ca-certificates-java doesn't create /etc/ssl/certs/java/cacerts

Bug #1396760 reported by us2000 on 2014-11-26
114
This bug affects 23 people
Affects Status Importance Assigned to Milestone
ca-certificates-java (Debian)
Fix Released
Unknown
ca-certificates-java (Ubuntu)
High
Unassigned

Bug Description

Ubuntu server 14.10 64 bit:
sudo apt-get install openjdk-8-jre-headless
installs also ca-certificates-java which results in follwing error during install:

...
Setting up ca-certificates-java (20140324) ...
/var/lib/dpkg/info/ca-certificates-java.postinst: line 53: java: command not found
/var/lib/dpkg/info/ca-certificates-java.postinst: line 66: java: command not found
done.
Processing triggers for ca-certificates (20140325) ...
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
/etc/ca-certificates/update.d/jks-keystore: 82: /etc/ca-certificates/update.d/jks-keystore: java: not found
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
...

This results in an unconfigued empty /etc/ssl/certs/java/cacerts.
This induces errors in user applications like " javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Solution:
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure

The root cause for the error is to me unknown, maybe wrong sequence order during package configuration?

BR
us2000

Description: Ubuntu 14.10
Release: 14.10

ca-certificates-java:
  Installed: 20140324
  Candidate: 20140324
  Version table:
 *** 20140324 0
        500 http://de.archive.ubuntu.com/ubuntu/ utopic/main amd64 Packages
        100 /var/lib/dpkg/status
openjdk-8-jre-headless:
  Installed: 8u40~b09-1
  Candidate: 8u40~b09-1
  Version table:
 *** 8u40~b09-1 0
        500 http://de.archive.ubuntu.com/ubuntu/ utopic/universe amd64 Packages
        100 /var/lib/dpkg/status

us2000 (q-launchpad-r) on 2014-11-26
affects: lubuntu-meta (Ubuntu) → ca-certificates-java (Ubuntu)
Hans Joachim Desserud (hjd) wrote :

Thanks for taking your time to report this issue and help making Ubuntu better.

I stumbled across this issue after I had reported a similar one. (Bug 1406483 where I triggered it by installing maven and openjdk-8-jdk)

I was able to reproduce this issue when installing openjdk-8-jre-headless on Ubuntu 14.10, though when I tried on Ubuntu Vivid it added the certificates and worked fine. Tough I don't see why it would as neither openjdk-8 nor the ca-certificates-java package has changed between these two releases.

(Oh, and I also found bug 983302 where it looks like the same issue has plagued the headless package for openjdk-7)

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed
tags: added: utopic
Changed in ca-certificates-java (Ubuntu):
importance: Undecided → High
Tianon Gravi (tianon) wrote :

Has this also been reported upstream in Debian? I can't find anything related in the BTS.

Hans Joachim Desserud (hjd) wrote :

>Has this also been reported upstream in Debian?

No, I don't think so. I've tried here with a minimal Sid VM, but I have not been able to reproduce this issue nor bug 1406483 which I stumbled across recently. So while I would normally forward bugs to Debian, I am hesitant since I'm not able to trigger the issue there. I don't really know how to investigate this issue further so I'm open to suggestions.

us2000 (q-launchpad-r) wrote :

Reproduce with Virtualbox:

lubuntu-14.10-desktop-amd64.iso (md5:60e666e9459ec52e56aa6cbd94d6895e)
No install, boot into life-system
(Kernel Boot Parameter vga=791 for display bug)
Then in the Live-System:
 sudo apt-get update
 sudo apt-get install openjdk-8-jre-headless

--or--

ubuntu-14.10-server-amd64.iso (md5:91bd1cfba65417bfa04567e4f64b5c55)
Default install, only openssh-server installed
Then in the installed system:
 sudo apt-get update
 sudo apt-get install openjdk-8-jre-headless

Java bug also triggered, when you do an system update before java install:
 sudo apt-get update
 sudo apt-get upgrade
 sudo apt-get dist-upgrade
 reboot
 sudo apt-get update
 sudo apt-get install openjdk-8-jre-headless

debian-live-7.7.0-amd64-lxde-desktop.iso
-->could not be tested, there exists no openjdk-8-* package in default apt config

Best regards us2000

us2000 (q-launchpad-r) wrote :

fetched java version in ubuntu: 8u40~b09-1_amd64

Tianon Gravi (tianon) wrote :

https://bugs.debian.org/775775 :D

(more reproducing, and a patch)

Hans Joachim Desserud (hjd) wrote :

>https://bugs.debian.org/775775

Thanks, I wasn't able to trigger this on Debian. I've attached a bug watch so that we'll be notified when the issue is fixed.

Changed in ca-certificates-java (Debian):
status: Unknown → New
Sturm Flut (sturmflut) wrote :

I've just run into this bug on Vivid with OpenJDK 8u45-b14-1_amd64 and ca-certificates-java 20140324. The solution proposed by the original poster of this bug report worked.

Mondane (mondane-woodworker) wrote :

Same problem on a clean Ubuntu 15.04 installation.

Mondane (mondane-woodworker) wrote :

NB OpenJDK was installed after I installed this package: http://sourceforge.net/projects/davmail/files/davmail/4.6.1/davmail_4.6.1-2343-1_all.deb/download . Maybe it's a dependency related issue?

tags: added: vivid
guyvdb (guyvdb-gmail) wrote :

Same problem here on a fully updated 15.04. The reported solution works. This bug breaks the use of sbt and maven build systems.

Thanks alot !

I think for me the problem came from installing openjdk-8-jre first and then openjdk-8-jdk. I used sudo apt-get install. Anyways, your solution worked perfectly.

Changed in ca-certificates-java (Debian):
status: New → Fix Released
Benjamin Drung (bdrung) wrote :

This bug is fixed in ca-certificates-java 20160321 (see bug #1560405) in Ubuntu 16.04 (xenial).

Changed in ca-certificates-java (Ubuntu):
status: Confirmed → Fix Released

We just ran into this bug on 14.04
How come it never got backported? This is a super serious issue, and just led to a outage on our site :(

Hans Joachim Desserud (hjd) wrote :

>How come it never got backported?

I guess nobody requested it for an older release before now, see https://wiki.ubuntu.com/StableReleaseUpdates#Procedure for details.

Though, I do wonder whether what you are experiencing is the exact same issue. According to bug 1560405 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775775 it looks like this was fixed by adding support for openjdk-8, but that doesn't seem to be available in 14.04 (https://launchpad.net/ubuntu/+source/openjdk-8). So... I'm not sure if that would actually fix things or if you are encountering a separate but similar issue.

We bring in Java 8 from openjdk-r. Not having supported Java 8 in Trusty is one of our other huge gripes, and arguably the fact that it's not integrated and tested but you have to use a PPA instead is part of why these problems don't get found until users try to use the software :)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.