Bug 936709

Summary: update-ca-certificates does not work in 13.2
Product: [openSUSE] openSUSE Distribution
Reporter: Uwe Geuder <novell-ugeuder>
Component: Basesystem
Assignee: E-mail List <bnc-team-screening>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: novell-ugeuder
Version: 13.2
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 13.2
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: example certificate, which reproduces the failure

Description Uwe Geuder 2015-07-01 07:49:12 UTC
Created attachment 639776
example certificate, which reproduces the failure

I am aware that this report is a duplicate of https://bugzilla.opensuse.org/show_bug.cgi?id=918944 . However, that report was closed as "works for me" and I can only state it does not work for me. Also https://bugzilla.opensuse.org/show_bug.cgi?id=911202 has a (misplaced) comment where a user mentions that it does not work for him.

Steps to reproduce:

1. Copy CA certificate into /etc/pki/trust/anchors

(tested certificate attached, I have tried various filenames, but it does not make a difference. I have also tested the undocumented location 
/etc/pki/trust, that makes no difference either)

2. run update-ca-certificates (as root)


Expected result:

the certificate is included into /var/lib/ca-certificates/ca-bundle.pem

(you can test using grep 94Uc= /var/lib/ca-certificates/ca-bundle.pem
or md5sum /.snapshots/*/snapshot/var/lib/ca-certificates/ca-bundle.pem /var/lib/ca-certificates/ca-bundle.pem if you run snapper)

Also the contents of /var/lib/ca-certificates/pem/* should be updated
so that grep 94Uc= /var/lib/ca-certificates/pem/*
produces a match.

Observed result:

/var/lib/ca-certificates/ca-bundle.pem is unchanged in 13.2

grep 94Uc= /var/lib/ca-certificates/pem/* produces no match in 13.2

(both tests are successful in 13.1)


Further debugging: strace -ff -o ucc.strace update-ca-certificates shows that the new certificate gets memory mapped several times without error. Both in the documented location /etc/pki/trust/anchors and in the undocumented location /etc/pki/trust. Could not see from strace what goes wrong that the certificate is not included.
Comment 1 Ludwig Nussel 2015-07-01 08:30:56 UTC
please attach the certificate
Comment 2 Ludwig Nussel 2015-07-01 08:31:06 UTC
ups, it's there :)
Comment 3 Ludwig Nussel 2015-07-01 08:34:50 UTC
the last line lacks a dash at the end, after adding that it works
Comment 4 Uwe Geuder 2015-07-01 08:46:59 UTC
Thanks for the quick reply! Yes it works, stupid user error aka copy paste error..
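
The root cause in this thread was an END line one dash short, and update-ca-certificates gave no hint about it. The following pre-flight check is an added example, not part of the original report or of the ca-certificates package; the function names are hypothetical and it assumes the anchors are plain CERTIFICATE blocks:

```shell
#!/bin/sh
# Added example: validate PEM armor lines before running update-ca-certificates.
# Assumption of this sketch: only plain "CERTIFICATE" blocks are checked.

# check_pem_armor FILE
# Prints a diagnostic for each malformed armor line. Returns 0 only when the
# file has at least one complete block and no malformed armor line.
check_pem_armor() {
    awk -v f="$1" '
        { sub(/\r$/, "") }                       # ignore CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inblk) { print f ":" NR ": BEGIN inside an open block"; bad++ }
            inblk = 1; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (inblk) { good++ } else { print f ":" NR ": END without BEGIN"; bad++ }
            inblk = 0; next
        }
        # Near misses: wrong dash count or trailing blanks on an armor line.
        /^-*(BEGIN|END) CERTIFICATE-*[ \t]*$/ {
            print f ":" NR ": malformed armor line: \"" $0 "\""; bad++
            if ($0 ~ /END/) inblk = 0
        }
        END {
            if (inblk) { print f ": block not terminated"; bad++ }
            if (!good && !bad) { print f ": no CERTIFICATE block found"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# check_anchor_dir DIR
# Runs the check on every regular file in DIR; returns 1 if any file fails.
check_anchor_dir() {
    rc=0
    for cert in "$1"/*; do
        [ -f "$cert" ] || continue
        check_pem_armor "$cert" || rc=1
    done
    return "$rc"
}
```

Running `check_anchor_dir /etc/pki/trust/anchors` before update-ca-certificates points at the file and line number of a damaged armor line such as the one in the attached certificate.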