Manual intervention is needed for upgrading the ca-certificates-utils package to version 20170307


(Neofytos Kolokotronis) #1

This announcement is also available in Italian, Spanish and Taiwanese Mandarin.

Hello everyone,

the upgrade of ca-certificates-utils to version 20170307 requires manual intervention because a symlink which used to be generated in the post-install script has now been moved into the package.

As deleting the symlink may leave you unable to download packages, perform this upgrade in the steps described below.

  1. Attempt a standard system upgrade:

    $ sudo pacman -Syu

    If your mirror has synchronised since this announcement was published, you will receive ca-certificates-utils version 20170307, but then get the following error during installation:

    error: failed to commit transaction (conflicting files)
    ca-certificates-utils: /etc/ssl/certs/ca-certificates.crt exists in filesystem
    Errors occurred, no packages were upgraded.

    Only proceed to step 2 if you get this error. If you do not get the error, just proceed with the normal upgrade until your mirror has synced and this error comes up.

  2. Remove the conflicting file:

    $ sudo rm /etc/ssl/certs/ca-certificates.crt
  3. Perform the upgrade again using the packages already downloaded in Step 1:

    $ sudo pacman -Su

It should be safe to answer yes to any package replacement question by pacman. If you are in doubt, or face another issue in relation to this update, please ask or report it here and we will be happy to help.

Once this announcement is published, it will take most of our mirrors 12-24 hours before they synchronize and make this update available. To check when the mirror(s) of your choice last synchronized with the origin, have a look at the mirror status page on our website.

Se necesita intervención manual para actualizar el paquete ca-certificates-utils a la versión 20170307
Manual interventions - what you need to know
P11-kit and security chain upgrade is now available in [testing]
(tom) #2

to much effort because the --force option does the same.
and yes, i suggest --force because the pakages are tested an we know what will be happen

sudo pacman -Syu --force

(Neofytos Kolokotronis) #3

A full upgrade with --force is never recommended. You never know what a full upgrade means for a particular system and what else you might be forcing.

So step 1 was required to make sure the error is present. If you want to use the force switch, the safe way to do this would be to replace step 2 with sudo pacman -S --force ca-certificates-utils.

(richard.llom) #4

after the ca-certificate update I have multiple problems with SSL:

from pacman

:: Synchronizing package databases...
error: failed retrieving file 'lib32.db' from : SSL certificate problem: unable to get local issuer certificate
 lib32 is up to date
error: failed retrieving file 'core.db' from : SSL certificate problem: unable to get local issuer certificate
 core is up to date
error: failed retrieving file 'desktop.db' from : SSL certificate problem: unable to get local issuer certificate
 desktop is up to date
error: failed retrieving file 'gtk.db' from : SSL certificate problem: unable to get local issuer certificate
 gtk is up to date

from smplayer (smtube/playing yt-vids in smplaer is not working anymore):

[21:26:49:453] LoadPage::gotResponse: error: QNetworkReply::NetworkError(SslHandshakeFailedError) : "SSL handshake failed"

and Steam is also refusing to connect:

Connection Error: Could not connect to the Steam Network.

(Luca Giambonini) #5

Please double check that you have the correct package installed:


This kind of errors occours when there is a mismatch of the certificates.

(richard.llom) #6

In order to try to fix it I downgraded and then reinstalled the newest version. Seems to work now.

(Luca Giambonini) #7

Ok great!
is really important to follow the update steps on the announcement, otherwise your get a compromised system.

(ericjs) #8

Hmm. I foolishly did the upgrade without reading this first. I did something slightly different than these steps:

  1. I did the equivalent to 1 using Octopi
  2. I moved my ca-certificates.crt to save it away rather than delete it (I assume this difference doesn’t matter)
  3. I ran sudo pacman -Syu

Is my system in some way borked by having used -Su instead if -Syu? Is there anything I need to do?

While I got errors at the beginning of the 3rd step for each repo like “error: failed retrieving file ‘lib32.db’” it did seem to have downloaded and upgraded the packages.

(tom) #9

this doesn’t mater because the y options synchronize your pacman date base with the chakra mirrors and show you packages upgradable packages.

i think so perhaps is this a case for pacman --force option but before you download the package you should search the package cache for this package.
simple try:

sudo pacman -U --force /var/cache/pacman/pkg/ca-certificates-20170307-2-x86_64.pkg.tar.xz

this will install ca-certificates-20170307-2-x86_64.pkg.tar.xz if it is in your packages cache

(Rémy Epke) #10

The --force is strong in this one.

Too strong.

(Neofytos Kolokotronis) #11

Indeed the use of force here is not needed, as @ericjs already removed the conflicting file.

But yes, the suggestion to use pacman -U to upgrade from the local cache should fix the issue.

(tom) #12


here stands thirty two characters :stuck_out_tongue:

(Rémy Epke) #13

You know full well why, Tom, you’ve been told a couple of times already.
Don’t. Use. --force.

(tom) #14

i don’t know why in general but i know -Syu could be difficult if i don’t know what will be happen because it is hidden to me but if i know what will be happen there will no problem arise :wink:

(Facundo Gabriel Adorno) #15

The upgrade was successfully made! I had to run manually the sudo rm /etc/ssl/certs/ca-certificates.crt and then the upgrade continued ok! Thanks!!

(totte) closed #16