Bug 927601
Summary: | p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Kamil Páral <kparal> |
Component: | ca-certificates | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | jorton, kalevlember, kengert, mclasen, pwouters, stefw, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-05-29 08:57:38 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
(In reply to comment #0)
> I see this when creating a Fedora 19 LiveCD. I assume the same errors are
> displayed when installing ca-certificates package in a standard system.

No, I never saw it when testing in a f19 VM. I assume that live cd creation happens in a fresh area, I haven't tested that yet.

I'm able to reproduce. Stef, this problem is a regression in p11-kit 0.17.4, it can be reproduced by executing the update-ca-trust script. No such errors with 0.17.3

Maybe it's not a regression, but rather the ca-certificates is indeed providing duplicate certs, and thanks to new self-test code in p11-kit this is now being detected... I'm investigating why this happens. I suspect a bug in the ca-cert conversion code that converts two similar input certs to identical output.

Yes, the conversion script had made the incorrect assumption that it can uniquely identify certificates using the same label. That isn't true, the NSS root CA list uses identical labels (nicknames) for replacement certs with difficult contents. That helps NSS during certificate validation.

I'm building an updated package that includes the serial number as part of the key during the conversion. This works for now, although the script should ideally get reworked to use the issuer name instead of the label for all identification purposes.

http://koji.fedoraproject.org/koji/taskinfo?taskID=5178220

In my local testing of the code it fixes the issue.

With p11-kit-0.17.4-2.fc19.x86_64 I don't see any more errors while building LiveCD.

Kamil, the fix for this bug is in ca-certificates-2012.87-10.0 - did you pick that up?

Yes, ca-certificates-2012.87-10.0.fc19.noarch was included too.
However, I tried to build a 32b version now, and this is what I see:
> Installing: p11-kit-trust ##################### [322/985]
> Installing: ca-certificates ##################### [323/985]
> p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t
> p11-kit: 'timet >= 0' not true at calc_date
> Installing: libXxf86dga ##################### [324/985]
p11-kit-0.17.4-2.fc19.i686
ca-certificates-2012.87-10.0.fc19.noarch

(In reply to comment #7)
> Yes, ca-certificates-2012.87-10.0.fc19.noarch was included too.

Thanks for confirming.

> However, I tried to build a 32b version now, and this is what I see:
>
> > Installing: p11-kit-trust ##################### [322/985]
> > Installing: ca-certificates ##################### [323/985]
> > p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t
> > p11-kit: 'timet >= 0' not true at calc_date

Yes, this was reported earlier today already by Ales. We already understand the issue and it will be fixed and warnings go away in the next version of p11-kit, Stef is working on it. The issue is tracked at https://bugs.freedesktop.org/show_bug.cgi?id=62825

No more errors with p11-kit-0.18.2-1.fc19.x86_64. Closing.

Description of problem:
I see this when creating a Fedora 19 LiveCD. I assume the same errors are displayed when installing ca-certificates package in a standard system.

> Installing: p11-kit-trust ################### [ 359/1291]
> Installing: ca-certificates ################### [ 360/1291]
> p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
> p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt

Version-Release number of selected component (if applicable):
ca-certificates-2012.87-9.fc19.1.noarch
p11-kit-0.17.4-1.fc19.x86_64

How reproducible:
most probably always, tried once

Steps to Reproduce:
1. $ sudo livecd-creator -c ks/spin-kickstarts/fedora-live-desktop.ks --releasever 19
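
The keying problem discussed in the comments above (certificates identified by label alone, with the serial number added to the key as the fix), shown as an added Python illustration that is not the ca-certificates conversion script. The records, field names and the way certificate and trust objects are paired are constructed assumptions.

```python
import hashlib

# Constructed records (not real NSS data): two certificates share one label
# but differ in serial and content; each has its own trust object.
OBJECTS = [
    {"kind": "cert", "label": "Example Root CA", "issuer": "CN=Example Root CA",
     "serial": "01", "der": b"original-cert-bytes"},
    {"kind": "cert", "label": "Example Root CA", "issuer": "CN=Example Root CA",
     "serial": "2d", "der": b"replacement-cert-bytes"},
    {"kind": "trust", "label": "Example Root CA", "issuer": "CN=Example Root CA",
     "serial": "01"},
    {"kind": "trust", "label": "Example Root CA", "issuer": "CN=Example Root CA",
     "serial": "2d"},
]

def by_label(obj):                 # the incorrect assumption: label is unique
    return obj["label"]

def by_label_serial(obj):          # the interim fix: serial is part of the key
    return (obj["label"], obj["serial"])

def by_issuer_serial(obj):         # the suggested rework: issuer instead of label
    return (obj["issuer"], obj["serial"])

def convert(objects, key):
    """Emit one (label, sha256-of-cert) entry per trust object."""
    certs = {}
    for obj in objects:
        if obj["kind"] == "cert":
            certs[key(obj)] = obj  # a colliding key silently replaces the earlier cert
    return [(o["label"], hashlib.sha256(certs[key(o)]["der"]).hexdigest())
            for o in objects if o["kind"] == "trust"]

def duplicates(entries):
    """Labels whose identical entry appears more than once in the output."""
    seen, dups = set(), []
    for entry in entries:
        if entry in seen:
            dups.append(entry[0])
        seen.add(entry)
    return dups

if __name__ == "__main__":
    for key in (by_label, by_label_serial, by_issuer_serial):
        print(key.__name__, duplicates(convert(OBJECTS, key)))
```

With the label-only key the original certificate is dropped and the replacement is emitted twice, so a duplicate check on the output is also a check that no trust anchor was silently lost during conversion.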