[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
** Changed in: ca-certificates (Debian) Status: Invalid = Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/114495 Title: ca-certificates removes all users certificates in /etc/ssl/certs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/114495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again! ** Changed in: ca-certificates (Ubuntu) Status: Incomplete = Invalid ** Changed in: ca-certificates (Debian) Status: New = Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. https://bugs.launchpad.net/bugs/114495 Title: ca-certificates removes all users certificates in /etc/ssl/certs -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
What behavior is currently unexpected in the symlink handling? It sounds like everything is working as expected? ** Changed in: ca-certificates (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) = (unassigned) ** Changed in: ca-certificates (Ubuntu) Status: Triaged = Incomplete ** Changed in: ca-certificates (Ubuntu) Importance: High = Wishlist -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
** Changed in: ca-certificates (Ubuntu) Assignee: (unassigned) = Ubuntu Security Team (ubuntu-security) -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
Not even hash symlinks are currently removed by update-ca-certificates's call of c_rehash. Only if it's invoked with --fresh. The new version which will be included in Karmic supports the use of local certificates in /usr/local/share/ca-certificates. As far as I know the script (and I rewrote it yesterday), update-ca- certificates only deleted dangling symlinks if anything. But it wouldn't have included local certificates into the ca-certificates.crt bundle. -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
** Changed in: ca-certificates (Ubuntu) Status: Confirmed = Triaged -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
The hash symlinks are supposed to be managed automatically by openssl. If you have a symlink like /etc/ssl/certs/f066f19f.0 - /usr/share/debathena-ssl-certificates/mitCA.pem then it will get removed by c_rehash (which is run by update-ca-certificates). However, if you instead make a symlink /etc/ssl/certs/mitCA.pem - /usr/share/debathena-ssl-certificates/mitCA.pem then c_rehash will add the symlink /etc/ssl/certs/f066f19f.0 - mitCA.pem and this will all be preserved over ca-certificates upgrades, etc. Alternatively, if you put a CA certificate in /usr/share/ca-certificates with the .crt extension, then run dpkg-reconfigure ca-certificates and tell it that you trust the new CA, it will be linked to /etc/ssl/certs appropriately and added to /etc/ssl/certs/ca-certificates.crt. So this is not a bug, although there could perhaps be better documentation. -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
** Changed in: ca-certificates (Debian) Status: Unknown = New -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
** Bug watch added: Debian Bug tracker #326072 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326072 ** Also affects: ca-certificates (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326072 Importance: Unknown Status: Unknown -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
It looks like the postrm is about removing non-existent entries: they get tested with file -f, which also works for symlinks. So, my guess is that /usr/sbin/update-ca-certificates somehow removes those certificates. -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
Right, that postrm is *evil*. It messes up the user configuration. ** Changed in: ca-certificates (Ubuntu) Importance: Medium = High Status: Unconfirmed = Confirmed -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
Thanks for taking the time to report this bug and helping to make Ubuntu better. Can you give a series of steps to reproduce the problem you're describing? Normally symlinks in /etc/ssl are regenerated when ca- certificates is upgraded, so I'm unclear what misbehavior you're describing. Thanks in advance. ** Changed in: ca-certificates (Ubuntu) Importance: Undecided = Medium Status: Unconfirmed = Needs Info ** Visibility changed to: Public -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
Here is how I experienced what I've reported. I have the certificates for sendmail in /etc/mail/tls, a list of *.crt files. To have everything ok for sendmail, I need to have those certificates in /etc/ssl/certs with the special name hash.0. As the name hash.0 is not easy to maintain, I just create symlinks in /etc/ssl/certs using : $ cd /etc/ssl/certs $ ln -s /etc/mail/tls/foo.crt `openssl x509 -noout -hash /etc/mail/tls/foo.crt`.0 Then, each time I let ubuntu/debian upgrade the ca-certificates package, my symlinks disapear. Proof: [EMAIL PROTECTED]:/etc/ssl # cp -a certs certs-orig [EMAIL PROTECTED]:/etc/ssl # apt-get --reinstall install ca-certificates Reading package lists... Done Building dependency tree Reading state information... Done 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 1 not upgraded. Need to get 97.3kB of archives. After unpacking 0B of additional disk space will be used. Do you want to continue [Y/n]? y Get:1 http://archive.ubuntu.com gutsy/main ca-certificates 20070303 [97.3kB] Fetched 97.3kB in 0s (185kB/s) Preconfiguring packages ... (Reading database ... 145428 files and directories currently installed.) Preparing to replace ca-certificates 20070303 (using .../ca-certificates_20070303_all.deb) ... Unpacking replacement ca-certificates ... Setting up ca-certificates (20070303) ... Updating certificates in /etc/ssl/certsdone. Now I check: [EMAIL PROTECTED]:/etc/ssl # diff -qr certs-orig certs Only in certs-orig: 4f293038.0 Only in certs-orig: 627c1091.0 .more files only in certs-orig... diff: certs-orig/cacert.org.pem: No such file or directory diff: certs/cacert.org.pem: No such file or directory= broken symlink (*) [EMAIL PROTECTED]:/etc/ssl # ls -l certs-orig/4f293038.0 lrwxrwxrwx 1 root root 33 2007-05-14 22:13 certs-orig/4f293038.0 - /etc/mail/tls/sendmail-server.crt [EMAIL PROTECTED]:/etc/ssl # ls -l certs-orig/627c1091.0 lrwxrwxrwx 1 root root 33 2007-05-14 22:13 certs-orig/627c1091.0 - /etc/mail/tls/x.org.crt bingo, those two certs were for sendmail and they are gone. (*) broken symlink: [EMAIL PROTECTED]:/etc/ssl # ls -l certs/cacert.org.pem lrwxrwxrwx 1 root root 52 2007-03-22 00:51 certs/cacert.org.pem - /usr/share/ca-certificates/cacert.org/cacert.org.crt [EMAIL PROTECTED]:/etc/ssl # ls -l /usr/share/ca-certificates/cacert.org/cacert.org.crt ls: /usr/share/ca-certificates/cacert.org/cacert.org.crt: No such file or directory -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
I've found something related in debian/postrm, but I don't think it gets considered, when re-installing: case $1 in remove) cd /etc/ssl/certs echo -n Removing hash symlinks in /etc/ssl/certs ... find . -type l -print | while read h do test -f $h || rm -f $h done echo done. ;; You should take a look at /etc/ca-certificates.conf: it says that certs should be installed into /usr/share/ca-certificates. ** Changed in: ca-certificates (Ubuntu) Status: Needs Info = Unconfirmed -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 114495] Re: ca-certificates removes all users certificates in /etc/ssl/certs
Daniel, even in postrm, that should not be done. It's not because one wants to get rid of this ca-certificates deb that user certs should be removed. I concider this package do be only one contributor of certificates, not the only one. If ubuntu and debian insist on doing so, ie forcing other apps to use /usr/share/ca-certificates, then the others apps should be patched accordingly, and their docs. IMHO, it's easier to fix ca-certificates to behave correctly. As it's not reliable for me, I once again have to lock this package and this time, I will modify the confs of all my sendmail servers to use another path for certs, ie ignore the default path provided by ubuntu/debian. Too bad. -- ca-certificates removes all users certificates in /etc/ssl/certs https://bugs.launchpad.net/bugs/114495 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs