From 1ef0fd15cc77c854e79a4f599d5228a67548ab87 Mon Sep 17 00:00:00 2001
From: Michael Shuler <michael@pbandjelly.org>
Date: Thu, 20 Dec 2018 17:22:59 -0600
Subject: Remove all orphan symlinks found in /etc/ssl/certs

This should prevent `openssl rehash` from exiting with an error on a
symlink with nonexistent target, since the behavior changed from c_rehash.
See #895482, #895473.
---
 debian/changelog            | 3 +++
 sbin/update-ca-certificates | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bec0b2d..45af3cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ca-certificates (20181220) UNRELEASED; urgency=medium
   * debian/ca-certificates.postinst:
     Fix permissions on /usr/local/share/ca-certificates when using symlinks.
     Closes: #916833
+  * sbin/update-ca-certificates:
+    Remove orphaned symlinks found in /etc/ssl/certs, to prevent `openssl
+    rehash` from exiting with an error. Closes: #895482, #895473
   * mozilla/{certdata.txt,nssckbi.h}:
     Update Mozilla certificate authority bundle to version 2.28.
     The following certificate authorities were added (+):
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index bdf5b27..175035a 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -111,6 +111,14 @@ remove() {
   fi
 }
 
+# Remove all orphan symlinks found in ETCCERTSDIR, to prevent
+# `openssl rehash` from exiting with an error. See #895482, #895473.
+find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
+do
+  rm -f "$orphan"
+  echo "Removed orphan symlink $orphan"
+done
+
 cd "$ETCCERTSDIR"
 if [ "$fresh" = 1 ]; then
   echo "Clearing symlinks in $ETCCERTSDIR..."
-- 
cgit v1.2.1