keytool error on postinst, local CA certificate

Bug #779929 reported by Tim Cutts
This bug affects 3 people
Affects: ca-certificates-java (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: ca-certificates-java

Description: Ubuntu 10.04.2 LTS
Release: 10.04

ca-certificates-java:
  Installed: 20100406ubuntu1
  Candidate: 20100406ubuntu1
  Version table:
 *** 20100406ubuntu1 0
        990 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

Here at the Sanger Institute we have our own local CA. We distribute the certificate for that CA to all of our machines using cfengine. This works fine with the regular ca-certificates stuff on both Debian and Ubuntu. But it fails with ca-certificates-java, as follows:

The keytool invocation in the postinst script which attempts to add the certificate fails, and the error is discarded, so it's not immediately obvious what went wrong.

I edited the postinst script to include set -x so that I could get something out of it, and noticed (1) that the init script deletes the temporary output file even if the script fails, which means that you can't see the errors. So, I changed it so that it doesn't delete the tempfile if there are errors, and this then showed me that the following part of the script execution path shows the error being generated:

+ LANG=C
+ LC_ALL=C
+ keytool -importcert -trustcacerts -keystore /etc/ssl/certs/java/cacerts -providerClass sun.security.pkcs11.SunPKCS11 -providerArg '${java.home}/lib/security/nss.cfg' -noprompt -storepass changeit -alias genome_research_ltd_certificate_authority_cert_pem -file /usr/share/ca-certificates/sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
+ grep -q 'Signature not available' /tmp/fileW2Zx2A
+ echo ' error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem'
  error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
++ expr 0 + 1
+ errors=1

and the log entry says:

keytool error: java.security.ProviderException: Secmod module already configured

Google doesn't have much to say about this particular error. This is causing us serious issues, since it's causing dpkg and aptitude to fall over on most machines, perpetually trying to run the ca-certificates-java postinst script.

Hopefully you know what that error means...
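
The report above describes keytool's output being captured to a temporary file that is deleted even when the import fails. The following is an added sketch, not the package's postinst script, of an import wrapper that keeps and prints that output on failure; `import_cert`, `KEYTOOL`, `KEYSTORE`, `STOREPASS` and `LAST_LOG` are names assumed here, and the keytool options are those visible in the trace above, without the provider arguments.

```shell
#!/bin/sh
# Added example: import one CA certificate into the Java keystore and
# keep keytool's output when the import fails.
# All variable and function names below are assumptions of this sketch.
KEYTOOL="${KEYTOOL:-keytool}"
KEYSTORE="${KEYSTORE:-/etc/ssl/certs/java/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
LAST_LOG=

# import_cert ALIAS PEM_FILE
# Returns 0 on success and removes the captured output.
# Returns 1 on failure, prints the captured output to stderr and leaves
# the log file on disk; its path is stored in LAST_LOG.
import_cert() {
    alias_name=$1
    pem=$2
    log=$(mktemp) || return 2
    LAST_LOG=$log
    if LANG=C LC_ALL=C "$KEYTOOL" -importcert -trustcacerts \
        -keystore "$KEYSTORE" -noprompt -storepass "$STOREPASS" \
        -alias "$alias_name" -file "$pem" >"$log" 2>&1
    then
        # Success: nothing to diagnose, so the log can go.
        rm -f "$log"
        LAST_LOG=
        return 0
    fi
    # Failure: show what keytool said and keep the file for later inspection.
    echo "  error adding $pem (keytool output kept in $log):" >&2
    sed 's/^/    /' "$log" >&2
    return 1
}
```

A caller can count failures from the return status, as the original loop does, while the reason for each failure stays visible in the terminal and on disk.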

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed
Tim Cutts (timc) wrote :

Any chance of this bug receiving some attention? While Canonical still supported the Sun JRE packages, there was a workaround, but now that those packages have been dropped, that workaround no longer exists, making the issue much more serious.

Vladimir Petko (vpa1977) wrote :

EOL reached for the affected version April 30, 2015.

Closing as Invalid.

Changed in ca-certificates-java (Ubuntu):
status: Confirmed → Invalid