Ubuntu
ca-certificates-java package

ca-certificates-jave fails to add certificates from TU Berlin

Bug #664412 reported by FFischer
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates-java (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: ca-certificates-java

happens since I added cert files from TU-Berlin ( http://www.tubit.tu-berlin.de/wlan/zugang_und_anleitungen/eduroam_mit_linux_gnome/ )

Link to Cert File http://www.tubit.tu-berlin.de/fileadmin/a40000000/tubIT/Trustcenter/TU-Berlin_Zertifikatkette.pem

Recommende Installation for Ubuntu 10.04 (I'm using 10.10 Netbook Edition)

wget www.tubit.tu-berlin.de/fileadmin/a40000000/tubIT/Trustcenter/TU-Berlin_Zertifikatkette.pem

mkdir -p /usr/share/ca-certificates/tu-berlin.de

mv TU-Berlin_Zertifikatkette.pem /usr/share/ca-certificates/tu-berlin.de/TU-Berlin_Zertifikatkette.pem

echo tu-berlin.de/TU-Berlin_Zertifikatkette.pem >> /etc/ca-certificates.conf

update-ca-certificates

ProblemType: Package
DistroRelease: Ubuntu 10.10
Package: ca-certificates-java 20100412
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic i686
Architecture: i386
Date: Thu Oct 21 08:36:21 2010
ErrorMessage: Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
InstallationMedia: Ubuntu-Netbook 10.04 "Lucid Lynx" - Release i386 (20100429.4)
PackageArchitecture: all
SourcePackage: ca-certificates-java
Title: package ca-certificates-java 20100412 failed to install/upgrade: Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück

Revision history for this message
FFischer (ffischer) wrote :
Revision history for this message
Tim Cutts (timc) wrote :

Also on lucid, I see something like this on our Ubuntu machines at the Sanger Institute; we have our own local CA, and the keytool invocation in the postinst script which attempts to add the certificate fails. I edited the postinst script to include set -x so that I could get something out of it, and noticed (1) that the init script deletes the temporary output file even if the script fails, which means that you can't see the errors. So, I changed it so that it doesn't delete the tempfile if there are errors, and this then showed me that the following part of the script execution path shows the error being generated:

+ LANG=C
+ LC_ALL=C
+ keytool -importcert -trustcacerts -keystore /etc/ssl/certs/java/cacerts -providerClass sun.security.pkcs11.SunPKCS11 -providerArg '${java.home}/lib/security/nss.cfg' -noprompt -storepass changeit -alias genome_research_ltd_certificate_authority_cert_pem -file /usr/share/ca-certificates/sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
+ grep -q 'Signature not available' /tmp/fileW2Zx2A
+ echo ' error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem'
  error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
++ expr 0 + 1
+ errors=1

and the log entry says:

keytool error: java.security.ProviderException: Secmod module already configured

Google doesn't have much to say about this particular error. This is causing us serious issues, since it's causing dpkg and aptitude to fall over on most machines, perpetually trying to run the ca-certificates-java postinst script.

Revision history for this message
Tim Cutts (timc) wrote :

Sorry - I think my problem's slightly different... it doesn't involve update-ca-certificates. I'll file a separate report.

Revision history for this message
revo (sylvain-mouquet) wrote :

i get this result :
Warning: there was a problem reading the certificate file /etc/ssl/certs/TU-Berlin_Zertifikatkette.pem.pem. Message:
  invalid DER-encoded certificate data

# ls -l /etc/ssl/certs | grep TU
lrwxrwxrwx 1 root root 69 2012-04-01 11:40 TU-Berlin_Zertifikatkette.pem.pem -> /usr/share/ca-certificates/tu-berlin.de/TU-Berlin_Zertifikatkette.pem

Revision history for this message
Vladimir Petko (vpa1977) wrote :

EOL reached for the affected version April 30, 2015.

Closing as Invalid.

Changed in ca-certificates-java (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.