Bug#1069251: ca-certificates-java: keystore is not updated

Arnaud Rebillout arnaudr at debian.org
Tue Mar 24 08:11:09 GMT 2026


The issue is easy to reproduce: just set up, e.g., a trixie Debian system 
with ca-certificates, ca-certificates-java and default-jre-headless 
installed. Then add Debian sid to the APT sources and reinstall the 
package ca-certificates.

Typical output:

```
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL
5 added, 11 removed; done.
Processing triggers for ca-certificates (20260223) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Processing triggers for ca-certificates-java (20240118) ...
done.
```

What's worth noting above is the duplicate line:

```
5 added, 11 removed; done.
[...]
0 added, 0 removed; done.
```

This line comes from update-ca-certificates. It's duplicated because the 
postinst calls it twice: the first time without hooks, and the second time 
with hooks. However, when it runs the second time, the certificates were 
already processed, which is why we get 0 added and 0 removed.

However, and that's the issue: the whole point with the hooks is that 
update-ca-certificates is supposed to pass the list of added and removed 
certificates to the hooks. And it doesn't, since this information is 
only available during the first run.

It looks like the whole thing has been broken for years and needs a 
non-trivial overhaul to be functional again.

Best,

Arnaud
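
As an added illustration (not part of the original message or of the ca-certificates packaging), this shell check reads update-ca-certificates output and flags any run that changed certificates without the hooks running afterwards. The function names and the sample log, constructed from the output quoted above, are assumptions.

```shell
#!/bin/sh
# Constructed sample: the relevant lines of the apt output quoted in the report.
sample_log() {
cat <<'EOF'
Updating certificates in /etc/ssl/certs...
5 added, 11 removed; done.
Processing triggers for ca-certificates (20260223) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
EOF
}

# check_hook_runs (hypothetical helper): read update-ca-certificates output on
# stdin and print one line per run: "run N added=A removed=R hooks=yes|no".
# Exit status is 1 if any run changed certificates but was not followed by a
# hook invocation, i.e. the hooks never saw that change list.
check_hook_runs() {
    awk '
    function report() {
        if (run == 0) return
        printf "run %d added=%d removed=%d hooks=%s\n", run, added, removed, hooks
        if ((added > 0 || removed > 0) && hooks == "no") missed = 1
    }
    # A new "Updating certificates" line closes the previous run.
    /^Updating certificates in / {
        report(); run++; added = 0; removed = 0; hooks = "no"; next
    }
    /^[0-9]+ added, [0-9]+ removed; done\.$/ { added = $1; removed = $3; next }
    /^Running hooks in / { hooks = "yes"; next }
    END { report(); exit missed + 0 }
    '
}

# Stand-alone run against the constructed sample.
sample_log | check_hook_runs ||
    echo "WARNING: certificates changed in a run whose hooks did not execute"
```

On a real system the same function can be fed the saved terminal output of the upgrade; a non-zero exit status means the hook consumers, such as the Java keystore, were not told about the change.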


