Package: ca-certificates
Version: 20240203
Severity: important
Tags: patch
update-ca-certificates calls `openssl rehash` (sbin/update-ca-certificates, line 192), but LibreSSL does not implement the `rehash` subcommand — it provides `certhash` instead. Because the script runs under `#!/bin/sh -e`, the failing `openssl rehash` causes the script to exit immediately, before the CA bundle file (ca-certificates.crt) is written. This leaves /etc/ssl/certs in a broken state: certificate symlinks may have been updated, but the bundle that many applications depend on is never generated.

The attached patch detects LibreSSL at startup via `openssl version` output and stores the appropriate subcommand in a shell variable ($REHASH_CMD). The POSIX `case` construct is used to avoid introducing bashisms, since the script uses `#!/bin/sh`.

The patch applies cleanly against current ca-certificates master (ba3830faf6, "Upload to unstable").

Upstream LibreSSL issue: https://github.com/libressl/portable/issues/1136

--
Hallvard Ystad
Theme song: https://open.spotify.com/track/2vxbGmEBilnrByHy12mNKU?si=xfFeZd3MR-uZ6cZY9EPPXw
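Added example, not code from the ca-certificates package or from the submitted patch: `rehash_subcommand` applies the same `openssl version` mapping to a given version string so it can be tested without an OpenSSL binary, and `check_cert_store` is the post-run check a defender would want for the failure described above, verifying that the bundle exists and that every `.pem` in the directory has a subject-hash symlink. Both function names are assumed, and the check assumes the hash links are relative links to the file name in the same directory, as `openssl rehash` creates them.

```sh
#!/bin/sh
# Added example; function names are assumed, not from the package or patch.

# Map one line of `openssl version` output to the hash-directory subcommand:
# LibreSSL ships `certhash`, OpenSSL ships `rehash`.
rehash_subcommand() {
    case "$1" in
        LibreSSL*) printf '%s\n' certhash ;;
        *)         printf '%s\n' rehash ;;
    esac
}

# Consistency check for a certificate directory such as /etc/ssl/certs.
# Prints each problem found and returns 1 if there was any; returns 0 when
# the bundle exists and every .pem file has a HASH.N symlink pointing at it.
# Assumes hash links are relative names in the same directory (as `rehash`
# creates them) and that readlink(1) and openssl(1) are available.
check_cert_store() {
    dir=$1
    bundle=${2:-ca-certificates.crt}
    rc=0
    if [ ! -s "$dir/$bundle" ]; then
        echo "missing or empty bundle: $dir/$bundle"
        rc=1
    fi
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue          # no .pem files: glob stayed literal
        name=$(basename "$pem")
        hash=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) \
            || { echo "not a readable certificate: $pem"; rc=1; continue; }
        found=0
        for link in "$dir/$hash".[0-9]*; do
            [ -L "$link" ] && [ "$(readlink "$link")" = "$name" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "no $hash.N link for $name"; rc=1; }
    done
    return "$rc"
}

# Usage after running update-ca-certificates, e.g. from a monitoring job:
#   . ./check-cert-store.sh; check_cert_store /etc/ssl/certs && echo consistent
```

A non-zero exit from `check_cert_store` after an update is exactly the state the report describes: hash links touched, bundle absent.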
From bf6d80ca32588ce64612713c4e86c9fdea6d7b3c Mon Sep 17 00:00:00 2001 From: Hallvard Ystad <[email protected]> Date: Mon, 23 Feb 2026 14:47:28 +0100 Subject: [PATCH] Use 'openssl certhash' instead of 'openssl rehash' on LibreSSL LibreSSL does not implement the 'rehash' subcommand; it provides 'certhash' instead. Because the script runs under 'set -e' (#!/bin/sh -e), a failing 'openssl rehash' terminates the script before the CA bundle is written (lines 199-205 in the original), leaving the certificate store in a broken state. Detect LibreSSL at startup via 'openssl version' and store the appropriate subcommand in $REHASH_CMD, then use it in place of the hard-coded 'rehash'. Reference: https://github.com/libressl/portable/issues/1136 --- sbin/update-ca-certificates | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates index 91d8024..2d273e6 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates @@ -31,6 +31,12 @@ CERTBUNDLE=ca-certificates.crt ETCCERTSDIR=/etc/ssl/certs HOOKSDIR=/etc/ca-certificates/update.d +# Detect LibreSSL, which provides 'certhash' instead of 'rehash' +case "$(openssl version 2>/dev/null)" in + LibreSSL*) REHASH_CMD="certhash" ;; + *) REHASH_CMD="rehash" ;; +esac + while [ $# -gt 0 ]; do case $1 in @@ -179,7 +185,8 @@ if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ] then # only run if set of files has changed # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash` - # from exiting with an error. See #895482, #895473. + # (or `openssl certhash` on LibreSSL) from exiting with an error. + # See #895482, #895473. find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read -r orphan do rm -f "$orphan" @@ -189,9 +196,9 @@ then done if [ "$verbose" = 0 ] then - openssl rehash . > /dev/null + openssl "$REHASH_CMD" . > /dev/null else - openssl rehash -v . + openssl "$REHASH_CMD" -v . fi fi -- 2.43.0
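Review bot: in the first hunk the detection silently falls back to `rehash` whenever `openssl version` produces no output, since stderr is discarded and a failing command substitution inside a `case` word does not trip `set -e`; a missing or broken `openssl` binary is therefore still only reported at the later `openssl "$REHASH_CMD"` call, after the symlinks have been touched. That matches the pre-patch behaviour, but consider matching `OpenSSL*` explicitly alongside `LibreSSL*` and failing early with a message on an unrecognised version string, so the toolchain problem is surfaced before any changes are made to $ETCCERTSDIR.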
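Review bot: the last hunk narrows the failure mode described in the commit message but does not remove it: if the selected subcommand is itself unavailable or exits non-zero, `set -e` still aborts the script before the bundle is written at lines 199-205, leaving the same broken store. Consider handling the hashing step's exit status explicitly, e.g. `openssl "$REHASH_CMD" . > /dev/null || echo "warning: openssl $REHASH_CMD failed" >&2`, or generating $CERTBUNDLE before the hash step, so a hashing problem cannot leave applications without ca-certificates.crt. The `-v` flag in the verbose branch is fine, as LibreSSL's `certhash` accepts `-v` as well.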

