Package: ca-certificates
Version: 20141019+deb8u1
Severity: normal
Tags: patch
Hi,

While updating CA certificates, one of my Python programs failed with:

    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 70, in get
        return request('get', url, params=params, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/api.py", line 56, in request
        return session.request(method=method, url=url, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
        resp = self.send(prep, **send_kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
        r = adapter.send(request, **kwargs)
      File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 423, in send
        timeout=timeout
      File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
        chunked=chunked)
      File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
        self._validate_conn(conn)
      File "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
        conn.connect()
      File "/usr/lib/python2.7/dist-packages/urllib3/connection.py", line 323, in connect
        ssl_context=context)
      File "/usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py", line 308, in ssl_wrap_socket
        context.load_verify_locations(ca_certs, ca_cert_dir)
      File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 392, in load_verify_locations
        self._ctx.load_verify_locations(cafile, capath)
      File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 781, in load_verify_locations
        _raise_current_error()
      File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
        raise exception_type(errors)
    OpenSSL.SSL.Error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]

It seems that update-ca-certificates temporarily removes the
/etc/ssl/certs/ca-certificates.crt bundle. As a result, whoever uses this file explicitly, e.g. python-requests via DEFAULT_CA_BUNDLE_PATH, might fail during a system-wide update-ca-certificates.

Removing this file is practically unnecessary, since a few lines below the script replaces it atomically using mv.

Note that currently, if we skip the removal of the bundle, we get the following openssl rehash warning:

    rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL

Still, `openssl rehash` exits normally. The above warning will show up only in debug mode (with --verbose).

Attached is a patch that fixes the above "racy" behavior.
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates index b27c6bd..473e90e 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates @@ -164,8 +164,6 @@ then done fi -rm -f "$CERTBUNDLE" - ADDED_CNT=$(wc -l < "$ADDED") REMOVED_CNT=$(wc -l < "$REMOVED")
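Review bot: dropping `rm -f "$CERTBUNDLE"` closes the window in which readers of /etc/ssl/certs/ca-certificates.crt find no file at all, but the hunk should carry a short comment (or the commit message should state) why skipping the removal is safe: the bundle is rebuilt and then moved over the old one with `mv` later in the script, so the old bundle stays readable until that rename. Two consequences the hunk leaves implicit and that belong next to the change: certificates being removed remain in the old bundle until the `mv` completes, and `openssl rehash --verbose` will now print "skipping ca-certificates.crt" because the old bundle is still present in the directory when rehash runs; both are harmless per the description, but a reader of the script should not have to rediscover them.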
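To illustrate the safe pattern the report relies on (build the new bundle under a temporary name, then rename it over the old one so the bundle path is never absent), here is an added example written for this page; it is not the Debian update-ca-certificates script, and the function names, the `.pem` source layout and the temp-file naming are assumptions.

```shell
#!/bin/sh
# Added example, not the Debian script: rebuild a CA bundle without ever
# leaving the bundle path missing. Source certs are assumed to be *.pem
# files in $1; the bundle path is $2 (e.g. /etc/ssl/certs/ca-certificates.crt).
#
# The racy shape the report describes is:  rm -f "$bundle"; ...; mv tmp "$bundle"
# Between the rm and the mv, clients opening "$bundle" get ENOENT.
# The safe shape below never touches "$bundle" until the final rename.

rebuild_bundle() {
    certdir=$1
    bundle=$2
    # Temp file in the same directory as the bundle, so the final mv is a
    # same-filesystem rename (atomic) rather than a copy.
    tmp=$(mktemp "$(dirname "$bundle")/.ca-bundle.XXXXXX") || return 1
    for f in "$certdir"/*.pem; do
        [ -f "$f" ] || continue            # no matches: glob stays literal
        cat "$f" >> "$tmp" || { rm -f "$tmp"; return 1; }
    done
    chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
    # Readers see either the complete old bundle or the complete new one,
    # never a missing or half-written file.
    mv -f "$tmp" "$bundle"
}

# Count PEM certificate blocks in a bundle (sanity check after a rebuild).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}
```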