Looking at the changelog: 20111025: Drop bogus c_rehash on upgrades, ... 20110421: * Depend on openssl 1.0.0 and force a call of c_rehash so that we have both the old and new style of symlinks. (Closes: #611102)
I fully suspect that the bug was introduced upstream in oct 2011. If that's the case, then ubuntu introduced it 2014-03-05 with the security update to 20130906ubuntu0.12.04.1. At this point in time, this bug only affects machines upgrading from lucid to precise, and can be worked around by running c_rehash manually after do-release-upgrades finishes. It probably deserves to languish without fixes until precise EOL in 2017, and then get closed as fully uninteresting. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1472378 Title: upgrading ca-certificates results in broken certificate chains Status in ca-certificates package in Ubuntu: New Bug description: Found this (finally) upgrading a web server from lucid to precise (via do-release-upgrade): Preparing to replace ca-certificates 20141019ubuntu0.10.04.1 (using .../ca-certificates_20141019ubuntu0.12.04.1_all.deb) ...^M Unpacking replacement ca-certificates ...^M ... Setting up openssl (1.0.1-4ubuntu5.31) ...^M Installing new version of config file /etc/ssl/openssl.cnf ...^M Setting up ca-certificates (20141019ubuntu0.12.04.1) ...^M Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.^M Running hooks in /etc/ca-certificates/update.d....done.^M Setting up netbase (4.47ubuntu1) ...^M ... And everything is broken. sometime between lucid and precise, the hash function seems to have changed (there are 2 hashes per pemfile in precise, and 1 per pemfile in lucid), and update-ca-certificates goes "nothing to do here" instead of "hey, I need to rerun c_rehash to generate the other symlink". to reproduce: install a lucid box, and do-release-upgrade lamont To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1472378/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
