On Tue, May 14, 2024 at 3:10 PM Harald Dunkel <harald.dun...@aixigo.com> wrote:
> Hi folks,
>
> is there a sanity check for /etc/ssl/certs included in Bookworm?
> I've got one host with some missing symlinks in this directory, eg.
>
> root@dpcl064:/etc/ssl/certs# ls -al *SSL.com*
> ls: cannot access '*SSL.com*': No such file or directory
>

It is hard to say what is going on. I see them in Debian Unstable:

$ find /etc/ssl/certs -iname '*ssl.com*'
/etc/ssl/certs/SSL.com_TLS_RSA_Root_CA_2022.pem
/etc/ssl/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
/etc/ssl/certs/SSL.com_TLS_ECC_Root_CA_2022.pem
/etc/ssl/certs/SSL.com_Root_Certification_Authority_RSA.pem
/etc/ssl/certs/SSL.com_Root_Certification_Authority_ECC.pem
/etc/ssl/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem

I don't see anything in Debian's bug reporter about removing ssl.com;
confer, <https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=ca-certificates>.
And ssl.com is included in Mozilla and Chrome's root program.

> Other hosts show
>
> root@dpcl082:/etc/ssl/certs# ls -al *SSL.com*
> lrwxrwxrwx 1 root root 82 Jul 16 2018
> SSL.com_EV_Root_Certification_Authority_ECC.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt
> lrwxrwxrwx 1 root root 85 Jul 16 2018
> SSL.com_EV_Root_Certification_Authority_RSA_R2.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
> lrwxrwxrwx 1 root root 79 Jul 16 2018
> SSL.com_Root_Certification_Authority_ECC.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_ECC.crt
> lrwxrwxrwx 1 root root 79 Jul 16 2018
> SSL.com_Root_Certification_Authority_RSA.pem ->
> /usr/share/ca-certificates/mozilla/SSL.com_Root_Certification_Authority_RSA.crt
>
> The files in /usr/share/ca-certificates are available, of course.
> The access rights seem OK. update-ca-certificates or reinstalling
> ca-certificates (with overwrite) didn't solve this problem.
>

Hazarding a guess... Have you upgraded that system over the years?
That may explain why you are seeing old artifacts and dead symlinks.

Maybe you should run `symlinks -r / | grep dangling` to locate dead
symlinks, and then run `symlinks -r -d /` to delete them (once you are
satisfied with the resulting list).

Jeff
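
An added example, not part of either message above: one way to script the sanity check asked about, covering both dangling symlinks in /etc/ssl/certs and shipped certificates that have no symlink. The function names, the --check switch and the script name are made up for this example; it assumes the link naming seen in the listing above and that a line starting with "!" in /etc/ca-certificates.conf deselects a certificate.

```shell
#!/bin/sh
# Added example: sanity check for a Debian-style CA store (not from the thread).
# Defaults are the paths discussed above; override them to test elsewhere.
CERTS_DIR="${CERTS_DIR:-/etc/ssl/certs}"
SHARE_DIR="${SHARE_DIR:-/usr/share/ca-certificates}"
CONF="${CONF:-/etc/ca-certificates.conf}"

# Print every symlink directly in the store whose target does not exist.
# "test -e" follows the link chain, so hash links (xxxxxxxx.0) are covered too.
dangling_links() {
    find "$1" -maxdepth 1 -type l ! -exec test -e {} \; -print | sort
}

# Print each shipped .crt (path relative to the share dir) that has no working
# NAME.pem symlink in the store, prefixed with the reason:
#   deselected  conf has "!path", so update-ca-certificates skips it
#   missing     not deselected, yet no symlink exists
# Assumption: link name = base name with .crt replaced by .pem, as in the listing.
missing_links() {
    certs=$1; share=$2; conf=$3
    (cd "$share" && find . -type f -name '*.crt' | sed 's|^\./||' | sort) |
    while IFS= read -r rel; do
        pem="$certs/$(basename "$rel" .crt).pem"
        [ -L "$pem" ] && [ -e "$pem" ] && continue
        if [ -f "$conf" ] && grep -qxF "!$rel" "$conf"; then
            echo "deselected $rel"
        else
            echo "missing $rel"
        fi
    done
}

# Run both checks; print findings and return non-zero if there are any.
check_store() {
    report=$(dangling_links "$CERTS_DIR" | sed 's/^/dangling /'
             missing_links "$CERTS_DIR" "$SHARE_DIR" "$CONF")
    [ -z "$report" ] || { printf '%s\n' "$report"; return 1; }
}

# Only run against the live system when asked: sh ca-store-check.sh --check
if [ "${1:-}" = "--check" ]; then check_store; fi
```

A "deselected" line points at the configuration rather than at the filesystem, which would fit a host where rerunning update-ca-certificates does not bring the links back.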