authorMichael Shuler <michael@pbandjelly.org>2018-12-20 17:22:59 -0600
committerMichael Shuler <michael@pbandjelly.org>2018-12-20 17:22:59 -0600
commit1ef0fd15cc77c854e79a4f599d5228a67548ab87 (patch)
treeef7e70745e8713f75aa8b8a16fd1e7c54eb0a32a
parentbbc2ea59142000debec86dc666675f9da6c29977 (diff)
downloadca-certificates-1ef0fd15cc77c854e79a4f599d5228a67548ab87.tar.gz
Remove all orphan symlinks found in /etc/ssl/certs
This should prevent `openssl rehash` from exiting with an error on a symlink with nonexistent target, since the behavior changed from c_rehash. See #895482, #895473.
-rw-r--r--debian/changelog3
-rwxr-xr-xsbin/update-ca-certificates8
2 files changed, 11 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index bec0b2d..45af3cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ca-certificates (20181220) UNRELEASED; urgency=medium
* debian/ca-certificates.postinst:
Fix permissions on /usr/local/share/ca-certificates when using symlinks.
Closes: #916833
+ * sbin/update-ca-certificates:
+ Remove orphaned symlinks found in /etc/ssl/certs, to prevent `openssl
+ rehash` from exiting with an error. Closes: #895482, #895473
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.28.
The following certificate authorities were added (+):
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index bdf5b27..175035a 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -111,6 +111,14 @@ remove() {
fi
}
+# Remove all orphan symlinks found in ETCCERTSDIR, to prevent
+# `openssl rehash` from exiting with an error. See #895482, #895473.
+find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
+do
+ rm -f "$orphan"
+ echo "Removed orphan symlink $orphan"
+done
+
cd "$ETCCERTSDIR"
if [ "$fresh" = 1 ]; then
echo "Clearing symlinks in $ETCCERTSDIR..."
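Review bot: The added `find ... | while read orphan` loop passes path names to `rm -f` without protecting them. `$ETCCERTSDIR` is unquoted and `read` runs without `-r` or `IFS=`, so a directory path containing whitespace, or a link name containing backslashes or leading/trailing blanks, is split or altered before deletion. The first line should read `find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while IFS= read -r orphan`. As written, `find` also descends into subdirectories and deletes every dangling link it meets, not only links this script created. If only the top level is meant, add `-maxdepth 1` and state the intended scope in the comment, since the script normally runs as root against the system trust store. This is top-level code placed between `remove()` and the `cd`, and the rest of the script lies outside the hunk, so whether `ETCCERTSDIR` is always set and existing at this point should be confirmed.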