> You could try to debug by directly running `sudo openssl rehash -v
> /etc/ssl/certs` on either version of ca-certificates (new one has new
> CAs added, old ones removed, and a couple other bug fixes, but openssl
> behavior should be the same).

Well, this is very odd….  

First with ca-certificates (20170717) in place and running `openssl rehash -v
/etc/ssl/cert` as root.  It’s successful and spits out:

    Doing /etc/ssl/certs
    rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
    link D-TRUST_Root_Class_3_CA_2_EV_2009.pem -> d4dae3dd.0
    link Certplus_Root_CA_G2.pem -> 451b5485.0
    link Amazon_Root_CA_1.pem -> ce5e74ef.0
…..

Then with ca-certificates (20190110) in place and running `openssl rehash -v
/etc/ssl/cert` as root.  It fails only outputting:

    Doing /etc/ssl/certs

Try it several more times, get the same single line output as above.  So I was 
curious that it didn’t even give the warning about ca-certificates.crt at 
least.  So I moved that with `mv ca-certificates.crt ..` which curiously spit 
out:

    qemu: Unsupported syscall: 382
    qemu: Unsupported syscall: 382

But now running `openssl rehash -v /etc/ssl/cert` as root again was 
successful(!) with:

    Doing /etc/ssl/certs
    link D-TRUST_Root_Class_3_CA_2_EV_2009.pem -> d4dae3dd.0
    link Amazon_Root_CA_1.pem -> ce5e74ef.0
    link Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem -> 3bde41ac.0
    link Certum_Trusted_Network_CA_2.pem -> 40193066.0
…..


So then, for fun I take the “suspect” ca-certificates.crt from (20190110) and 
toss it in to replace the one in (20170717) and try running rehash.  It works 
fine ?!

Ok, so then for a final test, I take a fresh install of ca-certificates 
(20190110) and do the following:

    root@e67c226047ba:/# openssl rehash -v /etc/ssl/certs
    Doing /etc/ssl/certs

    root@e67c226047ba:/# openssl rehash -v /etc/ssl/certs
    Doing /etc/ssl/certs

    root@e67c226047ba:/# openssl rehash -v /etc/ssl/certs
    Doing /etc/ssl/certs

    root@e67c226047ba:/# touch /etc/ssl/certs/ca-certificates.crt 

    root@e67c226047ba:/# openssl rehash -v /etc/ssl/certs
    Doing /etc/ssl/certs
    rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
    link D-TRUST_Root_Class_3_CA_2_EV_2009.pem -> d4dae3dd.0
    link Amazon_Root_CA_1.pem -> ce5e74ef.0
    link Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem -> 3bde41ac.0
    link Certum_Trusted_Network_CA_2.pem -> 40193066.0
…..

Seems crazy….  but touching that file allows rehash to work under QEMU.
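A check for the silent failure described in the message above, added here as an example and not part of the original post: it lists every `*.pem` in a directory that has no OpenSSL hash link pointing at it, so a rehash run that printed only `Doing /etc/ssl/certs` is caught. The function name `unlinked_certs` is hypothetical, and the script assumes the layout visible in the output above (hash links named `<8 hex digits>.<n>` pointing at `*.pem` entries in the same directory).

```shell
#!/bin/sh
# Added example (not from the original post).
# unlinked_certs DIR: print each *.pem in DIR that no hash link
# (<8 hex digits>.<n>) points to. Returns 0 only if every one is linked.
unlinked_certs() {
    dir=$1
    # Collect the targets of all hash-named symlinks in the directory.
    linked=$(
        for l in "$dir"/*; do
            [ -L "$l" ] || continue
            case ${l##*/} in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                    target=$(readlink "$l")
                    printf '%s\n' "${target##*/}" ;;
            esac
        done
    )
    rc=0
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue            # glob matched nothing
        name=${cert##*/}
        # Exact, whole-line match against the collected link targets.
        if ! printf '%s\n' "$linked" | grep -xF -- "$name" >/dev/null; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo directory: two certificate names, only one hash link,
# as if rehash had stopped early. File contents are irrelevant to the check.
demo=$(mktemp -d)
: > "$demo/Amazon_Root_CA_1.pem"
: > "$demo/Certplus_Root_CA_G2.pem"
: > "$demo/ca-certificates.crt"               # bundle, ignored like rehash does
ln -s Amazon_Root_CA_1.pem "$demo/ce5e74ef.0"
unlinked_certs "$demo" || echo "rehash incomplete in $demo"
rm -rf "$demo"
```

Run against the real directory with `unlinked_certs /etc/ssl/certs` after the package's postinst or a manual rehash.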
