authorMichael Shuler <michael@pbandjelly.org>2018-12-20 18:35:11 -0600
committerMichael Shuler <michael@pbandjelly.org>2018-12-20 18:35:11 -0600
commitcfe7064cb707ed2e8ac587877c1153029d46dc28 (patch)
treedb54a9c2737ece9fc35076c1fd7722e6dd8898e0
parent190e13219ea079e08cb4e13394df8c5560744d70 (diff)
Remove orphan symlinks found in /etc/ssl/certs
This should prevent `openssl rehash` from exiting with an error on a symlink with nonexistent target, since the behavior changed from c_rehash. See #895482, #895473.
-rw-r--r--debian/changelog3
-rwxr-xr-xsbin/update-ca-certificates11
2 files changed, 13 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index bec0b2d..03d0467 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ca-certificates (20181220) UNRELEASED; urgency=medium
* debian/ca-certificates.postinst:
Fix permissions on /usr/local/share/ca-certificates when using symlinks.
Closes: #916833
+ * sbin/update-ca-certificates:
+ Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl
+ rehash` from exiting with an error. Closes: #895482, #895473
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.28.
The following certificate authorities were added (+):
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index bdf5b27..b27c6bd 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -172,11 +172,20 @@ REMOVED_CNT=$(wc -l < "$REMOVED")
if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
then
# only run if set of files has changed
+ # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash`
+ # from exiting with an error. See #895482, #895473.
+ find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
+ do
+ rm -f "$orphan"
+ if [ "$verbose" = 1 ]; then
+ echo "Removed orphan symlink $orphan"
+ fi
+ done
if [ "$verbose" = 0 ]
then
openssl rehash . > /dev/null
else
- openssl rehash .
+ openssl rehash -v .
fi
fi
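Review bot: The new orphan loop, `find $ETCCERTSDIR ... -print | while read orphan`, leaves the directory unquoted and parses find's output with a plain `read`, so a link name containing a backslash, leading or trailing whitespace, or a newline reaches `rm -f` as a different path from the one find tested. This script maintains the system trust store and presumably runs with root privileges, so the deletion should act on exactly the tested path. Letting find remove the entry avoids the parsing altogether: `find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -exec rm -f {} \; -print`, with the printed paths discarded unless `$verbose` is 1. If the loop is kept for the "Removed orphan symlink" message, use `while IFS= read -r orphan` and `rm -f -- "$orphan"`. The find also descends into any subdirectories of the certs directory, which may be wider than the top-level links `openssl rehash .` looks at; worth confirming that is intended.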