After upgrading ca-certificates and restarting courier-imap (upgraded too), IMAP SSL connections result in the following error on the server : imapd-ssl: couriertls: connect: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table ca-certificates-20080514-r2 does not display that behaviour Upgrading from 20080514-r2 to 20080809 yields this : (...) <<< dir /usr/share/doc/ca-certificates-20080514-r2 >>> Original instance of package unmerged safely. Updating certificates in /etc/ssl/certs....WARNING: Skipping duplicate certificate root.pem WARNING: Skipping duplicate certificate QuoVadis_Root_Certification_Authority.pem done. Running hooks in /etc/ca-certificates/update.d....done. >>> Auto-cleaning packages... (...) Reproducible: Always Steps to Reproduce: emerge --info Portage 2.1.6.4 (default/linux/amd64/2008.0/server, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22.18-vs2.3.0.32 x86_64) ================================================================= System uname: Linux-2.6.22.18-vs2.3.0.32-x86_64-Intel-R-_Celeron-R-_CPU_2.66GHz-with-glibc2.2.5 Timestamp of tree: Thu, 08 Jan 2009 23:00:02 +0000 ccache version 2.4 [enabled] app-shells/bash: 3.2_p33 dev-lang/python: 2.4.4-r14, 2.5.2-r7 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.61-r2 sys-devel/automake: 1.7.9-r1, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -march=nocona -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -pipe -march=nocona -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.ovh.net/gentoo-distfiles/" LANG="en_US" LDFLAGS="-Wl,-O1" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude /etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage-ppc /usr/local/portage-ovh" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="acl amd64 apache2 authdaemon bash-completion berkdb bzip2 chroot cli cracklib crypt ctype cups curl dba dbm dovecot-sasl dynamicplugin emacs emul-linux-x86 fortran ftp gd gdbm gpm iconv imap iproute2 ipv6 ipv6arpa latin1 libwww logrotate maildir mailwrapper mbox midi mime mudflap multilib multiuser mysql mysqli ncurses netboot nls nptl nptlonly openmp pam pcre pdf perl pg-hier php png pop pop3d posix postfix postgres python rar razor readline reflection sasl sensord session simplexml slang snmp sockets spamassassin spl ssl suexec svnserve sysfs tcpd threads tokenizer truetype unicode unzip userlocales vhosts xml xmlreader xmlrpc xmlwriter xsl zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status suexec unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="via" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
This looks like the Debian bug in the URL. Presumably /usr/lib/ssl/certs with them is /etc/ssl/certs with us.
(In reply to comment #1) > This looks like the Debian bug in the URL. Presumably /usr/lib/ssl/certs with > them is /etc/ssl/certs with us. It is very probably the same bug, except it is not courier's fault AFAICT. There is an additional inconsistency. The first time I upgraded ca-certificates, I believe I had the message I pasted in the original description during post-installation. While trying to investigate the problem, I downgraded then re-upgraded the package, and the message was gone. But update-ca-certificates -f still showed the duplicates and courier still failed.
(In reply to comment #2) > It is very probably the same bug, except it is not courier's fault AFAICT. Probably same bug on openssl-users list with solution: http://marc.info/?l=openssl-users&m=123721072930382&w=2 Breaks postfix as well.
Created attachment 185299 [details, diff] Patch dropping a bad cert Problem with the ca-certificates from debian. Simplest (and non harmful) solution is to drop the duplicate cacert's certificates, as done by the enclosed patch, applying to ca-certificates-20080809.ebuild.
(In reply to comment #4) > Created an attachment (id=185299) [edit] > Patch dropping a bad cert I am not sure if removing cacert.org.crt is the correct solution. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494343 Anyway, correct place for the bug report is probably at Debian.
Agreed that it should be corrected in Debian, but given their releases time... http://marc.info/?l=openssl-users&m=123729123505080&w=2 "prooves" that deleting the combined cacert.org.crt *is* a solution that works; deleting the two others and having just the combined does *not*. Maybe a "bug" in update-ca-certificates, which probably doesn't look for more than one cert in a file... Or maybe from c_rehash. Unsure.
considering the cacert.org file is the "new" one, the old duplicate ones should be deleted instead also, please forward your links to the bug report referenced in the URL here. that way the Debian guys can see the error and info from upstream.
It does *NOT* work with the new one.
(In reply to comment #7) > also, please forward your links to the bug report referenced in the URL here. Done
I get this exact problem in Postfix as well.
What is the status of this bug? I emerged app-misc/ca-certificates-20090709 on stable and ran into this problem :S
Test request: 1. find -L /etc/ssl/certs/ -type l -exec rm {} + 2. etc-update (for the ca-certificates config) 3. update-ca-certificates If that fails, upgrade to 20090709 and repeat.
(In reply to comment #12) > Test request: > 1. find -L /etc/ssl/certs/ -type l -exec rm {} + > 2. etc-update (for the ca-certificates config) > 3. update-ca-certificates > > If that fails, upgrade to 20090709 and repeat. > Ugh, this was actually a PEBKAC error :( Seems that 20090709 version added cacert certificate which I had been supplying to postfix manually before. So after upgrade, this extra certificate (hidden in a secret directory) was causing the error.
Ok, i'm closing this bug then.
woodpecker is borked in the same way.
This advice fixed it: http://marc.info/?l=openssl-users&m=123729123505080&w=2 The package remains broken.
-ENOINFO latest stable ca-certificates only provides one cacert.org file, and i have no idea what "advice" you refer to as that thread seems to rely on there being more than one cacert.org file
(In reply to comment #17) > -ENOINFO > > latest stable ca-certificates only provides one cacert.org file, and i have no > idea what "advice" you refer to as that thread seems to rely on there being > more than one cacert.org file > /usr/share/ca-certificates/cacert.org/cacert.org.crt contains 2 certificates. 1) broke them into 2 files, root.crt and cacert2.org 2) removed cacert.org.crt 3) updated /etc/ca-certificates.conf accordingly 4) ran update-ca-certificates --fresh --verbose email works again.
Log entry for good measure: Nov 21 02:49:44 woodpecker imapd-ssl: couriertls: connect: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
Closing this. The problem was an extra copy sitting in /etc/ssl/certs/.
bah, missed the button
