
Bug 653382

Summary: app-misc/ca-certificates-20180409.3.36.1: pkg_postinst failed: openssl:Error: 'rehash' is an invalid command.
Product: Gentoo Linux Reporter: Doppler <sevener.gentoo>
Component: Current packages Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED
Severity: normal CC: gentoo, grknight
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Doppler 2018-04-17 14:49:06 UTC
After upgrading to that release of ca-certs and trying to update zsh and gvfs, wget failed to fetch the distfiles due to both my mirror and {zsh,gnome}.org having LE certificates.
https://paste.pound-python.org/show/38GyIhe71MjEb8mLvxVo/
Downgrading ca-certificates to 20170717.3.36.1 fixed this and DigiCert certificates, at the very least, may have still worked.
Comment 1 Brian Evans (RETIRED) gentoo-dev 2018-04-17 15:14:39 UTC
with app-misc/ca-certificates-20170717.3.36.1::gentoo

$ openssl s_client -connect gitweb.gentoo.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = default.gentoo.org
verify return:1
---
Certificate chain
 0 s:/CN=default.gentoo.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=default.gentoo.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5030 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F558F80BC20AD45E4293660ABD314EE863C9A748DF871E99EDDBC1AB3CD9606E
    Session-ID-ctx:
    Master-Key: C2628A8D85894E934AB2B4B1C779383C1702A14DEDD98D267FCD11475EFC57E19AD53DE23116A1EE80B8B2DAF9AA216C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1523977559
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

WITH app-misc/ca-certificates-20180409.3.36.1::gentoo

$ openssl s_client -connect gitweb.gentoo.org:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=default.gentoo.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server Certificate
-----END CERTIFICATE-----
subject=/CN=default.gentoo.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5030 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 011D927550CA7BCEE6EF62F2D5491B8CFF00F3A8C0D5D8B4BDD9BF8FA2CA5645
    Session-ID-ctx:
    Master-Key: 8AD56E42D07FBC890B2966C6D6D8F8BD94000C9F0C7C163FB7920A4F2410BE5E1C820AAB781B2ECBEE3E8C4685FFC7A8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1523976962
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-17 15:41:00 UTC
Turns out Debian updated their update-ca-certificates script, which depends on >=OpenSSL 1.1.x. Due to a silent failure in pkg_postinst we don't notice that we are doing nothing.
Comment 3 Larry the Git Cow gentoo-dev 2018-04-17 16:01:27 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f9b674ca3315198c72849e8dd77583974759c2

commit 03f9b674ca3315198c72849e8dd77583974759c2
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-04-17 16:00:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-04-17 16:01:19 +0000

    app-misc/ca-certificates: Fix update-ca-certificates to use c_rehash
    
    Closes: https://bugs.gentoo.org/653382
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 ...-20180409.3.36.1.ebuild => ca-certificates-20180409.3.36.1-r1.ebuild} | 1 +
 1 file changed, 1 insertion(+)
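Added example (not Gentoo's ebuild nor Debian's update-ca-certificates script) of the defensive logic the thread points at: try `openssl rehash`, fall back to `c_rehash` as the commit does, and fail loudly instead of silently; `verify_ca_dir` then checks that each CA in the directory has its subject-hash link, whose absence is what produces the "verify error:num=20" seen in comment 1. The function names and the optional OPENSSL_BIN parameter are assumptions.

```shell
#!/bin/sh
# rehash_ca_dir DIR [OPENSSL_BIN]
# Returns 0 when the hash links were (re)built, 1 when neither
# 'openssl rehash' nor c_rehash succeeded (no silent no-op).
rehash_ca_dir() {
    dir=$1
    openssl_bin=${2:-openssl}
    [ -d "$dir" ] || { echo "rehash_ca_dir: $dir is not a directory" >&2; return 1; }
    # OpenSSL >= 1.1.0 has 'openssl rehash'; on 1.0.x it prints
    # "'rehash' is an invalid command." and exits non-zero.
    if "$openssl_bin" rehash "$dir" >/dev/null 2>&1; then
        return 0
    fi
    # Fall back to the c_rehash perl script shipped with OpenSSL 1.0.x.
    if command -v c_rehash >/dev/null 2>&1 && c_rehash "$dir" >/dev/null 2>&1; then
        return 0
    fi
    echo "rehash_ca_dir: neither 'openssl rehash' nor c_rehash worked for $dir" >&2
    return 1
}

# verify_ca_dir DIR [OPENSSL_BIN]
# Check that every *.pem in DIR has a <subject_hash>.N link; that link is
# how the verifier locates the issuer, so a missing one yields error 20
# (unable to get local issuer certificate). Returns 1 if any is missing.
verify_ca_dir() {
    dir=$1
    openssl_bin=${2:-openssl}
    missing=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        hash=$("$openssl_bin" x509 -noout -subject_hash -in "$pem") || return 1
        found=0
        for link in "$dir"/"$hash".[0-9]*; do
            [ -e "$link" ] && { found=1; break; }
        done
        if [ "$found" -eq 0 ]; then
            echo "verify_ca_dir: no hash link for $pem (expected $hash.N)" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```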