package ca-certificates-java 20110426 failed to install/upgrade during upgrade to Oneiric: fix path to libnss3 for multiarch

i am able to confirm this bug. i will add some helpful info.

gnomefreak@Develpment:~$ uname -a && lsb_release -a
Linux Develpment 2.6.38-8-generic-pae #42-Ubuntu SMP Mon Apr 11 05:17:09 UTC 2011 i686 athlon i386 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu oneiric (development branch)
Release: 11.10
Codename: oneiric

I'm running linux-image-2.6.38-8-generic-pae atm since linux-image-2.6.39-1-generic-pae is not working for me.

Here is what i get when i try to remove the package.

gnomefreak@Develpment:~$ remove --purge ca-certificates-java
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 default-jre-headless : Depends: openjdk-6-jre-headless (>= 6b14) but it is not going to be installed
 openjdk-6-jre : Depends: openjdk-6-jre-headless (>= 6b22-1.10.1-0ubuntu1) but it is not going to be installed
                 Recommends: icedtea-netx but it is not going to be installed
E: Broken packages
gnomefreak@Develpment:~$ install -f
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 72 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up ca-certificates-java (20110426) ...
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
 at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
 at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
 at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
 at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
 at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
 at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
 at sun.security.jca.ProviderList.getService(ProviderList.java:330)
 at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
 at java.security.Security.getImpl(Security.java:696)
 at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
 at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
 at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
 at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
 at sun.security.x509.X509Key.parse(X509Key.java:168)
 at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
 at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
 at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
 at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
 at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
 at sun.security.provider.X509Factory.engineGenerateCertificate(X5...

This is because of Bug #778726.

Thanks for your report.

This is because libnss3 installs the librairy in /usr/lib/i386-linux-gnu/libnss3.so rather than /usr/lib/libnss3.so

To workaround it open a terminal and run the following command:
$ sudo ln -s /usr/lib/i386-linux-gnu/libnss3.so /usr/lib/

Then install ca-certificates-java again.

This workaround could break other applications and is not advised to be left permanently on the system.

a better work around is to edit
/etc/java-6-openjdk/security/nss.cfg

fixed in openjdk-6_6b23~pre1-0ubuntu2

still broken for me.

# dpkg -l | grep -E '(ca-certificates-java|openjdk-6|icedtea-6)'
iF ca-certificates-java 20110426 Common CA certificates (JKS keystore)
iU icedtea-6-jre-cacao 6b23~pre1-0ubuntu2 Alternative JVM for OpenJDK, using Cacao
iU openjdk-6-jre-headless 6b23~pre1-0ubuntu2 OpenJDK Java runtime, using Hotspot JIT (headless)
iU openjdk-6-jre-lib 6b23~pre1-0ubuntu2 OpenJDK Java runtime (architecture independent libraries)

4 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]?
Setting up ca-certificates-java (20110426) ...
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
        at sun.security.jca.ProviderList.getService(ProviderList.java:330)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.security.Security.getImpl(Security.java:696)
        at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
        at sun.security.x509.X509Key.parse(X509Key.java:168)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1201)
        at UpdateCertificates.createKeyStore(UpdateCertificates.jav...

should I re-open?

Hi Fabien,

After updating openjdk and some apt-get tomfoolery it worked for me. I think, it really needs reproducing upgrading from Natty to Oneiric to re-open IMO.

$ dpkg -l | grep -E '(ca-certificates-java|openjdk-6|icedtea-6)'
ii ca-certificates-java 20110426 Common CA certificates (JKS keystore)
ii icedtea-6-jre-cacao 6b23~pre1-0ubuntu2 Alternative JVM for OpenJDK, using Cacao
ii icedtea-6-jre-jamvm 6b23~pre1-0ubuntu2 Alternative JVM for OpenJDK, using JamVM
ii openjdk-6-jdk 6b23~pre1-0ubuntu2 OpenJDK Development Kit (JDK)
ii openjdk-6-jre 6b23~pre1-0ubuntu2 OpenJDK Java runtime, using Hotspot JIT
ii openjdk-6-jre-headless 6b23~pre1-0ubuntu2 OpenJDK Java runtime, using Hotspot JIT (headless)
ii openjdk-6-jre-lib 6b23~pre1-0ubuntu2 OpenJDK Java runtime (architecture independent libraries)

Thanks.

