This repository has been archived by the owner on Dec 8, 2023. It is now read-only.

update-ca-certificates removes content of ca-certificates.crt #518

Open
joda01 opened this issue Jun 16, 2020 · 3 comments
Labels
kind/bug Something isn't working

Comments

@joda01

joda01 commented Jun 16, 2020

Version (k3OS / kernel)
v0.10.2
5.0.0-43-generic #47~18.04.1 SMP Wed Apr 1 16:27:01 UTC 2020

Architecture
x86_64

Describe the bug
When executing update-ca-certificates, the ca-certificates.crt in /etc/ssl/certs is overridden by the last found crt file in /usr/local/share/ca-certificates. If this directory does not exist, the ca-certificates.crt is empty (cleared) after executing the update-ca-certificates command.

To Reproduce

  • Boot K3OS
  • Login and execute sudo update-ca-certificates

Expected behavior

  • If no certificates are provided in /usr/local/share/ca-certificates nothing should happen.
  • If there are certificates in it, I would expect these certificates to be appended to the ca-certificates.crt file.

Actual behavior
The ca-certificates.crt is empty after executing the command (see description above).

Additional context
Actually I made a workaround:

  1. Moved /etc/ssl/certs/ca-certificates.crt to /usr/local/share/ca-certificates
  2. Manually appended all wanted certificates with cat *.crt >> /usr/local/share/ca-certificates/ca-certificates.crt
  3. Created the directory with mkdir -p /etc/ca-certificates/update.d/
  4. Executed the command sudo update-ca-certificates
@joda01 joda01 added the kind/bug Something isn't working label Jun 16, 2020
@kidac

kidac commented Jul 15, 2020

I can confirm this bug. The described workaround works.

@t0xicCode

I ended up having the same issue, so I built a little tool that can be used to add new certificates to the bundle without removing any of the existing ones. It's idempotent, so it can be run at every boot without issue. I called it add-ca-certificates.

Would love to get feedback & see if the k3OS folks would like to integrate it into k3OS itself.

@philomory

philomory commented Nov 10, 2021

Just a note, I've figured out exactly where this error is coming from. The problem is that the k3os build process doesn't keep /etc/ca-certificates.conf from the ca-certificates package; the update-ca-certificates command builds the /etc/ssl/certs/ca-certificates.crt bundle by pulling individual certificates from two places:

  1. /usr/local/share/ca-certificates/* for user-supplied certificates, and
  2. /usr/share/ca-certificates/* for system-default certificates

However, there's an important caveat: when pulling certificates from /usr/share/ca-certificates/, the update-ca-certificates command doesn't just pull every certificate in the directory; instead, it only includes certificates specifically mentioned in the file /etc/ca-certificates.conf. Since K3OS doesn't have the /etc/ca-certificates.conf that comes by default with the ca-certificates package, it means that none of the default system certificates are included in the bundle generated by update-ca-certificates.
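
The rule described in the comment above, as an added example that is not code from k3OS or from the ca-certificates package: a minimal POSIX sh re-implementation of the bundle assembly (local certificates always, system certificates only when listed in etc/ca-certificates.conf), run against a scratch directory tree that mirrors the paths named in the thread. The certificate contents are constructed placeholders, not real certificates, so the effect of a missing conf file can be observed without touching the real /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not code from k3OS or the ca-certificates package: a minimal
# re-implementation of the bundle-assembly rule described in the thread,
# parameterised on a scratch ROOT so nothing under the real /etc is touched.
set -eu

# build_bundle ROOT OUT
#  ROOT/usr/local/share/ca-certificates/*.crt  always included
#  ROOT/usr/share/ca-certificates/<name>       included only if <name> is
#    listed in ROOT/etc/ca-certificates.conf ('#' comments, '!' deselects)
build_bundle() {
    root=$1; out=$2
    : > "$out"     # the bundle is rebuilt from scratch, not appended to
    for f in "$root"/usr/local/share/ca-certificates/*.crt; do
        if [ -f "$f" ]; then cat "$f" >> "$out"; fi
    done
    conf="$root/etc/ca-certificates.conf"
    if [ -f "$conf" ]; then
        while IFS= read -r line; do
            case $line in ''|'#'*|'!'*) continue ;; esac
            if [ -f "$root/usr/share/ca-certificates/$line" ]; then
                cat "$root/usr/share/ca-certificates/$line" >> "$out"
            fi
        done < "$conf"
    fi
}

# count_certs FILE: number of PEM certificate blocks in a bundle (0 if none)
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_root ROOT WITH_CONF: constructed sample tree with placeholder PEM
# blocks (not real certificates); WITH_CONF=1 also writes the conf file,
# selecting two of the three system certificates and deselecting the third.
make_root() {
    root=$1
    mkdir -p "$root/usr/local/share/ca-certificates" \
             "$root/usr/share/ca-certificates/mozilla" "$root/etc/ssl/certs"
    fake='-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----'
    printf '%b\n' "$fake" > "$root/usr/local/share/ca-certificates/corp-root.crt"
    for n in SysRoot_A SysRoot_B SysRoot_C; do
        printf '%b\n' "$fake" > "$root/usr/share/ca-certificates/mozilla/$n.crt"
    done
    if [ "$2" = 1 ]; then
        printf '%s\n' '# ca-certificates.conf' mozilla/SysRoot_A.crt \
            mozilla/SysRoot_B.crt '!mozilla/SysRoot_C.crt' \
            > "$root/etc/ca-certificates.conf"
    fi
}
```

Without the conf file the rebuilt bundle holds only the single local certificate, which is the k3OS behaviour the thread describes; with it, the two selected system certificates are added as well.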
