Problem: My local certificates where removed during an update
We upgraded out Univention UCS recently and all my local certificates I added under /etc/ssl where removed:
Setting up ca-certificates (20200601~deb9u1) ...
Updating certificates in /etc/ssl/certs...
15 added, 40 removed; done.
Before the certificates where there:
root@ucs:~ # ls -al /etc/ssl
rw-r--r-- 1 root root 1392 Aug 15 2019 domca.crt.pem
lrwxrwxrwx 1 root root 13 Aug 15 2019 6cfb734c.0 -> domca.crt.pem
-rw-r--r-- 1 root root 1298 Aug 15 2019 ADDOMRootCA.pem
-rw-r--r-- 1 root root 1299 Aug 15 2019 addom-dom.de.chain.root.ca
Environment
Univention UCS maintains the certificates for its own domain under /etc/univention/ssl. The directory /etc/ssl is used by the operating system for official CAs and certificates. It is updated and cleaned regularly through updates.
Additional certificates should be placed at /usr/share/ca-certificates.
dpkg-reconfigure ca-certificates will rewrite /etc/ca-certificates.conf where update-ca-certificates will look for public certificates and will update or remove certificates in /etc/sslaccording to the .conf file.
In case you will put your own certificates in the file it will be overwritten by dpkg-reconfigure ca during an update.
Solution
Put your additional certificates under /usr/share/ca-certificates thus they will be included when update-ca-certificates is running.