*sigh* that was not the question. I sure know how to workaround it (*), but others may not.
The fix is in openjdk-6-jre-headless but it is not applied because ca-certificates-java is a dependency and must be done first, it's a catch 22 situation.

(*) "dpkg --configure -a --force-all" to let the "fix" in followed by a regular upgrade.

As Fabien said, today I was still having this problem, with all updates installed from doing dist-upgrade. Making a symlink fixed it, but I don't think this bug can be considered "fixed" if it's still breaking for people who have already upgraded to O. The dependencies as they are seem to ensure the fix won't ever actually make it into the system.

I'm reopening because it's reproducible and not fixed in a release upgrade scenario.

TEST CASE:
1. Install Natty
2. Install openjdk-6-jre
3. Changes release to Oneiric in /etc/apt/sources.list
4. apt-get update && apt-get upgrade

In https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/779174/comments/16, I presume you mean "apt-get update && apt-get dist-upgrade" for step 4, since "apt-get upgrade" won't install new packages or remove installed ones, and thus would often perform a partial upgrade producing a mixed Natty/Oneiric system of dubious functionality.

With that modification, and starting with a command-line only Natty system (freshly installed from the Natty i386 Alternate CD), I was able to reproduce the bug today. However, after running those commands, I then ran "apt-get dist-upgrade" again, and it was able to configure ca-certificates-java successfully. This workaround (of simply updating again, to trigger a re-attempt at configuring the package) had also worked on my fully-fledged graphical Oneiric system created by updating from Natty (that was the system on which I reported duplicate bug 779327) when the original fix for this bug was released. It also works when I create makeshift Oneiric live CD's by using the procedure at https://help.ubuntu.com/community/LiveCDCustomization and upgrading the live CD system's unpacked squashfs filesystem in the chroot (that is, in the chroot, ca-certificates-java initially fails to install, but when I run "apt-get upgrade" / "apt-get dist-upgrade" after the first attempt, it is installed/configured successfully).

That simple workaround has always been effective for me, but I'm not sure if it's effective in all cases. It would stand to reason that perhaps it's not, because if it is, then why have there been so many more sophisticated and cumbersome workarounds proposed here? If it is, then I think this should still be considered a bug needing fixing (packages are supposed to install correctly the first time), but perhaps its importance should be changed from Critical to Low. Or if it's important to document the bug it its original form as having Critical importance, perhaps this could be re-marked Fix Released and a new bug opened to document its new, more easily worked around form. That is, of course, assuming that it's as easily worked around on other systems as on mine, and for all I know, that might not be the case.

you're right that's written upgrade but should be read dist-upgrade. I changed the test case.

The problem is that ca-certificates-java is upgraded before the new version of openjdk-6-jre-headless which fixes this problem. So the problem is fixed but not the upgrade situation.

This bug was fixed in the package openjdk-6 - 6b23~pre2-0ubuntu1

---------------
openjdk-6 (6b23~pre2-0ubuntu1) oneiric; urgency=low

  * Fix non-bootstrap builds.
  * Depend against multiarch libnss3. LP: #779174.
  * Run jtreg tests using JamVM too.
  * Don't run the jtreg tests with the NSS security provider enabled.
  * Update JamVM to 20110528.
 -- Matthias Klose <email address hidden> Sat, 28 May 2011 15:43:50 +0200

still broken for me

Setting up ca-certificates (20110502+nmu1ubuntu2) ...
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
 at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
 at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
 at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
 at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
 at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
 at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
 at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
 at sun.security.jca.ProviderList.getService(ProviderList.java:330)
 at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
 at java.security.Security.getImpl(Security.java:696)
 at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
 at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
 at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
 at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
 at sun.security.x509.X509Key.parse(X509Key.java:168)
 at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
 at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
 at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
 at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
 at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
 at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
 at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
 at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
 at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
 at java.security.KeyStore.load(KeyStore.java:1201)
 at UpdateCertificates.createKeyStore(UpdateCertificates.java:65)
 at UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.FileNotFoundException: /usr/lib/x86_64-linux-gnu/libnss3.so
 at sun.security.pkcs11.Secmod.initialize(Secmod.java:186)
 at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
 ... 31 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.

@SWmail
That's Bug #855171.