openjdk team mailing list archive

Thread
Date

[Bug 779929] Re: keytool error on postinst, local CA certificate

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Vladimir Petko <779929@xxxxxxxxxxxxxxxxxx>
Date: Thu, 12 Jan 2023 02:46:37 -0000
Reply-to: Bug 779929 <779929@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

EOL reached for the affected version April 30, 2015.

Closing as Invalid.

** Changed in: ca-certificates-java (Ubuntu)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/779929

Title:
  keytool error on postinst, local CA certificate

Status in ca-certificates-java package in Ubuntu:
  Invalid

Bug description:
  Binary package hint: ca-certificates-java

  Description:	Ubuntu 10.04.2 LTS
  Release:	10.04

  ca-certificates-java:
    Installed: 20100406ubuntu1
    Candidate: 20100406ubuntu1
    Version table:
   *** 20100406ubuntu1 0
          990 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status

  
  Here at the Sanger Institute we have our own local CA.  We distribute the certificate for that CA to all of our machines using cfengine.  This works fine with the regular ca-certificates stuff on both Debian and Ubuntu.  But it fails with ca-certificates-java, as follows:

  The keytool invocation in the postinst script which attempts to add
  the certificate fails, and the error is discarded, so it's not
  immediately obvious what went wrong.

  I edited the postinst script to include set -x so that I could get
  something out of it, and noticed (1) that the init script deletes the
  temporary output file even if the script fails, which means that you
  can't see the errors. So, I changed it so that it doesn't delete the
  tempfile if there are errors, and this then showed me that the
  following part of the script execution path shows the error being
  generated:

  + LANG=C
  + LC_ALL=C
  + keytool -importcert -trustcacerts -keystore /etc/ssl/certs/java/cacerts -providerClass sun.security.pkcs11.SunPKCS11 -providerArg '${java.home}/lib/security/nss.cfg' -noprompt -storepass changeit -alias genome_research_ltd_certificate_authority_cert_pem -file /usr/share/ca-certificates/sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
  + grep -q 'Signature not available' /tmp/fileW2Zx2A
  + echo ' error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem'
    error adding sanger.ac.uk/Genome_Research_Ltd_Certificate_Authority-cert.pem
  ++ expr 0 + 1
  + errors=1

  and the log entry says:

  keytool error: java.security.ProviderException: Secmod module already
  configured

  Google doesn't have much to say about this particular error. This is
  causing us serious issues, since it's causing dpkg and aptitude to
  fall over on most machines, perpetually trying to run the ca-
  certificates-java postinst script.

  Hopefully you know what that error means...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/779929/+subscriptions

References

[Bug 779929] [NEW] keytool error on postinst, local CA certificate
From: Tim Cutts, 2011-05-09