Hi Sebastian, Sebastian Andrzej Siewior wrote: > > I don't think so unless a future upload of OpenSSL to unstable fixes > > this. The recent one to unstable didn't. > > forwarded https://github.com/openssl/openssl/issues/6475 > > Just a little question: The missing certificates: > |rehash: error: skipping Swisscom_Root_CA_1.pem, cannot open file > |rehash: error: skipping Swisscom_Root_CA_2.pem, cannot open file > |rehash: error: skipping GeoTrust_Global_CA_2.pem, cannot open file > |rehash: error: skipping Swisscom_Root_EV_CA_2.pem, cannot open file > > where are they from?
From the ca-certificates package I assume. At least those errors go away if I downgrade to 20170717 again and they reappear as soon as I upgrade to 20180409 on that machine. At least the file names are the same as in my mail from 12th of April[1] (just in different order). [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895482#10 I just checked: All four CAs are CAs I've chosen to be enabled. But they're by far not the only CAs which are enabled from ca-certificates on that machine. So I have no idea what makes those four special. From debconf-get-selections: ca-certificates ca-certificates/enable_crts multiselect CAcert/class3.crt, CAcert/root.crt, mozilla/COMODO_RSA_Certification_Authority.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/DigiCert_Global_Root_CA.crt, mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DST_Root_CA_X3.crt, mozilla/GeoTrust_Global_CA_2.crt, mozilla/GeoTrust_Global_CA.crt, mozilla/GeoTrust_Primary_Certification_Authority.crt, mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt, mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt, mozilla/GeoTrust_Universal_CA_2.crt, mozilla/GeoTrust_Universal_CA.crt, mozilla/IdenTrust_Commercial_Root_CA_1.crt, mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, mozilla/QuoVadis_Root_CA.crt, mozilla/Swisscom_Root_CA_1.crt, mozilla/Swisscom_Root_CA_2.crt, mozilla/Swisscom_Root_EV_CA_2.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA.crt, mozilla/thawte_Primary_Root_CA_-_G2.crt, mozilla/thawte_Primary_Root_CA_-_G3.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, mozilla/VeriSign_Universal_Root_Certification_Authority.crt, > Is there something specific you did to get those > symlinks which now don't belong to a real file? No. As mentioned in the initial report, I have ca-certificates to ask me every time on new CAs if I want to enable them or not. And I'm rather conservative with enabling CAs. I also do this on most of my machines, usually with slight differences in the list of enabled CAs. Nevertheless this only happened on two of my machines. Regards, Axel -- ,''`. | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
