update-ca-certificates fails due to no /etc/ssl/certs/java directory existing

Bug #1895435 reported by Stephen Fletcher
This bug affects 3 people
Affects: ca-certificates-java (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Issue:
/etc/ssl/certs/java/cacerts cannot update when running /usr/local/share/ca-certificates and attempting to update when ca-certificates-java package is installed

Issue Description:

When /etc/ssl/certs/java is not available, update-ca-certificates fails with the following traceback:

org.debian.security.UnableToSaveKeystoreException: There was a problem saving the new Java keystore.
        at org.debian.security.KeyStoreHandler.save(KeyStoreHandler.java:86)
        at org.debian.security.UpdateCertificates.finish(UpdateCertificates.java:108)
        at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:54)
Caused by: java.io.FileNotFoundException: /etc/ssl/certs/java/cacerts (No such file or directory)
        at java.base/java.io.FileOutputStream.open0(Native Method)
        at java.base/java.io.FileOutputStream.open(FileOutputStream.java:298)
        at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:237)
        at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:126)
        at org.debian.security.KeyStoreHandler.save(KeyStoreHandler.java:82)
        ... 2 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.

No updated /etc/ssl/certs/java/cacerts is created.

Workaround:

        if [ ! -d "/etc/ssl/certs/java" ]; then
            mkdir -p /etc/ssl/certs/java
        fi

Tags: patch fr-3181
Alex Murray (alexmurray) wrote :

Thanks for reporting this issue, do you mind if I make the bug public so other developers can see it and have the opportunity to resolve it?

Stephen Fletcher (mridion) wrote :

Issue occurs in /etc/ca-certificates/update.d/jks-keystore

Attached is a patch to create the directory if missing and set correct permissions.

affects: ca-certificates (Ubuntu) → ca-certificates-java (Ubuntu)
Stephen Fletcher (mridion) wrote :

Sure, no problem. I have added a fix for the issue. ca-certificates-java does appear to correctly create the directory on installation. It just fails to be recreated if deleted through the normal update script.
None of the core SSL cert update components is affected. It would only potentially fail for any further custom hook scripts that are added by the end user if the included one is run first.

description: updated
Stephen Fletcher (mridion) wrote :

I modified the patch to ensure the original directory permissions are recreated.
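
The directory check discussed in the comments above, as an added example that is not the patch attached to this bug: it recreates the keystore directory with an explicit mode and refuses to proceed if the path is a symlink or a non-directory. The function name `ensure_keystore_dir` is hypothetical, and mode 755 is an assumption about the packaged permissions of /etc/ssl/certs/java.

```shell
#!/bin/sh
# Added example (not the attached patch): make sure the Java keystore
# directory exists with a known mode before a hook writes cacerts into it.
# Assumption: 755 is the packaged mode of /etc/ssl/certs/java.

# ensure_keystore_dir DIR [MODE]
# Returns 0 when DIR is a real directory with MODE, 1 when it refuses.
ensure_keystore_dir() {
    dir=$1
    mode=${2:-755}

    # A symlink here could redirect the trust store write elsewhere.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi

    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "refusing: $dir exists but is not a directory" >&2
        return 1
    fi

    if [ ! -d "$dir" ]; then
        # install -d -m sets the mode on the final directory regardless of
        # the caller's umask, unlike a plain mkdir -p.
        install -d -m "$mode" "$dir" || return 1
        echo "created $dir with mode $mode" >&2
        return 0
    fi

    # Directory exists: repair a drifted mode (for example world-writable).
    current=$(stat -c '%a' "$dir") || return 1
    if [ "$current" != "$mode" ]; then
        chmod "$mode" "$dir" || return 1
        echo "reset $dir mode from $current to $mode" >&2
    fi
    return 0
}

# Typical use as root, before the keystore hook runs:
#   ensure_keystore_dir /etc/ssl/certs/java 755 && update-ca-certificates
```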

Alex Murray (alexmurray)
information type: Private Security → Public
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to recreate /etc/ssl/certs/java if missing with original permissions when jks-keystore hook run via update-ca-certificates" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed
Vladimir Petko (vpa1977)
tags: added: fr-3181