Followup-For: Bug #825730 Control: tag -1 patch The fix is quite easy: we just need to run update-ca-certificates *without* processing the hooks during postinst configure:
update-ca-certificates --hooksdir "" This should be backported to stable, too. Andreas
>From 1d989acd2c53a9242845a6fe84e2a97098e1b256 Mon Sep 17 00:00:00 2001 From: Andreas Beckmann <a...@debian.org> Date: Sun, 11 Sep 2016 10:26:10 +0200 Subject: [PATCH] initially populate /etc/ssh/certs during postinst configure run update-ca-certificates without hooks (which are deferred to the noawait trigger) --- debian/changelog | 6 ++++++ debian/postinst | 7 +++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index ffd5c73..46e8ed3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -23,6 +23,12 @@ ca-certificates (20160816) unstable; urgency=medium Update to Standards-Version: 3.9.8 Update to Vcs-Browser/Vcs-Git: https URLs + [ Andreas Beckmann ] + * debian/postinst: + Run update-certificates without hooks to initially populate + /etc/ssl/certs. (The hooks are deferred to the noawait trigger.) + (Closes: #825730) + -- Michael Shuler <mich...@pbandjelly.org> Tue, 16 Aug 2016 21:50:14 -0500 ca-certificates (20160104) unstable; urgency=medium diff --git a/debian/postinst b/debian/postinst index f7ef7f4..21586bb 100644 --- a/debian/postinst +++ b/debian/postinst @@ -138,13 +138,16 @@ EOF -e 's/^[[:space:]]*1[[:space:]]*/!/' \ >> /etc/ca-certificates.conf fi + # update /etc/ssl/certs without running the hooks # fix bogus symlink to ca-certificates.crt on upgrades; see # Debian #643667; drop after wheezy if dpkg --compare-versions "$2" lt-nl 20111025; then - dpkg-trigger --no-await update-ca-certificates-fresh + update-ca-certificates --hooksdir "" --fresh else - dpkg-trigger --no-await update-ca-certificates + update-ca-certificates --hooksdir "" fi + # deferred update of /etc/ssl/certs including running the hooks + dpkg-trigger --no-await update-ca-certificates ;; triggered) -- 2.9.3