On Mon, Mar 16, 2009 at 11:20:26AM -0400, Victor Duchovni wrote:
> Instead of "md5sum *", try the more robust:
>
> for cert in *; do openssl x509 -in $cert -noout -sha1 -fingerprint; done |
> sort | uniq -c | sort -nr | head -1
>
> to eliminate "cosmetic" cert file differences.

We're getting somewhere...

nw2 certs # for cert in *; do openssl x509 -in $cert -noout -sha1 -fingerprint; done | sort | uniq -c | sort -nr | head -n 2
      3 SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
      3 SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

(only those two, as the others are all count 2, the .0 link to the .pem)

nw2 certs # for cert in *; do ( echo -n "$cert: " ; openssl x509 -in $cert -noout -sha1 -fingerprint ) | grep "DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9"; done
5cf9d536.0: SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
QuoVadis_Root_CA.pem: SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
QuoVadis_Root_Certification_Authority.pem: SHA1 Fingerprint=DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9

nw2 certs # ls -l 5cf9d536.0 QuoVadis_Root_C*
lrwxrwxrwx 1 root root 41 Mar 15 21:31 5cf9d536.0 -> QuoVadis_Root_Certification_Authority.pem
lrwxrwxrwx 1 root root 55 Mar 15 21:31 QuoVadis_Root_CA.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA.crt
lrwxrwxrwx 1 root root 57 Mar 15 21:31 QuoVadis_Root_CA_2.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt
lrwxrwxrwx 1 root root 57 Mar 15 21:31 QuoVadis_Root_CA_3.pem -> /usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt
lrwxrwxrwx 1 root root 80 Mar 15 21:31 QuoVadis_Root_Certification_Authority.pem -> /usr/share/ca-certificates/quovadis.bm/QuoVadis_Root_Certification_Authority.crt

nw2 certs # for cert in *; do ( echo -n "$cert: " ; openssl x509 -in $cert -noout -sha1 -fingerprint ) | grep "13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33"; done
5ed36f99.0: SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
cacert.org.pem: SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
root.pem: SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

nw2 certs # ls -l 5ed36f99.0 cacert.org.pem root.pem
lrwxrwxrwx 1 root root 14 Mar 15 21:31 5ed36f99.0 -> cacert.org.pem
lrwxrwxrwx 1 root root 52 Mar 15 21:31 cacert.org.pem -> /usr/share/ca-certificates/cacert.org/cacert.org.crt
lrwxrwxrwx 1 root root 46 Mar 15 21:31 root.pem -> /usr/share/ca-certificates/cacert.org/root.crt

I deleted /usr/share/ca-certificates/quovadis.bm/QuoVadis_Root_Certification_Authority.crt and /usr/share/ca-certificates/cacert.org/root.crt, updated the certs links, and did the test again: same error.

> Do any of the files contain multiple certs ?

Apart from the generated ca-certificates.crt, I don't think so. The certs package appears to come from debian, ca-certificates-20080809.

> What version of OpenSSL are you using (many Linux distributions
> use an early patchlevel with backported fixes, so it is not
> always obvious what this means in terms of the actual code).

It's a vanilla gentoo 0.9.8j, with a few compilation and path fixes.

Okay, one more test:

citron ca-certificates # pwd
/usr/share/ca-certificates
citron ca-certificates # find .
.
./cacert.org
./cacert.org/cacert.org.crt
./cacert.org/class3.crt
citron ca-certificates # update-ca-certificates --fresh --verbose
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....Doing .
cacert.org.pem => 5ed36f99.0
class3.pem => e5662767.0
done.
Running hooks in /etc/ca-certificates/update.d....done.

--> 20978:error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table:x509_lu.c:348:

?!?

citron cacert.org # openssl x509 -in cacert.org.crt -noout -sha1 -fingerprint
SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
citron cacert.org # openssl x509 -in class3.crt -noout -sha1 -fingerprint
SHA1 Fingerprint=DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D

Holy shit... There are two certificates in cacert.org.crt... One beginning in 2003, the other one in 2005.

Cleaning out the older one makes the thing work, but probably breaks older certificates?

The enclosed cacert.org.crt for reference: http://dl.free.fr/tKeZLxbb3

So it should be broken on debian and gentoo...

Arnaud.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
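The two checks this thread converges on (Victor's fingerprint loop to find the same certificate reaching the store through more than one file, and the question of whether any file holds more than one certificate, which is where Arnaud's cacert.org.crt ended up) as an added Python example. It is not code from the original post, from OpenSSL or from the ca-certificates package. It computes the same value as `openssl x509 -noout -sha1 -fingerprint` (SHA-1 over the DER encoding), counts hash symlinks such as the `.0` links that point at a `.pem` as one file, and runs on a constructed temporary directory of placeholder PEM blobs rather than real certificates; `CERT_A`, `CERT_B`, `CERT_C` and the file names are all made up for the demonstration.

```python
import base64
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Matches one PEM certificate block; re.S lets the base64 body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certs_to_der(text):
    """Return the DER bytes of every certificate block found in a PEM file."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def sha1_fingerprint(der):
    """Same output as `openssl x509 -noout -sha1 -fingerprint`: SHA-1 over the DER,
    formatted as colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def audit_ca_dir(path):
    """Audit a certificate directory the way the thread does by hand.

    Returns (multi, dups):
      multi: {file name: certificate count} for files holding more than one cert
             (the cacert.org.crt case in the thread).
      dups:  {fingerprint: [real paths]} for certificates reachable through more
             than one distinct file; symlinks to the same target (the .0 hash links)
             are resolved first, so they do not count as duplicates.
    """
    by_fp = defaultdict(set)  # fingerprint -> set of resolved file paths
    multi = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):  # skips dangling links and subdirectories
            continue
        with open(full, "r", encoding="ascii", errors="replace") as f:
            ders = pem_certs_to_der(f.read())
        if len(ders) > 1:
            multi[name] = len(ders)
        real = os.path.realpath(full)
        for der in ders:
            by_fp[sha1_fingerprint(der)].add(real)
    dups = {fp: sorted(paths) for fp, paths in by_fp.items() if len(paths) > 1}
    return multi, dups


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64 body)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder "certificates": opaque bytes, not real X.509 DER.
CERT_A = b"constructed placeholder cert A, not a real certificate"
CERT_B = b"constructed placeholder cert B, not a real certificate"
CERT_C = b"constructed placeholder cert C, not a real certificate"


def demo():
    """Build a constructed certs directory mirroring the thread's situations and
    audit it. Returns (multi, {fingerprint: [file base names]})."""
    d = tempfile.mkdtemp(prefix="certs-demo-")
    layout = {
        "root_a.pem": [CERT_A],          # a normal single-cert file
        "dup_of_a.pem": [CERT_A],        # same cert again under another name
        "bundle.pem": [CERT_B, CERT_C],  # two certs in one file
    }
    for name, certs in layout.items():
        with open(os.path.join(d, name), "w", encoding="ascii") as f:
            f.write("".join(to_pem(c) for c in certs))
    # A hash-style link like 5ed36f99.0 -> cacert.org.pem: same target, not a dup.
    os.symlink("root_a.pem", os.path.join(d, "abcd1234.0"))

    multi, dups = audit_ca_dir(d)
    return multi, {fp: [os.path.basename(p) for p in ps] for fp, ps in dups.items()}


if __name__ == "__main__":
    multi, dups = demo()
    for name, n in multi.items():
        print(f"{name}: {n} certificates in one file")
    for fp, files in dups.items():
        print(f"{fp} reachable via {len(files)} distinct files: {', '.join(files)}")
```

On a real system call `audit_ca_dir("/etc/ssl/certs")`: anything reported in `multi` is the condition Arnaud found in cacert.org.crt, and anything in `dups` is what the `sort | uniq -c` loop surfaces, minus the expected `.0`-to-`.pem` pairs that the loop counts twice.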