Followup-For: Bug #825730
Control: tag -1 patch

The fix is quite easy: we just need to run update-ca-certificates
*without* processing the hooks during postinst configure:

    update-ca-certificates --hooksdir ""

This should be backported to stable, too.


Andreas
From 1d989acd2c53a9242845a6fe84e2a97098e1b256 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann <a...@debian.org>
Date: Sun, 11 Sep 2016 10:26:10 +0200
Subject: [PATCH] initially populate /etc/ssh/certs during postinst configure

run update-ca-certificates without hooks
(which are deferred to the noawait trigger)
---
 debian/changelog | 6 ++++++
 debian/postinst  | 7 +++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ffd5c73..46e8ed3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,6 +23,12 @@ ca-certificates (20160816) unstable; urgency=medium
     Update to Standards-Version: 3.9.8
     Update to Vcs-Browser/Vcs-Git: https URLs
 
+  [ Andreas Beckmann ]
+  * debian/postinst:
+    Run update-certificates without hooks to initially populate
+    /etc/ssl/certs.  (The hooks are deferred to the noawait trigger.)
+    (Closes: #825730)
+
  -- Michael Shuler <mich...@pbandjelly.org>  Tue, 16 Aug 2016 21:50:14 -0500
 
 ca-certificates (20160104) unstable; urgency=medium
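
Review bot: The new changelog entry names the command as "update-certificates", but the command the postinst change calls is update-ca-certificates; please spell it out in full so the entry matches the code. The commit subject also says /etc/ssh/certs where this entry and the postinst comments say /etc/ssl/certs, so the subject line should be corrected to match.
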
diff --git a/debian/postinst b/debian/postinst
index f7ef7f4..21586bb 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -138,13 +138,16 @@ EOF
 	        -e 's/^[[:space:]]*1[[:space:]]*/!/' \
 	    >> /etc/ca-certificates.conf
 	fi
+	# update /etc/ssl/certs without running the hooks
 	# fix bogus symlink to ca-certificates.crt on upgrades; see
 	# Debian #643667; drop after wheezy
 	if dpkg --compare-versions "$2" lt-nl 20111025; then
-	    dpkg-trigger --no-await update-ca-certificates-fresh
+	    update-ca-certificates --hooksdir "" --fresh
 	else
-	    dpkg-trigger --no-await update-ca-certificates
+	    update-ca-certificates --hooksdir ""
 	fi
+	# deferred update of /etc/ssl/certs including running the hooks
+	dpkg-trigger --no-await update-ca-certificates
     ;;
 
     triggered)
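
Review bot: In the "lt-nl 20111025" branch the old code queued the update-ca-certificates-fresh trigger, but the trigger now added after the "fi" is always the plain update-ca-certificates one, so on that upgrade path the hooks no longer run as part of a --fresh pass. Because the direct call has already populated /etc/ssl/certs by the time the deferred trigger fires, please confirm that the triggered run still hands the hooks what they expect, and note the outcome in the comment above the dpkg-trigger line. The added comment "# update /etc/ssl/certs without running the hooks" also sits above the older #643667 comment rather than next to the two update-ca-certificates calls it describes; moving it directly above the "if" would keep each comment beside its code.
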
-- 
2.9.3
