Control: severity -1 wishlist
On 2/23/26 15:43, Hallvard Ystad wrote:
> update-ca-certificates calls `openssl rehash` (sbin/update-ca-certificates, line 192), but LibreSSL does not implement the `rehash` subcommand — it provides `certhash` instead.
>
> Because the script runs under `#!/bin/sh -e`, the failing `openssl rehash` causes the script to exit immediately, before the CA bundle file (ca-certificates.crt) is written. This leaves /etc/ssl/certs in a broken state: certificate symlinks may have been updated, but the bundle that many applications depend on is never generated.
>
> The attached patch detects LibreSSL at startup via `openssl version` output and stores the appropriate subcommand in a shell variable ($REHASH_CMD). The POSIX `case` construct is used to avoid introducing bashisms, since the script uses `#!/bin/sh`.
I'm not convinced this is something we want/need to support...
Cheers,
Julien
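
The failure mode and the detection approach described in the report, as an added example; it is not the patch attached to the bug and not code from update-ca-certificates. A constructed `openssl` shell function stands in for LibreSSL, the banner text and directory path are made up, and the `LibreSSL*` pattern assumes the `openssl version` output begins with that word.

```shell
#!/bin/sh
# Added illustration, not the attached patch.

# Constructed stand-in for LibreSSL's openssl: knows certhash, not rehash.
STUB='openssl() {
  case "$1" in
    version)  echo "LibreSSL 0.0.0 (constructed banner)" ;;
    certhash) return 0 ;;
    *)        return 1 ;;
  esac
}'

# Fragment that hardcodes the subcommand, as the report says the script does.
HARDCODED='REHASH_CMD=rehash'

# Fragment that picks the subcommand from the version banner with POSIX case.
DETECTED='case "$(openssl version)" in
  LibreSSL*) REHASH_CMD=certhash ;;
  *)         REHASH_CMD=rehash ;;
esac'

# Run the order of operations from the report in a child `sh -e`:
# choose the subcommand ($1), rehash the directory, then write the bundle.
# Prints "bundle-written" only if the child shell got past the rehash step.
run_update() {
    sh -e -c "$STUB
$1
openssl \$REHASH_CMD /constructed/certs
echo bundle-written" 2>/dev/null || true
}

echo "hardcoded rehash: [$(run_update "$HARDCODED")]"
echo "banner detection: [$(run_update "$DETECTED")]"
```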