On Tue, May 14, 2024 at 3:10 PM Harald Dunkel <harald.dun...@aixigo.com>
wrote:

> Hi folks,
>
> is there a sanity check for /etc/ssl/certs included in Bookworm?
> I've got one host with some missing symlinks in this directory, e.g.
>
>         root@dpcl064:/etc/ssl/certs# ls -al *SSL.com*
>         ls: cannot access '*SSL.com*': No such file or directory
>

It is hard to say what is going on.

I see them in Debian Unstable:

$ find /etc/ssl/certs -iname '*ssl.com*'
/etc/ssl/certs/SSL.com_TLS_RSA_Root_CA_2022.pem
/etc/ssl/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
/etc/ssl/certs/SSL.com_TLS_ECC_Root_CA_2022.pem
/etc/ssl/certs/SSL.com_Root_Certification_Authority_RSA.pem
/etc/ssl/certs/SSL.com_Root_Certification_Authority_ECC.pem
/etc/ssl/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem

I don't see anything in Debian's bug reporter about removing ssl.com;
confer, <https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ca-certificates>.
And ssl.com is included in Mozilla and Chrome's root program.


> Other hosts show
>
>         root@dpcl082:/etc/ssl/certs# ls -al *SSL.com*
>         lrwxrwxrwx 1 root root 82 Jul 16  2018 SSL.com_EV_Root_Certification_Authority_ECC.pem -> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
>         lrwxrwxrwx 1 root root 85 Jul 16  2018 SSL.com_EV_Root_Certification_Authority_RSA_R2.pem -> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
>         lrwxrwxrwx 1 root root 79 Jul 16  2018 SSL.com_Root_Certification_Authority_ECC.pem -> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt
>         lrwxrwxrwx 1 root root 79 Jul 16  2018 SSL.com_Root_Certification_Authority_RSA.pem -> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt
>
> The files in /usr/share/ca-certificates are available, of course.
> The access rights seem OK. update-ca-certificates or reinstalling
> ca-certificates (with overwrite) didn't solve this problem.
>

Hazarding a guess... Have you upgraded that system over the years? That may
explain why you are seeing old artifacts and dead symlinks.

Maybe you should run `symlinks -r / | grep dangling` to locate dead
symlinks, and then run `symlinks -r -d /` to delete them (once you are
satisfied with the resulting list).

Jeff
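
A sanity check of the kind asked about at the top of the thread, as an added example (not part of the original message and not code from the ca-certificates package): it compares the entries enabled in /etc/ca-certificates.conf with the links actually present in /etc/ssl/certs. The function names, the output labels, the link-naming rule and the sample tree built by `demo` are assumptions of this example.

```shell
#!/bin/sh
# check_ca_links CONF SHAREDIR CERTSDIR
# Prints one finding per line:
#   MISSING  <name>  enabled in CONF, source present, no usable link in CERTSDIR
#   NOSOURCE <path>  enabled in CONF, but the file is absent from SHAREDIR
#   DISABLED <path>  deselected in CONF with a leading '!'
#   DANGLING <link>  symlink in CERTSDIR whose target no longer exists
check_ca_links() {
    conf=$1 share=$2 certs=$3
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                          # blank line or comment
            '!'*) echo "DISABLED ${line#!}"; continue ;;  # deselected entry
        esac
        if [ ! -f "$share/$line" ]; then
            echo "NOSOURCE $line"
            continue
        fi
        # Assumed naming rule: basename, .crt -> .pem, with spaces and commas
        # turned into '_' and parentheses into '='.
        name=$(basename "$line" .crt | sed -e 's/ /_/g' -e 's/[()]/=/g' -e 's/,/_/g').pem
        [ -e "$certs/$name" ] || echo "MISSING $name"
    done < "$conf"
    for link in "$certs"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            echo "DANGLING $link"
        fi
    done
}

# Constructed sample tree (not data from the thread): one healthy link, one
# enabled certificate without a link, one deselected entry, one dead link.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/share/mozilla" "$d/certs"
    : > "$d/share/mozilla/A_Root.crt"
    : > "$d/share/mozilla/B_Root.crt"
    printf '%s\n' '# comment' 'mozilla/A_Root.crt' 'mozilla/B_Root.crt' \
        '!mozilla/C_Root.crt' > "$d/conf"
    ln -s "$d/share/mozilla/A_Root.crt" "$d/certs/A_Root.pem"
    ln -s "$d/share/mozilla/gone.crt" "$d/certs/Old_Root.pem"
    check_ca_links "$d/conf" "$d/share" "$d/certs" | sed "s|$d/||"
    rm -rf "$d"
}

# On a real host:
#   check_ca_links /etc/ca-certificates.conf /usr/share/ca-certificates /etc/ssl/certs
```

The check only reads the three locations and changes nothing, so it can be run before deciding whether any links should be deleted or regenerated.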
