Old 08-17-2008, 11:50 AM
Albert Hopkins
 
Default Duplicate ca certs

On Sun, 2008-08-17 at 10:39 +0100, Mick wrote:
> Hi All,
>
> I am getting mixed up with update-ca-certificates. It reports that I have
> duplicates:
> =================================================
> # update-ca-certificates
> Updating certificates in /etc/ssl/certs....WARNING: SPI_CA_2006-cacert.pem
> does not contain a certificate or CRL: skipping
> WARNING: Verisign_Class_1_Public_Primary_OCSP_Responder.pem does not contain a
> certificate or CRL: skipping
> WARNING: cacert.org.pem does not contain a certificate or CRL: skipping
> WARNING: Skipping duplicate certificate QuoVadis_Root_CA.pem
> WARNING: Skipping duplicate certificate Verisign_RSA_Secure_Server_CA.pem
> WARNING: Skipping duplicate certificate
> America_Online_Root_Certification_Authority_1.pem
> WARNING: Skipping duplicate certificate
> America_Online_Root_Certification_Authority_2.pem
> WARNING: Verisign_Class_3_Public_Primary_OCSP_Responder.pem does not contain a
> certificate or CRL: skipping
> WARNING: Skipping duplicate certificate thawteCb.pem
> WARNING: Skipping duplicate certificate Wells_Fargo_Root_CA.pem
> WARNING: Skipping duplicate certificate thawteCp.pem
> WARNING: Skipping duplicate certificate vsign3.pem
> WARNING: spi-ca.pem does not contain a certificate or CRL: skipping
> WARNING: Verisign_Secure_Server_OCSP_Responder.pem does not contain a
> certificate or CRL: skipping
> WARNING: Skipping duplicate certificate aoltw1.pem
> WARNING: Skipping duplicate certificate aoltw2.pem
> WARNING: Verisign_Class_2_Public_Primary_OCSP_Responder.pem does not contain a
> certificate or CRL: skipping
> done.
> Running hooks in /etc/ca-certificates/update.d....done.
> =================================================
>
> However, when I check for e.g. vsign3.pem I see this:
>
> # ls -la /etc/ssl/certs/vsign*
> -rw-r--r-- 1 root root 984 Jun 1 09:43 /etc/ssl/certs/vsign1.pem
> -rw-r--r-- 1 root root 989 Dec 4 2005 /etc/ssl/certs/vsign2.pem
> -rw-r--r-- 1 root root 984 Jun 1 09:43 /etc/ssl/certs/vsign3.pem
> -rw-r--r-- 1 root root 976 Jun 1 09:43 /etc/ssl/certs/vsignss.pem
> -rw-r--r-- 1 root root 1084 Dec 4 2005 /etc/ssl/certs/vsigntca.pem
>
> Also, what should I do with those that report "does not contain a certificate
> or CRL: skipping"?


When you updated the ca-certificates, you should have gotten a postinst
message about broken symlinks that you need to remove.
 
Old 08-18-2008, 07:04 AM
Mick
 
Default Duplicate ca certs

On Sunday 17 August 2008, Albert Hopkins wrote:
> On Sun, 2008-08-17 at 10:39 +0100, Mick wrote:

> > I am getting mixed up with update-ca-certificates. It reports that I
> > have duplicates:
> > =================================================
> > # update-ca-certificates
. . .
> > =================================================

> When you updated the ca-certificates, you should have gotten a postinst
> message about broken symlinks that you need to remove.

Oops! I had missed that.

Looks good now:

# update-ca-certificates
Updating certificates in /etc/ssl/certs....done.

Thank you Albert.
--
Regards,
Mick
 
Old 08-30-2008, 04:19 AM
Stroller
 
Default Duplicate ca certs

On 18 Aug 2008, at 08:04, Mick wrote:

> ...
>
>> When you updated the ca-certificates, you should have gotten a
>> postinst
>> message about broken symlinks that you need to remove.
>
> Oops! I had missed that.
>
> Looks good now:
>
> # update-ca-certificates
> Updating certificates in /etc/ssl/certs....done.

Except that doesn't _seem_ to fix it:

WARN: postinst
Broken symlink for a certificate at //etc/ssl/certs/SPI_CA_2006-cacert.pem
Broken symlink for a certificate at //etc/ssl/certs/Verisign_Class_1_Public_Primary_OCSP_Responder.pem
Broken symlink for a certificate at //etc/ssl/certs/cacert.org.pem
Broken symlink for a certificate at //etc/ssl/certs/Verisign_Class_3_Public_Primary_OCSP_Responder.pem
Broken symlink for a certificate at //etc/ssl/certs/spi-ca.pem
Broken symlink for a certificate at //etc/ssl/certs/Verisign_Secure_Server_OCSP_Responder.pem
Broken symlink for a certificate at //etc/ssl/certs/Verisign_Class_2_Public_Primary_OCSP_Responder.pem
You MUST remove the above broken symlinks

$ ls -l /etc/ssl/certs/SPI_CA_2006-cacert.pem
lrwxrwxrwx 1 root root 61 Aug 30 03:37 /etc/ssl/certs/SPI_CA_2006-cacert.pem -> /usr/share/ca-certificates/spi-inc.org/SPI_CA_2006-cacert.crt
$ sudo update-ca-certificates --verbose
Updating certificates in /etc/ssl/certs....done.
$ ls -l /etc/ssl/certs/SPI_CA_2006-cacert.pem
lrwxrwxrwx 1 root root 61 Aug 30 03:37 /etc/ssl/certs/SPI_CA_2006-cacert.pem -> /usr/share/ca-certificates/spi-inc.org/SPI_CA_2006-cacert.crt
$

Stroller.
 
Old 09-02-2008, 04:56 PM
Mick
 
Default Duplicate ca certs

On Saturday 30 August 2008, Stroller wrote:
> On 18 Aug 2008, at 08:04, Mick wrote:
> > ...
> >
> >> When you updated the ca-certificates, you should have gotten a
> >> postinst
> >> message about broken symlinks that you need to remove.
> >
> > Oops! I had missed that.
> >
> > Looks good now:
> >
> > # update-ca-certificates
> > Updating certificates in /etc/ssl/certs....done.
>
> Except that doesn't _seem_ to fix it:
>
> WARN: postinst
> Broken symlink for a certificate at //etc/ssl/certs/SPI_CA_2006-
> cacert.pem
> Broken symlink for a certificate at //etc/ssl/certs/
> Verisign_Class_1_Public_Primary_OCSP_Responder.pem
> Broken symlink for a certificate at //etc/ssl/certs/cacert.org.pem
> Broken symlink for a certificate at //etc/ssl/certs/
> Verisign_Class_3_Public_Primary_OCSP_Responder.pem
> Broken symlink for a certificate at //etc/ssl/certs/spi-ca.pem
> Broken symlink for a certificate at //etc/ssl/certs/
> Verisign_Secure_Server_OCSP_Responder.pem
> Broken symlink for a certificate at //etc/ssl/certs/
> Verisign_Class_2_Public_Primary_OCSP_Responder.pem
> You MUST remove the above broken symlinks
>
> $ ls -l /etc/ssl/certs/SPI_CA_2006-cacert.pem
> lrwxrwxrwx 1 root root 61 Aug 30 03:37 /etc/ssl/certs/SPI_CA_2006-
> cacert.pem -> /usr/share/ca-certificates/spi-inc.org/SPI_CA_2006-
> cacert.crt
> $ sudo update-ca-certificates --verbose
> Updating certificates in /etc/ssl/certs....done.
> $ ls -l /etc/ssl/certs/SPI_CA_2006-cacert.pem
> lrwxrwxrwx 1 root root 61 Aug 30 03:37 /etc/ssl/certs/SPI_CA_2006-
> cacert.pem -> /usr/share/ca-certificates/spi-inc.org/SPI_CA_2006-
> cacert.crt
> $

I assume that the above links are shown as red (or whatever) indicating that
the links are borked?

On my machine:

# ls -la /usr/share/ca-certificates/mozilla/Verisign_Secure_Server_OCSP_Responder.crt
ls: cannot access /usr/share/ca-certificates/mozilla/Verisign_Secure_Server_OCSP_Responder.crt: No such file or directory

# ls -la /usr/share/ca-certificates/spi-inc.org/SPI_CA_2006-cacert.crt
ls: cannot access /usr/share/ca-certificates/spi-inc.org/SPI_CA_2006-cacert.crt: No such file or directory

I believe that it is left as an exercise for the reader to manually remove
such broken lists as your WARN message tells you:

> WARN: postinst
> Broken symlink for a certificate at //etc/ssl/certs/SPI_CA_2006-
> cacert.pem
> Broken symlink for a certificate at
[snip...]
> You MUST remove the above broken symlinks"

Now I better go and do the same on my boxen!
--
Regards,
Mick
 
Old 09-02-2008, 08:41 PM
Neil Bothwick
 
Default Duplicate ca certs

On Tue, 2 Sep 2008 17:56:20 +0100, Mick wrote:

> I believe that it is left as an exercise for the reader to manually
> remove such broken lists as your WARN message tells you:

Or install app-misc/symlinks and let it track them down.


--
Neil Bothwick

Stop metricationists! They are demanding their 454 grammes of flesh,
and if we give them 2.54 centimetres they'll take 1.609 kilometres!
 
Old 09-03-2008, 09:11 AM
Stroller
 
Default Duplicate ca certs

On 2 Sep 2008, at 17:56, Mick wrote:

> > ...
> > WARN: postinst
> > Broken symlink for a certificate at //etc/ssl/certs/SPI_CA_2006-cacert.pem
> > ...
> > $ ls -l /etc/ssl/certs/SPI_CA_2006-cacert.pem
> > lrwxrwxrwx 1 root root 61 Aug 30 03:37 /etc/ssl/certs/SPI_CA_2006-cacert.pem -> /usr/share/ca-certificates/spi-inc.org/SPI_CA_2006-cacert.crt
> > $
>
> I assume that the above links are shown as red (or whatever) indicating that
> the links are borked?

Yes, indeed.

> I believe that it is left as an exercise for the reader to manually remove
> such broken lists as your WARN message tells you:
>
> > WARN: postinst
> > Broken symlink for a certificate at //etc/ssl/certs/SPI_CA_2006-cacert.pem
> > Broken symlink for a certificate at
> [snip...]
> > You MUST remove the above broken symlinks"

I kinda feel this is a poor error message for Portage / an ebuild.

I have now already deleted the links manually, but I rather think
it'd've been nearer to say "You should now run
`find /etc/ssl/certs/ -type broken-symlinks -exec rm {} ;` as root."


The reason I posted was because I felt slightly unclear.

Stroller.
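
Added example, not part of the thread or of the ca-certificates ebuild: the cleanup discussed above done with the POSIX `-L` and `-e` tests, listing symlinks whose targets no longer exist and deleting them only when asked. The function names `prune_dangling` and `make_demo` and the temporary directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Print every dangling symlink directly inside a directory; with --delete,
# remove each one as well. -L tests the link itself, -e follows it, so
# "-L and not -e" means the link's target is gone.
prune_dangling() {
    dir=$1
    mode=${2:-list}
    for f in "$dir"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            printf '%s\n' "$f"
            if [ "$mode" = "--delete" ]; then
                rm -- "$f"
            fi
        fi
    done
}

# Constructed stand-in for /etc/ssl/certs and /usr/share/ca-certificates:
# one link whose target exists, two whose targets were never created.
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/store" "$d/certs"
    : > "$d/store/kept.crt"
    ln -s "$d/store/kept.crt" "$d/certs/kept.pem"
    ln -s "$d/store/removed-1.crt" "$d/certs/removed-1.pem"
    ln -s "$d/store/removed-2.crt" "$d/certs/removed-2.pem"
    echo "$d"
}

demo=$(make_demo)
prune_dangling "$demo/certs"                      # dry run: lists the two dead links
prune_dangling "$demo/certs" --delete >/dev/null  # removes them
ls "$demo/certs"                                  # kept.pem is all that is left
rm -rf "$demo"
```

On a real system the directory argument would be `/etc/ssl/certs`, run as root, with the dry-run list reviewed before passing `--delete` and `update-ca-certificates` re-run afterwards.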
 
