c_rehash creating bogus links to ca-certificates.crt

Marking as confirmed.

This has been traced to a broken hash directory:

11:40 < kirkland> lrwxrwxrwx 1 root root 19 2011-09-20 01:34 /usr/lib/ssl/certs/55a10908.0 -> ca-certificates.crt
11:40 < kirkland> -rw-r--r-- 1 root root 240312 2011-09-20 01:32 /usr/lib/ssl/certs/ca-certificates.crt

This is expected to point to the specific certificate file, ValiCert_Class_2_VA.pem, instead; but on new installs since the latest upload of the new upstream version of openssl, c_rehash is giving preference to the ca-certificates bundle file over the individual cert files, and libssl subsequently is unable to use ca-certificates.crt for certificate validation.

I would definitely say there's a bug in openssl here, since c_rehash shouldn't create symlinks that the library will be subsequently unable to use; but I think we can work around it in ca-certificates by just making sure the bundle file is moved out of the way at the time we're calling c_rehash - since any time we call c_rehash we're regenerating that bundle file anyway.

12:41 < sbeattie> slangasek: behavior change in c_rehash is likely due to the patch that fixed
                  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628780

This bug was fixed in the package ca-certificates - 20110502+nmu1ubuntu2

---------------
ca-certificates (20110502+nmu1ubuntu2) oneiric; urgency=low

  * Really only call --fresh on upgrade, instead of all the time; thanks to
    Adam Conrad for catching this in the queue.

ca-certificates (20110502+nmu1ubuntu1) oneiric; urgency=low

  * sbin/update-ca-certificates: move the ca-certificates.crt bundle out of
    the way before calling c_rehash, so that symlinks don't accidentally get
    pointed here, breaking openssl certificate verification. LP: #854927.
  * debian/postinst: kludge in support for running
    update-ca-certificates --fresh on upgrade, to ensure we fix up the hash
    for anyone who happened to install from a daily.
 -- Steve Langasek <email address hidden> Tue, 20 Sep 2011 12:49:57 -0700

Following up on the irc comment that Steve Langasek pasted, I can confirm that reverting the patch http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/openssl/oneiric/revision/58#debian/patches/c_rehash-multi.patch followed by update-ca-certificates --fresh (without the workaround Steve added) also corrects the hashing/verification issue. However, it does seem like the c_rehash patch is correcting undesirable behavior on its part.

Is this really the entirety of the bug? With the new openssl but the old ca-certificates, I ran:

  $ sudo update-ca-certificates --fresh
  ...
  $ ls -l /usr/lib/ssl/certs/55a10908.0
lrwxrwxrwx 1 root root 19 2011-09-21 13:27 /usr/lib/ssl/certs/55a10908.0 -> ca-certificates.crt
  $ curl -sS http://launchpad.net
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>301 Moved Permanently</title>
  </head><body>
  <h1>Moved Permanently</h1>
  <p>The document has moved <a href="https://launchpad.net/">here</a>.</p>
  <hr>
  <address>Apache/2.2.14 (Ubuntu) Server at launchpad.net Port 80</address>
  </body></html>

What am I missing? While we could certainly change c_rehash to make sure it always prefers .pem files over .crt (and that might be preferable anyway), I wonder why libssl is unable to deal with the .crt files ...

What exactly are you trying to show Colin? You're connecting to http...

Whoops, I'm also unwell today and not thinking clearly. But in any case HTTPS works too:

$ wget https://www.google.com
--2011-09-21 14:52:14-- https://www.google.com/
Resolving www.google.com... 209.85.147.147, 209.85.147.99, 209.85.147.103, ...
Connecting to www.google.com|209.85.147.147|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://encrypted.google.com/ [following]
--2011-09-21 14:52:14-- https://encrypted.google.com/
Resolving encrypted.google.com... 209.85.147.100, 209.85.147.101, 209.85.147.102, ...
Connecting to encrypted.google.com|209.85.147.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'

    [ <=> ] 11,434 --.-K/s in 0.07s

2011-09-21 14:52:15 (165 KB/s) - `index.html' saved [11434]

$ curl -sS https://launchpad.net
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
[...]

Should be fixed by Loïc's recent change:

openssl (1.0.0e-2ubuntu2) oneiric; urgency=low

  * Unapply patch c_rehash-multi and comment it out in the series as it breaks
    parsing of certificates with CRLF line endings and other cases (see
    Debian #642314 for discussion), it also changes the semantics of c_rehash
    directories by requiring applications to parse hash link targets as files
    containing potentially *multiple* certificates rather than exactly one.
    LP: #855454.

 -- Loïc Minier <email address hidden> Tue, 27 Sep 2011 18:13:07 +0200

While this wont happen with current ca-certificates, I think we should revert the changes which caused this bug:
in Debian's 20110421 QA upload, a c_rehash call was added to postinst for upgrades from versions <= 20090814+nmu3, this was an attempt to rebuild the symlinks in /etc/ssl/certs, but because update-ca-certificates wasn't removing /etc/ssl/cert/ca-certificates.crt, it did generate one symlink to this file for the first certificate. With the Debian change from openssl 1.0.0e-1 to support multiple certificates in one file, this probably took even worse proportions. However this probably depended on the order in which c_rehash processed files; it just does readdir() and generates links for the first certificate of each .pem and .crt file it finds.

Now in 20110502+nmu1ubuntu1/20110502+nmu1ubuntu2, a call was added to properly regenerate the links, but kept the plain c_rehash call *after* it in the postinst, so that it might trigger when upgrading from <= 20090814+nmu3 (so upgrades from natty or lucid will cause this).

Because of the new call I've added in20110502+nmu1ubuntu4 to regenerates certs when upgrading from <= 20110502+nmu1ubuntu4, this should be fixed for oneiric users.

Now, what needs to be fixed:
* plain c_rehash is wrong in any case; also an issue in Debian (and the rm needs to be copied there too)
* postinst has tons of update-ca-certificates calls, mine is the strongest one as it affects all updates (from natty); all of these should be dropped after oneiric

Now this could be fixed in oneiric + 1, but it would be clearer to remove these now to prevent any regression when removing the postinst snippets (e.g. leaving the plain c_rehash call alone after oneiric would be wrong).

I've sent a patch to Debian including Steve's changes to remove ca-certificates.crt before running c_rehash in update-ca-certificates; will set bug id once I have it.

This bug was fixed in the package ca-certificates - 20110502+nmu1ubuntu5

---------------
ca-certificates (20110502+nmu1ubuntu5) oneiric; urgency=low

  * Tweak postinst to not run update-ca-certificates multiple times and remove
    dangerous plain c_rehash snippet; LP: #854927.
 -- Loic Minier <email address hidden> Wed, 28 Sep 2011 15:49:34 +0200