Bug#635571: ca-certificates-java: Fails in update-ca-certificates hook

Chris Chiappa chris+debian at chiappa.net
Wed Jul 27 02:43:02 UTC 2011 

Package: ca-certificates-java
Version: 20110531
Severity: normal


A recent dist-upgrade caused my update-ca-certificates to fail:

# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
          at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
          at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
          at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
          at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
          at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
          at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
          at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
          at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
          at sun.security.jca.ProviderList.getService(ProviderList.java:330)
          at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
          at java.security.Security.getImpl(Security.java:696)
          at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
          at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
          at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
          at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
          at sun.security.x509.X509Key.parse(X509Key.java:168)
          at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
          at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
          at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
          at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
          at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
          at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
          at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
          at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
          at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
          at java.security.KeyStore.load(KeyStore.java:1201)
          at UpdateCertificates.createKeyStore(UpdateCertificates.java:65)
          at UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
       at sun.security.pkcs11.Secmod.initialize(Secmod.java:186)
       at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
       ... 31 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.

Symlinking /usr/lib/i386-linux-gnu/libnss3.so to /usr/lib changes the error:

Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
          at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
          at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
          at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
          at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
          at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
          at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
          at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
          at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
          at sun.security.jca.ProviderList.getService(ProviderList.java:330)
          at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
          at java.security.Security.getImpl(Security.java:696)
          at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
          at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
          at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
          at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
          at sun.security.x509.X509Key.parse(X509Key.java:168)
          at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
          at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
          at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
          at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
          at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
          at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
          at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
          at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
          at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
          at java.security.KeyStore.load(KeyStore.java:1201)
          at UpdateCertificates.createKeyStore(UpdateCertificates.java:65)
          at UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.IOException: NSS initialization failed
       at sun.security.pkcs11.Secmod.initialize(Secmod.java:216)
       at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
       ... 31 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.

Downgrading to ca-certificates-java_20100412_all makes the problem go
away.  Note that I previously had some problems with the
ca-certificates.crt file (see Bug#635570) but I believe that should be
fixed at this point (at least, other things that were causing me
problems seem happy now).

I had previously installed the "Java Cryptography Extension" to use a
4096 bit key (no idea if that is related).

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ca-certificates-java depends on:
ii  ca-certificates             20110502     Common CA certificates
ii  default-jre-headless [java6 1:1.6-40     Standard Java or Java compatible R
ii  openjdk-6-jre-headless [jav 6b18-1.8.7-5 OpenJDK Java runtime, using Hotspo
ii  sun-java6-jre [java6-runtim 6.26-1       Sun Java(TM) Runtime Environment (

Versions of packages ca-certificates-java recommends:
ii  libnss3-1d                    3.12.10-3  Network Security Service libraries

ca-certificates-java suggests no packages.

-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: u'/etc/default/cacerts'

-- no debconf information

More information about the pkg-java-maintainers mailing list