Bug#1020289: ca-certificates-java upgrade problem

Sven Mueller smu at google.com
Mon Sep 19 12:30:00 BST 2022


Package: ca-certificates-java
Version: 20220719

Hi.

As you might know, we have a number of machines running a derivative
of Debian (testing) at Google. I noticed a cluster of machines failing
upgrades due to ca-certificates-java failing in postinst.

More specifically:

# dpkg --configure -a
Setting up ca-certificates-java (20220719) ...
org.debian.security.InvalidKeystorePasswordException: Cannot open Java
keystore. Is the password correct?
at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:68)
at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:52)
at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.IOException: Keystore was tampered with, or
password was incorrect
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:795)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
at java.base/java.security.KeyStore.load(KeyStore.java:1479)
at org.debian.security.KeyStoreHandler.load(KeyStoreHandler.java:66)
... 3 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:793)
... 6 more

Which looks like https://bugs.debian.org/787277 at first glance. Which
in turn says that this is expected to happen when the keystore
passphrase was changed without updating /etc/default/cacerts. However,
in that case, I would have expected `keytool -cacerts -list` to also
fail when I give it the default `changeit` passphrase? Am I wrong with
that expectation?

Would a copy of /etc/ssl/certs/java/cacerts from an affected machine
help to debug this? - Well, I attached one. I'd very much appreciate
if you could have a look and tell me if anything about it is broken
because of something we (probably the user of that machine) did or if
there is any other issue at hand.

Kind regards,
Sven
-------------- next part --------------
A non-text attachment was scrubbed...
Name: broken-cacerts
Type: application/octet-stream
Size: 174036 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20220919/bfe286bc/attachment-0001.obj>
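
The "Password verification failed" exception in the trace above is raised by the JKS loader when the SHA-1 integrity digest stored in the last 20 bytes of the file does not match the digest computed from the supplied passphrase. The following check reproduces that comparison offline; it is an added example, not part of the original message or of the ca-certificates-java code, and its function names and the constructed empty keystore are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED      # first four bytes of a JKS keystore
JCEKS_MAGIC = 0xCECECECE    # first four bytes of a JCEKS keystore
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS digest
DIGEST_LEN = 20             # SHA-1 output size

def keystore_kind(data: bytes) -> str:
    """Classify a keystore file by its leading bytes."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack(">I", data[:4])[0]
    if magic == JKS_MAGIC:
        return "jks"
    if magic == JCEKS_MAGIC:
        return "jceks"
    if data[0] == 0x30:     # ASN.1 SEQUENCE, as used by PKCS#12
        return "pkcs12-or-other-der"
    return "unknown"

def jks_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over passphrase (two bytes per Java char), whitener, keystore body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(WHITENER)
    h.update(body)
    return h.digest()

def jks_password_matches(data: bytes, password: str) -> bool:
    """True if the trailing digest of a JKS file verifies with this passphrase."""
    if keystore_kind(data) != "jks" or len(data) < 12 + DIGEST_LEN:
        raise ValueError("not a JKS keystore")
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    return hmac.compare_digest(jks_digest(body, password), stored)

def build_empty_jks(password: str) -> bytes:
    """Constructed sample: header (magic, version 2, zero entries) plus digest."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(body, password)

if __name__ == "__main__" and len(sys.argv) == 3:
    blob = open(sys.argv[1], "rb").read()   # e.g. a copy of the cacerts file
    kind = keystore_kind(blob)
    print("format:", kind)
    if kind == "jks":
        print("passphrase verifies:", jks_password_matches(blob, sys.argv[2]))
```

Run it with a path to a copy of the keystore and the passphrase to test. A file that is not reported as `jks` is not covered by this digest check.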

