openssl: Error: 'rehash' is an invalid command. #1136

Open
orbea opened this issue Jan 14, 2025 · 1 comment

orbea commented Jan 14, 2025

OS: Gentoo
LibreSSL: 4.0.0
ca-certificates: 20240203.3.98

The `update-ca-certificates` command uses `openssl rehash`, which LibreSSL lacks.

```
# update-ca-certificates
Updating certificates in /etc/ssl/certs...
openssl:Error: 'rehash' is an invalid command.

Standard commands
asn1parse         ca                certhash          ciphers
cms               crl               crl2pkcs7         dgst
dh                dhparam           dsa               dsaparam
ec                ecparam           enc               errstr
gendh             gendsa            genpkey           genrsa
ocsp              passwd            pkcs12            pkcs7
pkcs8             pkey              pkeyparam         pkeyutl
prime             rand              req               rsa
rsautl            s_client          s_server          s_time
sess_id           smime             speed             ts
verify            version           x509

Message Digest commands (see the `dgst' command for more details)
md4               md5               ripemd160         sha1
sha224            sha256            sha384            sha512
sm3               sm3WithRSAEncryption

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       base64            bf
bf-cbc            bf-cfb            bf-ecb            bf-ofb
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb
chacha            des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            sm4               sm4-cbc
sm4-cfb           sm4-ecb           sm4-ofb
```

```sh
ADDED_CNT=$(wc -l < "$ADDED")
REMOVED_CNT=$(wc -l < "$REMOVED")

if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
then
  # only run if set of files has changed
  # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash`
  # from exiting with an error. See #895482, #895473.
  find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read -r orphan
  do
    rm -f "$orphan"
    if [ "$verbose" = 1 ]; then
      echo "Removed orphan symlink $orphan"
    fi
  done
  if [ "$verbose" = 0 ]
  then
    openssl rehash . > /dev/null
  else
    openssl rehash -v .
  fi
fi
```

The OpenSSL documentation states:

> This command is generally equivalent to the external script c_rehash, except for minor differences noted below.

https://docs.openssl.org/master/man1/openssl-rehash/

While the LibreSSL changelog states for 2.1.4:

> New openssl(1) command 'certhash' replaces the c_rehash script.

Replacing `openssl rehash` with `openssl certhash` seems to allow `update-ca-certificates` to add certificates successfully.

Should LibreSSL match the name of the OpenSSL rehash command to increase compatibility or is there a preferable way of resolving this?
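
The substitution described in the post above, generalized into a run-time probe that picks `rehash` or `certhash` depending on which one the installed `openssl` binary accepts. This is an added example, not code from ca-certificates, LibreSSL or the issue author; `OPENSSL_BIN`, `pick_hash_cmd` and `rehash_dir` are hypothetical names, and it assumes a `certhash -n` dry run over an empty directory exits 0.

```shell
#!/bin/sh
# Added example: OPENSSL_BIN, pick_hash_cmd and rehash_dir are hypothetical
# names, not part of ca-certificates, OpenSSL or LibreSSL.
OPENSSL_BIN=${OPENSSL_BIN:-openssl}

# Print the subcommand this openssl binary offers for rebuilding the
# hash symlinks in a certificate directory; return 1 if it offers neither.
pick_hash_cmd() {
  # OpenSSL's rehash accepts -help and exits 0; LibreSSL rejects "rehash".
  if "$OPENSSL_BIN" rehash -help >/dev/null 2>&1; then
    echo rehash
    return 0
  fi
  # LibreSSL ships certhash instead. Probe it with a dry run (-n) on an
  # empty scratch directory so no real certificate directory is touched.
  # Assumption: a dry run over an empty directory exits 0.
  probe=$(mktemp -d) || return 1
  if "$OPENSSL_BIN" certhash -n "$probe" >/dev/null 2>&1; then
    rmdir "$probe"
    echo certhash
    return 0
  fi
  rmdir "$probe"
  return 1
}

# Rebuild the hash links in directory $1; $2 = 1 asks for verbose output,
# mirroring the $verbose switch in update-ca-certificates.
rehash_dir() {
  dir=$1
  verbose=${2:-0}
  cmd=$(pick_hash_cmd) || {
    echo "no rehash or certhash command in $OPENSSL_BIN" >&2
    return 1
  }
  if [ "$verbose" = 1 ]; then
    "$OPENSSL_BIN" "$cmd" -v "$dir"
  else
    "$OPENSSL_BIN" "$cmd" "$dir" >/dev/null
  fi
}

# Usage: sh this-file /etc/ssl/certs [1]
if [ "$#" -gt 0 ]; then rehash_dir "$@"; fi
```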

@giovannimanzoni

Yes, it's crazy that rehash is missing!!!
