Bug#1030129: ca-certificates-java - Fails to install: Error loading java.security file

Dimitry Andric dimitry at unified-streaming.com
Fri Nov 3 16:56:28 GMT 2023


FWIW, I can still reproduce the problem with Debian 10 (yeah I know, I should upgrade :), by attempting to install build-essential and openjdk-11-jre-headless in one apt-get invocation. E.g. using a simple Dockerfile:

======================================================================
FROM debian:10

RUN DEBIAN_FRONTEND=noninteractive apt-get -q -y update
RUN DEBIAN_FRONTEND=noninteractive apt-get -q -y upgrade
RUN DEBIAN_FRONTEND=noninteractive apt-get -q -y install build-essential openjdk-11-jre-headless
======================================================================

Results in:

======================================================================
...
#7 21.52 Setting up ca-certificates-java (20190405) ...
#7 21.55 head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
#7 21.62 Exception in thread "main" java.lang.InternalError: Error loading java.security file
#7 21.62        at java.base/java.security.Security.initialize(Security.java:94)
#7 21.62        at java.base/java.security.Security$1.run(Security.java:79)
#7 21.62        at java.base/java.security.Security$1.run(Security.java:77)
#7 21.62        at java.base/java.security.AccessController.doPrivileged(Native Method)
#7 21.62        at java.base/java.security.Security.<clinit>(Security.java:77)
#7 21.62        at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:176)
#7 21.62        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
#7 21.62        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:92)
#7 21.62        at java.base/java.security.AccessController.doPrivileged(Native Method)
#7 21.62        at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:91)
#7 21.62        at java.base/sun.security.jca.Providers.<clinit>(Providers.java:54)
#7 21.62        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
#7 21.62        at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
#7 21.62        at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
#7 21.62        at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
#7 21.62        at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
#7 21.64 dpkg: error processing package ca-certificates-java (--configure):
#7 21.64  installed ca-certificates-java package post-installation script subprocess returned error exit status 1
#7 21.64 dpkg: dependency problems prevent configuration of openjdk-11-jre-headless:amd64:
#7 21.64  openjdk-11-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
#7 21.64   Package ca-certificates-java is not configured yet.
#7 21.64
#7 21.64 dpkg: error processing package openjdk-11-jre-headless:amd64 (--configure):
#7 21.64  dependency problems - leaving unconfigured
#7 21.64 Processing triggers for libc-bin (2.28-10+deb10u2) ...
#7 21.66 Processing triggers for ca-certificates (20200601~deb10u2) ...
#7 21.67 Updating certificates in /etc/ssl/certs...
#7 22.04 0 added, 0 removed; done.
#7 22.04 Running hooks in /etc/ca-certificates/update.d...
#7 22.04
#7 22.12 Exception in thread "main" java.lang.InternalError: Error loading java.security file
#7 22.12        at java.base/java.security.Security.initialize(Security.java:94)
#7 22.12        at java.base/java.security.Security$1.run(Security.java:79)
#7 22.12        at java.base/java.security.Security$1.run(Security.java:77)
#7 22.12        at java.base/java.security.AccessController.doPrivileged(Native Method)
#7 22.12        at java.base/java.security.Security.<clinit>(Security.java:77)
#7 22.12        at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:176)
#7 22.12        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
#7 22.12        at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:92)
#7 22.12        at java.base/java.security.AccessController.doPrivileged(Native Method)
#7 22.12        at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:91)
#7 22.12        at java.base/sun.security.jca.Providers.<clinit>(Providers.java:54)
#7 22.12        at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
#7 22.12        at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
#7 22.12        at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
#7 22.12        at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
#7 22.12        at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
#7 22.13 E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
#7 22.13 done.
#7 22.15 Errors were encountered while processing:
#7 22.15  ca-certificates-java
#7 22.15  openjdk-11-jre-headless:amd64
#7 22.17 E: Sub-process /usr/bin/dpkg returned an error code (1)
======================================================================

Installing either of those packages in separate apt-get invocations works fine, and the order does not matter.

But I guess the required fix did not get backported to buster?


