Bug#690204: ca-certificates{, -java}: many errors during squeeze->wheezy upgrades, probably related to configuration order and update.d/
Andreas Beckmann
debian at abeckmann.de
Thu Oct 11 07:23:22 UTC 2012
Package: ca-certificates,ca-certificates-java
Version: 20120623
Severity: serious
User: debian-qa at lists.debian.org
Usertags: piuparts
Control: found -1 20120721
Hi,
during a test with piuparts I noticed many errors related to
ca-certificates (or ca-certificates-java?) in successful piuparts tests
(i.e. there were errors, but these were ignored and package installation
did not fail).
I'm not really sure which package(s) is/are the problem here ...
Not knowing any details about these certificates and java ... I think
we are hitting the following problems:
* ca-certificates runs the old version of
  /etc/ca-certificates/update.d/jks-keystore (from ca-certificates-java)
  because ca-certificates-java is not yet configured
  (could this be deferred to a trigger in ca-certificates-java?)
* ca-certificates-java may be configured before openjdk-6-jre-headless
  and fails because it uses an old version of
  /etc/java-6-openjdk/security/nss.cfg
  (may need some Depends/Breaks relationship bumping somewhere?)
I haven't counted, but this seems to happen many many times.
I'm setting the severity to serious because seeing a java backtrace in a
"successful" upgrade does not look OK.
From ca-certificates-java_20120721.log:
Setting up ca-certificates (20120623) ...
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... 151 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
error adding /etc/ssl/certs/cacert.org.pem
error adding /etc/ssl/certs/ca.pem
error adding /etc/ssl/certs/AddTrust_External_Root.pem
error adding /etc/ssl/certs/AddTrust_Low-Value_Services_Root.pem
error adding /etc/ssl/certs/AddTrust_Public_Services_Root.pem
[...]
error adding /etc/ssl/certs/ePKI_Root_Certification_Authority.pem
error adding /etc/ssl/certs/thawte_Primary_Root_CA_-_G2.pem
error adding /etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pem
failed (VM used: java-6-cacao).
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
Setting up java-common (0.47) ...
[...]
Setting up openjdk-6-jre-lib (6b24-1.11.4-3) ...
Setting up openjdk-6-jre-headless:amd64 (6b24-1.11.4-3) ...
Installing new version of config file /etc/java-6-openjdk/fontconfig.properties ...
Installing new version of config file /etc/java-6-openjdk/accessibility.properties ...
Installing new version of config file /etc/java-6-openjdk/calendars.properties ...
Installing new version of config file /etc/java-6-openjdk/psfont.properties.ja ...
Installing new version of config file /etc/java-6-openjdk/security/java.policy ...
Installing new version of config file /etc/java-6-openjdk/security/nss.cfg ...
Installing new version of config file /etc/java-6-openjdk/security/java.security ...
Installing new version of config file /etc/java-6-openjdk/psfontj2d.properties ...
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/pack200 to provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/unpack200 to provide /usr/bin/unpack200 (unpack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/orbd to provide /usr/bin/orbd (orbd) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/servertool to provide /usr/bin/servertool (servertool) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/tnameserv to provide /usr/bin/tnameserv (tnameserv) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode
Setting up libswitch-perl (2.16-2) ...
Setting up ca-certificates-java (20120721) ...
Installing new version of config file /etc/ca-certificates/update.d/jks-keystore ...
Removing diginotar_root_ca
Adding debian:thawte_Primary_Root_CA_-_G3.pem
Adding debian:thawte_Primary_Root_CA_-_G2.pem
Adding debian:ePKI_Root_Certification_Authority.pem
Adding debian:certSIGN_ROOT_CA.pem
[...]
Removing addtrust_low_value_services_root
Adding debian:AddTrust_Low-Value_Services_Root.pem
Removing addtrust_external_root
Adding debian:AddTrust_External_Root.pem
Removing ca
Adding debian:ca.pem
Removing cacert_org
Adding debian:cacert.org.pem
done.
That seems to have succeeded finally.
From bsh_2.0b4-12.log:
Setting up ca-certificates (20120623) ...
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs... 151 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updating keystore /etc/ssl/certs/java/cacerts...
error adding /etc/ssl/certs/cacert.org.pem
error adding /etc/ssl/certs/ca.pem
[...]
error adding /etc/ssl/certs/thawte_Primary_Root_CA_-_G2.pem
error adding /etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pem
failed (VM used: java-6-cacao).
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
Setting up java-common (0.47) ...
Setting up openjdk-6-jre-lib (6b24-1.11.4-3) ...
Setting up ca-certificates-java (20120721) ...
Installing new version of config file /etc/ca-certificates/update.d/jks-keystore ...
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
at sun.security.jca.ProviderList.getService(ProviderList.java:330)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
at java.security.Security.getImpl(Security.java:696)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
at sun.security.x509.X509Key.parse(X509Key.java:168)
at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1751)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1201)
at UpdateCertificates.openKeyStore(UpdateCertificates.java:94)
at UpdateCertificates.<init>(UpdateCertificates.java:79)
at UpdateCertificates.main(UpdateCertificates.java:63)
Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
at sun.security.pkcs11.Secmod.initialize(Secmod.java:186)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
... 32 more
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
at sun.security.jca.ProviderList.getService(ProviderList.java:330)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
at java.security.Security.getImpl(Security.java:696)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
at sun.security.x509.X509Key.parse(X509Key.java:168)
at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1751)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1201)
at UpdateCertificates.openKeyStore(UpdateCertificates.java:94)
at UpdateCertificates.<init>(UpdateCertificates.java:79)
at UpdateCertificates.main(UpdateCertificates.java:63)
Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
at sun.security.pkcs11.Secmod.initialize(Secmod.java:186)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
... 32 more
done.
Setting up openjdk-6-jre-headless:amd64 (6b24-1.11.4-3) ...
Installing new version of config file /etc/java-6-openjdk/fontconfig.properties ...
Installing new version of config file /etc/java-6-openjdk/accessibility.properties ...
Installing new version of config file /etc/java-6-openjdk/calendars.properties ...
Installing new version of config file /etc/java-6-openjdk/psfont.properties.ja ...
Installing new version of config file /etc/java-6-openjdk/security/java.policy ...
Installing new version of config file /etc/java-6-openjdk/security/nss.cfg ...
Installing new version of config file /etc/java-6-openjdk/security/java.security ...
Installing new version of config file /etc/java-6-openjdk/psfontj2d.properties ...
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/keytool to provide /usr/bin/keytool (keytool) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/pack200 to provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/rmiregistry to provide /usr/bin/rmiregistry (rmiregistry) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/unpack200 to provide /usr/bin/unpack200 (unpack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/orbd to provide /usr/bin/orbd (orbd) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/servertool to provide /usr/bin/servertool (servertool) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/tnameserv to provide /usr/bin/tnameserv (tnameserv) in auto mode
update-alternatives: using /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/jexec to provide /usr/bin/jexec (jexec) in auto mode
That seems to have failed finally.
Cheers,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ca-certificates-java_20120721.log.gz
Type: application/x-gzip
Size: 29174 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20121011/a020b37b/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bsh_2.0b4-12.log.gz
Type: application/x-gzip
Size: 29030 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20121011/a020b37b/attachment-0003.bin>
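An added example, not part of the original message or of piuparts: a small scanner that attributes the error lines seen in the logs above to the package being configured at that moment and checks the configuration order, so that a "successful" upgrade with a failed keystore hook is flagged. The sample log is constructed by abridging the quoted output; the function names and finding labels are assumptions of this example.

```python
import re

# Constructed sample, abridged from the two piuparts logs quoted in the report.
SAMPLE_LOG = """\
Setting up ca-certificates (20120623) ...
Running hooks in /etc/ca-certificates/update.d....
error adding /etc/ssl/certs/cacert.org.pem
error adding /etc/ssl/certs/ca.pem
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
Setting up java-common (0.47) ...
Setting up ca-certificates-java (20120721) ...
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
Setting up openjdk-6-jre-headless:amd64 (6b24-1.11.4-3) ...
"""

SETTING_UP = re.compile(r"^Setting up (\S+) \((\S+)\) \.\.\.")
# Labels are hypothetical names chosen for this example.
ERROR_PATTERNS = [
    ("hook-failed", re.compile(r"^E: (\S+) exited with code \d+\.")),
    ("cert-not-added", re.compile(r"^error adding (\S+)")),
    ("java-exception", re.compile(r'^Exception in thread "[^"]+" (\S+?):')),
    ("root-cause", re.compile(r"^Caused by: (.+)")),
]

def scan(log_text):
    """Return (findings, order): each error line attributed to the package
    being configured when it appeared, and the configuration order."""
    findings, order, current = [], [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = SETTING_UP.match(line)
        if m:
            current = m.group(1).split(":")[0]  # drop ":amd64" arch qualifier
            order.append(current)
            continue
        for kind, pattern in ERROR_PATTERNS:
            m = pattern.match(line)
            if m:
                findings.append((current, kind, m.group(1)))
                break
    return findings, order

def configured_before(order, first, second):
    """True if `first` was configured before `second` in this run."""
    return (first in order and second in order
            and order.index(first) < order.index(second))

if __name__ == "__main__":
    findings, order = scan(SAMPLE_LOG)
    for pkg, kind, detail in findings:
        print(f"{pkg}: {kind}: {detail}")
    print("ca-certificates-java configured before the JRE:",
          configured_before(order, "ca-certificates-java", "openjdk-6-jre-headless"))
```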