openjdk team mailing list archive

[Bug 779929] [NEW] keytool error on postinst, local CA certificate

 

Public bug reported:

Binary package hint: ca-certificates-java

Description:	Ubuntu 10.04.2 LTS
Release:	10.04

ca-certificates-java:
  Installed: 20100406ubuntu1
  Candidate: 20100406ubuntu1
  Version table:
 *** 20100406ubuntu1 0
        990 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status


Here at the Sanger Institute we have our own local CA.  We distribute the certificate for that CA to all of our machines using cfengine.  This works fine with the regular ca-certificates stuff on both Debian and Ubuntu.  But it fails with ca-certificates-java, as follows:

The keytool invocation in the postinst script which attempts to add the
certificate fails, and the error is discarded, so it's not immediately
obvious what went wrong.

I edited the postinst script to include set -x so that I could get
something out of it, and noticed (1) that the init script deletes the
temporary output file even if the script fails, which means that you
can't see the errors. So, I changed it so that it doesn't delete the
tempfile if there are errors, and this then showed me that the following
part of the script execution path shows the error being generated:

+ LANG=C
+ LC_ALL=C
+ keytool -importcert -trustcacerts -keystore /etc/ssl/certs/java/cacerts -providerClass sun.security.pkcs11.SunPKCS11 -providerArg '${java.home}/lib/security/nss.cfg' -noprompt -storepass changeit -alias genome_research_ltd_certificate_authority_cert_pem -file /usr/share/ca-certificates/sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
+ grep -q 'Signature not available' /tmp/fileW2Zx2A
+ echo ' error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem'
  error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
++ expr 0 + 1
+ errors=1

and the log entry says:

keytool error: java.security.ProviderException: Secmod module already
configured

Google doesn't have much to say about this particular error. This is
causing us serious issues, since it's causing dpkg and aptitude to fall
over on most machines, perpetually trying to run the
ca-certificates-java postinst script.

Hopefully you know what that error means...

** Affects: ca-certificates-java (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/779929
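
The failure mode described in this report (keytool's output discarded, and the temporary file deleted even when an import fails) can be avoided with a pattern like the one below. This is an added example, not the ca-certificates-java postinst and not part of the original report; `import_one`, `cert_alias`, `import_certs`, `IMPORT_ERRORS` and `IMPORT_LOG` are hypothetical names, and the keytool flags are the ones in the trace above without the PKCS#11 provider arguments.

```shell
#!/bin/sh
# Added example: keep keytool's output whenever an import fails.

# Hypothetical wrapper around keytool: $1=keystore $2=alias $3=PEM file.
# Flags are those in the report's trace, minus -providerClass/-providerArg.
import_one() {
    LANG=C LC_ALL=C keytool -importcert -trustcacerts -noprompt \
        -keystore "$1" -storepass changeit -alias "$2" -file "$3"
}

# Alias in the same shape as the one in the trace: lower-cased basename
# with every character outside [a-z0-9] replaced by "_".
cert_alias() {
    basename "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9\n' '_'
}

# import_certs KEYSTORE PEM...
# Sets IMPORT_ERRORS (count) and IMPORT_LOG (path, empty if nothing failed).
# Returns 0 if every import succeeded, 1 otherwise.
import_certs() {
    keystore=$1; shift
    IMPORT_ERRORS=0
    IMPORT_LOG=$(mktemp) || return 2
    for pem in "$@"; do
        # Capture stdout and stderr together; the if-form stays safe under set -e.
        if out=$(import_one "$keystore" "$(cert_alias "$pem")" "$pem" 2>&1); then
            rc=0
        else
            rc=$?
            IMPORT_ERRORS=$((IMPORT_ERRORS + 1))
            printf '%s (exit %s): %s\n' "$pem" "$rc" "$out" >>"$IMPORT_LOG"
            echo "  error adding $pem: $out" >&2
        fi
    done
    if [ "$IMPORT_ERRORS" -eq 0 ]; then
        rm -f "$IMPORT_LOG"      # nothing to diagnose, clean up
        IMPORT_LOG=
        return 0
    fi
    echo "keytool output kept in $IMPORT_LOG" >&2   # log survives the failure
    return 1
}
```

A maintainer script using this pattern surfaces the underlying tool error on the first failed run, rather than only the generic "error adding" line.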
