Basically I noticed this because cacert.org's cert files were broken into root.crt and class3.crt. Now you run update-ca-certificates in the pkg_postinst() step; however, since the file is being installed into /etc, it's under CONFIG_PROTECT. So the update to the config file doesn't actually occur until the user runs etc-update or dispatch-conf. However, you've already run update-ca-certificates, which now results in the old file being used, and the user sees cacert.org's certificates silently disappear for them. Additionally, the problem is even worse since --fresh isn't appended by the call, so old symlinks stay around and muck up the situation even further. The solution is either to remove ca-certificates.conf from CONFIG_PROTECT and append --fresh to the call, or to patch update-ca-certificates to accept a path to ca-certificates.conf and append --fresh.
*** This bug has been marked as a duplicate of bug 177397 ***
This isn't a dup. This is an issue that the symlinks are not generated to the new certificates. A side note in this is that it leaves dangling symlinks. The fact that the symlinks aren't generated at all is what's causing breakage. In the other bug report, the guy says dangling symlinks are broken.
Eh. I'll take the discussion there since it's still an issue.
*** This bug has been marked as a duplicate of bug 177397 ***
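Added example, not part of the bug thread or of the ca-certificates package: a shell check for the two symptoms discussed above, enabled entries in ca-certificates.conf that have no link in the certificate directory, and leftover dangling symlinks. It assumes links are named after the entry's basename with `.crt` replaced by `.pem`; the function names, the sample tree and the file name `old-single-file` are constructed for illustration.

```shell
#!/bin/sh
# audit_ca_links CONF CERTSDIR
#   CONF     - ca-certificates.conf (one certificate path per line)
#   CERTSDIR - directory holding the generated symlinks
# Prints "MISSING <entry>" for enabled entries without a usable link and
# "DANGLING <link>" for symlinks whose target no longer exists.
audit_ca_links() {
    conf=$1
    certs=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        # Skip blank lines, comments (#) and deselected entries (!).
        case $entry in ''|'#'*|'!'*) continue ;; esac
        # Assumed link name: basename with .crt replaced by .pem.
        link="$certs/$(basename "$entry" .crt).pem"
        # -e follows the link, so a dangling link also counts as missing.
        [ -e "$link" ] || echo "MISSING $entry"
    done < "$conf"
    for link in "$certs"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            echo "DANGLING $link"
        fi
    done
}

# Constructed sample: the config already lists the split files, but the
# links were generated from the old config and never refreshed.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/share/cacert.org" "$tmp/certs"
    : > "$tmp/share/cacert.org/root.crt"
    : > "$tmp/share/cacert.org/class3.crt"
    printf '%s\n' '# constructed sample config' \
        'cacert.org/root.crt' 'cacert.org/class3.crt' \
        '!mozilla/Deselected.crt' > "$tmp/conf"
    ln -s "$tmp/share/cacert.org/root.crt" "$tmp/certs/root.pem"
    # Stale link to a file that the update removed.
    ln -s "$tmp/share/cacert.org/old-single-file.crt" \
        "$tmp/certs/old-single-file.pem"
    (cd "$tmp/certs" && audit_ca_links "$tmp/conf" .)
    rm -rf "$tmp"
}

demo_audit
```

On a real system the arguments would be the live ca-certificates.conf and the certificate directory; any output after an upgrade means the links do not match the configuration.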