Bug#635571: ca-certificates-java: Fails in update-ca-certificates hook
Chris Chiappa
chris+debian at chiappa.net
Wed Jul 27 02:43:02 UTC 2011
Package: ca-certificates-java
Version: 20110531
Severity: normal
A recent dist-upgrade caused my update-ca-certificates to fail:
# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
at sun.security.jca.ProviderList.getService(ProviderList.java:330)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
at java.security.Security.getImpl(Security.java:696)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
at sun.security.x509.X509Key.parse(X509Key.java:168)
at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1201)
at UpdateCertificates.createKeyStore(UpdateCertificates.java:65)
at UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
at sun.security.pkcs11.Secmod.initialize(Secmod.java:186)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
... 31 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
Symlinking /usr/lib/i386-linux-gnu/libnss3.so to /usr/lib changes the error:
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
at sun.security.jca.ProviderList.getService(ProviderList.java:330)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
at java.security.Security.getImpl(Security.java:696)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
at sun.security.x509.X509Key.parse(X509Key.java:168)
at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1201)
at UpdateCertificates.createKeyStore(UpdateCertificates.java:65)
at UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.IOException: NSS initialization failed
at sun.security.pkcs11.Secmod.initialize(Secmod.java:216)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
... 31 more
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
Downgrading to ca-certificates-java_20100412_all makes the problem go
away. Note that I previously had some problems with the
ca-certificates.crt file (see Bug#635570) but I believe that should be
fixed at this point (at least, other things that were causing me
problems seem happy now).
I had previously installed the "Java Cryptography Extension" to use a
4096 bit key (no idea if that is related).
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ca-certificates-java depends on:
ii ca-certificates 20110502 Common CA certificates
ii default-jre-headless [java6 1:1.6-40 Standard Java or Java compatible R
ii openjdk-6-jre-headless [jav 6b18-1.8.7-5 OpenJDK Java runtime, using Hotspo
ii sun-java6-jre [java6-runtim 6.26-1 Sun Java(TM) Runtime Environment (
Versions of packages ca-certificates-java recommends:
ii libnss3-1d 3.12.10-3 Network Security Service libraries
ca-certificates-java suggests no packages.
-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: u'/etc/default/cacerts'
-- no debconf information
More information about the pkg-java-maintainers
mailing list