/TrustCor_RootCert_CA-1.crt   
 │
  │[ ] mozilla/TrustCor_RootCert_CA-2.crt   
 │
  │ 
 │
  │ 
 │
  │ 
 │
  │ 
 │
  
└──┘

Unpacking went fine:

Preparing to unpack .../04-ca-certificates_20180409_all.deb ...
Unpacking ca-certificates (20180409) over (20170717) ...

The first as well as the second try to configure ca-certificates
failed identically:

Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt not 
found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt 
not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt not 
found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt not found, but listed 
in /etc/ca-certificates.conf.
rehash: skipping DST_ACES_CA_X6.pem, cannot open file
rehash: skipping AddTrust_Qualified_Certificates_Root.pem, cannot open file
rehash: skipping UTN_USERFirst_Hardware_Root_CA.pem, cannot open file
rehash: skipping AddTrust_Public_Services_Root.pem, cannot open file
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned 
error exit status 4
[…]
Errors were encountered while processing:
 ca-certificates
[…]
E: Sub-process /usr/bin/dpkg returned an error code (1)
[…]
Setting up ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt not 
found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt 
not found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt not 
found, but listed in /etc/ca-certificates.conf.
W: /usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt not found, but listed 
in /etc/ca-certificates.conf.
rehash: skipping DST_ACES_CA_X6.pem, cannot open file
rehash: skipping AddTrust_Qualified_Certificates_Root.pem, cannot open file
rehash: skipping UTN_USERFirst_Hardware_Root_CA.pem, cannot open file
rehash: skipping AddTrust_Public_Services_Root.pem, cannot open file
dpkg: error processing package ca-certificates (--configure):
 installed ca-certificates package post-installation script subprocess returned 
error exit status 4
Errors were encountered while processing:
 ca-certificates

On other sid installations (including architectures amd64, i386 and
armhf), the upgrade worked fine, despite most (if not all) of my
systems have similar ca-certificates settings, namely
"ca-certificates/trust_new_crts: ask" and just a few CAs
selected. It's though very likely that the actual list of CAs differs
from installation to installation as I enabled further ones per
machine as needed.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), 
(500, 'buildd-unstable'), (110,