Comment 4 for bug 289934

can't reproduce this behaviour; the postinst uses a fresh (pregenerated) cacerts file, and the postinst succeeds with your ca-certificates.conf. Did you change anything in /etc/default/cacerts ?