So we had to update ca-certificates to call c_rehash over the /etc/ssl/certs directory to fix bad symlinks, and this seems to have exposed a bug in ca-certificates-java: /etc/ca-certificates/update.d/jks-keystore is removing the system libnss3.so from users' systems on failure due to a wrong path.
The fix for ca-certificates-java has been uploaded to the archive and will be published ASAP.
So we had to update ca-certificates to call c_rehash over the /etc/ssl/certs directory to fix bad symlinks, and this seems to have exposed a bug in ca-certificates -java: /etc/ca- certificates/ update. d/jks-keystore is removing the system libnss3.so from users' systems on failure due to a wrong path.
The fix for ca-certificates -java has been uploaded to the archive and will be published ASAP.