From cfe7064cb707ed2e8ac587877c1153029d46dc28 Mon Sep 17 00:00:00 2001
From: Michael Shuler
Date: Thu, 20 Dec 2018 18:35:11 -0600
Subject: Remove orphan symlinks found in /etc/ssl/certs

This should prevent `openssl rehash` from exiting with an error on a symlink with nonexistent target, since the behavior changed from c_rehash. See #895482, #895473.
---
 debian/changelog | 3 +++
 sbin/update-ca-certificates | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index bec0b2d..03d0467 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ ca-certificates (20181220) UNRELEASED; urgency=medium
 * debian/ca-certificates.postinst:
 Fix permissions on /usr/local/share/ca-certificates when using symlinks.
 Closes: #916833
+ * sbin/update-ca-certificates:
+ Remove orphan symlinks found in /etc/ssl/certs to prevent `openssl
+ rehash` from exiting with an error. Closes: #895482, #895473
 * mozilla/{certdata.txt,nssckbi.h}:
 Update Mozilla certificate authority bundle to version 2.28.
 The following certificate authorities were added (+):
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index bdf5b27..b27c6bd 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -172,11 +172,20 @@ REMOVED_CNT=$(wc -l < "$REMOVED")
 if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
 then
 # only run if set of files has changed
+ # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash`
+ # from exiting with an error. See #895482, #895473.
+ find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
+ do
+ rm -f "$orphan"
+ if [ "$verbose" = 1 ]; then
+ echo "Removed orphan symlink $orphan"
+ fi
+ done
 if [ "$verbose" = 0 ]
 then
 openssl rehash . > /dev/null
 else
- openssl rehash .
+ openssl rehash -v .
 fi
 fi
--
cgit v1.2.1
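Review bot: In the sbin/update-ca-certificates hunk, the new orphan-removal loop does not guarantee that `rm -f` receives exactly the path `find` reported. `$ETCCERTSDIR` is unquoted and the loop uses a plain `read`, so a directory path containing whitespace, or a link name with backslashes or leading/trailing blanks, is altered before it reaches `rm`. The script presumably runs as root and `$ETCCERTSDIR` is set outside this hunk, so the deletion should be tied to the matched entry: `find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while IFS= read -r orphan` together with `rm -f -- "$orphan"`. Names containing a newline would still be split by the line-based loop; letting find do the removal with `-exec rm -f -- {} \;` and keeping `-print` for the verbose message avoids that. Separately, the cleanup targets `$ETCCERTSDIR` while `openssl rehash` runs on `.`; a short comment stating that the script has already changed into that directory would make the pairing explicit.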