When upgrading from maverick to oneiric receieved a number of error messages about ssl certs

Bug #873517 reported by Dan Parent on 2011-10-13
This bug affects 36 people
Affects Status Importance Assigned to Milestone
ca-certificates-java (Debian)
Fix Released
ca-certificates-java (Ubuntu)

Bug Description

While performing an upgrade from maverick to oneiric in a 32-bit Ubuntu server environment I noticed that it seemed like every pem file was failiing. I received errors like the following:

error adding /etc/ssl/certs/blah.pem

where blah could be replaced by what seemed like every pem file. My system continues to run fine, I do not run java processes other then the occasional ant build which continues to work as before. Not a fatal bug for myself, thought I'd report it since I noticed the error messages.

Dan Parent (daparent) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed
martin suc (martin-suc) wrote :

1. It happened all the time when upgrade to Oneiric. (from 11.04 ; 10 instances).
2. It happened on 32 and 64 bit versions.
3. It happened as well when installed new instance of Ubuntu 11.10.

nils (internationils) wrote :

Same problem here. Links seem to be fine, directories seem fine, privileges seem fine as well. No idea whats going on here

nils (internationils) wrote :
Download full text (7.0 KiB)

Heres something that could be related?
Setting up ca-certificates-java (20110912ubuntu3) ...
Installing new version of config file /etc/ca-certificates/update.d/jks-keystore
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
        at sun.security.x509.X509Key.parse(X509Key.java:168)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:7
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Facto
        at java.security.cert.CertificateFactory.generateCertificate(Certificate
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:5
        at java.security.KeyStore.load(KeyStore.java:1201)
        at UpdateCertificates.createKeyStore(UpdateCertificates.java:65)
        at UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:186)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
        ... 31 more

... and

Setting up ca-certificates-java (20110912ubuntu3) ...
Installing new version of config file /etc/ca-certificates/update.d/jks-keystore ...
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstruct

 installed by openjdk-6
        at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
        at sun.security.jca.ProviderList.getService(ProviderList.java:330)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.security.Security.getImpl(Security.java:696)
        at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
        at sun.security.x509.X509Key.pars...


Eric Larson (eric-ionrock) wrote :

I've had trouble connecting to services in my organization because the cert verification failed. Here is a traceback from a Python script that hits the error:

Traceback (most recent call last):
  File "/home/eric/bin/qpaste", line 52, in <module>
    resp, content = h.request(paste_url, 'POST', urlencode(data))
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1436, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1188, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1123, in _conn_request
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 911, in connect
    raise SSLHandshakeError(e)
httplib2.SSLHandshakeError: [Errno 1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Eric Larson (eric-ionrock) wrote :

The fix for me seemed to be reconfiguring and re-adding all the certs. I made a mistake and removed them all first and then added them back, so I'm not sure if the removal then addition is what fixed the issue.

Eric Larson (eric-ionrock) wrote :

When I say "reconfigure" I do mean running: dpkg-reconfigure ca-certificates and selecting all the certs in the dialog that comes up.

gjohn (gjohn) wrote :

I noticed the same errors about adding certificates/pem files when upgrading to 11.10 Oneiric from 11.04

Ubuntu on Virtualbox 4.1

Installed java sdk on Ubuntu 10.04, using aptitude as:
sudo aptitude install openjdk-6-jdk

Upgrade to 11.10 from Update manager UI
I did not run pending 11.04 updates before starting the upgrade to 11.10

Changed in ca-certificates-java (Debian):
status: Unknown → Fix Released
Daniel Richard G. (skunk) wrote :

I see these error messages on installation of ca-certificates-java on a new Oneiric install:

Setting up ca-certificates-java (20110912ubuntu3) ...
Adding debian:Comodo_AAA_Services_root.pem
Adding debian:TC_TrustCenter_Universal_CA_I.pem
Adding debian:GeoTrust_Primary_Certification_Authority_-_G2.pem
Adding debian:Thawte_Server_CA.pem
Adding debian:signet_ocspklasa3_pem.pem
Adding debian:signet_pca3_pem.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/NetLock_Arany_=Class_Gold=_F??tan??s??tv??ny.pem. Message:
  /etc/ssl/certs/NetLock_Arany_=Class_Gold=_F??tan??s??tv??ny.pem (No such file or directory)
Adding debian:thawte_Primary_Root_CA.pem
Adding debian:VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
Adding debian:DST_Root_CA_X3.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/T??B??TAK_UEKAE_K??k_Sertifika_Hizmet_Sa??lay??c??s??_-_S??r??m_3.pem. Message:
  /etc/ssl/certs/T??B??TAK_UEKAE_K??k_Sertifika_Hizmet_Sa??lay??c??s??_-_S??r??m_3.pem (No such file or directory)
Adding debian:WellsSecure_Public_Root_Certificate_Authority.pem
Adding debian:Comodo_Trusted_Services_root.pem
Adding debian:brasil.gov.br.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem. Message:
  /etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem (No such file or directory)
Adding debian:thawte_Primary_Root_CA_-_G3.pem
Adding debian:Comodo_Secure_Services_root.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/AC_Ra??z_Certic??mara_S.A..pem. Message:
  /etc/ssl/certs/AC_Ra??z_Certic??mara_S.A..pem (No such file or directory)
Adding debian:Thawte_Premium_Server_CA.pem
Adding debian:Sonera_Class_2_Root_CA.pem
Adding debian:Entrust_Root_Certification_Authority.pem
Adding debian:Digital_Signature_Trust_Co._Global_CA_3.pem

As noted in the linked Debian bug report, it seems some script is having trouble handling certificates with special characters in their filenames.

demon.ar (alejandro-moya) wrote :

I'm using the upgrade feature and have the same issue, nov/17

Benjamin Bach (benjaoming) wrote :

Confirmed that it is still present when upgrading to 11.10.

"sudo dpkg-reconfigure ca-certificate" after upgrading + selecting yes to trust all certificates and selecting all of the from a list works as @Eric Larson hinted.

Boris Dušek (dusek) wrote :

I have experienced this issue today when upgrading a 32-bit fully up-to-date 11.04 system to 11.10.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.