When upgrading from maverick to oneiric received a number of error messages about ssl certs

Bug #873517 reported by Dan Parent
This bug affects 36 people
Affects                          Status         Importance   Assigned to   Milestone
ca-certificates-java (Debian)    Fix Released   Unknown
ca-certificates-java (Ubuntu)    Invalid        Undecided    Unassigned

Bug Description

While performing an upgrade from maverick to oneiric in a 32-bit Ubuntu server environment, I noticed that it seemed like every pem file was failing. I received errors like the following:

error adding /etc/ssl/certs/blah.pem

where blah could be replaced by what seemed like every pem file. My system continues to run fine, I do not run java processes other than the occasional ant build which continues to work as before. Not a fatal bug for myself, thought I'd report it since I noticed the error messages.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates-java (Ubuntu):
status: New → Confirmed

martin suchanek (martin-suc) wrote :

1. It happened all the time when upgrading to Oneiric (from 11.04; 10 instances).
2. It happened on 32 and 64 bit versions.
3. It happened as well when installing a new instance of Ubuntu 11.10.

nils (internationils) wrote :

Same problem here. Links seem to be fine, directories seem fine, privileges seem fine as well. No idea what's going on here.

nils (internationils) wrote :

Here's something that could be related?
Setting up ca-certificates-java (20110912ubuntu3) ...
Installing new version of config file /etc/ca-certificates/update.d/jks-keystore
 ...
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
        at sun.security.x509.X509Key.parse(X509Key.java:168)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1747)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:107)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:322)
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:763)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1201)
        at UpdateCertificates.createKeyStore(UpdateCertificates.java:65)
        at UpdateCertificates.main(UpdateCertificates.java:51)
Caused by: java.io.FileNotFoundException: /usr/lib/libnss3.so
        at sun.security.pkcs11.Secmod.initialize(Secmod.java:186)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:197)
        ... 31 more
done.

... and

Setting up ca-certificates-java (20110912ubuntu3) ...
Installing new version of config file /etc/ca-certificates/update.d/jks-keystore ...
Exception in thread "main" java.security.ProviderException: Could not initialize NSS
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:201)
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstruct

 installed by openjdk-6
onstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
        at sun.security.jca.ProviderList.getProvider(ProviderList.java:232)
        at sun.security.jca.ProviderList.getService(ProviderList.java:330)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
        at java.security.Security.getImpl(Security.java:696)
        at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:130)
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:121)
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114)
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:381)
        at sun.security.x509.X509Key.pars...

Eric Larson (eric-ionrock) wrote :

I've had trouble connecting to services in my organization because the cert verification failed. Here is a traceback from a Python script that hits the error:

Traceback (most recent call last):
  File "/home/eric/bin/qpaste", line 52, in <module>
    resp, content = h.request(paste_url, 'POST', urlencode(data))
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1436, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1188, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1123, in _conn_request
    conn.connect()
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 911, in connect
    raise SSLHandshakeError(e)
httplib2.SSLHandshakeError: [Errno 1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Eric Larson (eric-ionrock) wrote :

The fix for me seemed to be reconfiguring and re-adding all the certs. I made a mistake and removed them all first and then added them back, so I'm not sure if the removal then addition is what fixed the issue.

Eric Larson (eric-ionrock) wrote :

When I say "reconfigure" I do mean running: dpkg-reconfigure ca-certificates and selecting all the certs in the dialog that comes up.

gjohn (gjohn) wrote :

I noticed the same errors about adding certificates/pem files when upgrading to 11.10 Oneiric from 11.04

Ubuntu on Virtualbox 4.1

Installed java sdk on Ubuntu 10.04, using aptitude as:
sudo aptitude install openjdk-6-jdk

Upgrade to 11.10 from Update manager UI
I did not run pending 11.04 updates before starting the upgrade to 11.10

Changed in ca-certificates-java (Debian):
status: Unknown → Fix Released

Daniel Richard G. (skunk) wrote :

I see these error messages on installation of ca-certificates-java on a new Oneiric install:

Setting up ca-certificates-java (20110912ubuntu3) ...
Adding debian:Comodo_AAA_Services_root.pem
Adding debian:TC_TrustCenter_Universal_CA_I.pem
Adding debian:GeoTrust_Primary_Certification_Authority_-_G2.pem
Adding debian:Thawte_Server_CA.pem
Adding debian:signet_ocspklasa3_pem.pem
[...]
Adding debian:signet_pca3_pem.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/NetLock_Arany_=Class_Gold=_F??tan??s??tv??ny.pem. Message:
  /etc/ssl/certs/NetLock_Arany_=Class_Gold=_F??tan??s??tv??ny.pem (No such file or directory)
Adding debian:thawte_Primary_Root_CA.pem
[...]
Adding debian:VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
Adding debian:DST_Root_CA_X3.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/T??B??TAK_UEKAE_K??k_Sertifika_Hizmet_Sa??lay??c??s??_-_S??r??m_3.pem. Message:
  /etc/ssl/certs/T??B??TAK_UEKAE_K??k_Sertifika_Hizmet_Sa??lay??c??s??_-_S??r??m_3.pem (No such file or directory)
Adding debian:WellsSecure_Public_Root_Certificate_Authority.pem
Adding debian:Comodo_Trusted_Services_root.pem
[...]
Adding debian:brasil.gov.br.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem. Message:
  /etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem (No such file or directory)
Adding debian:thawte_Primary_Root_CA_-_G3.pem
[...]
Adding debian:Comodo_Secure_Services_root.pem
Warning: there was a problem reading the certificate file /etc/ssl/certs/AC_Ra??z_Certic??mara_S.A..pem. Message:
  /etc/ssl/certs/AC_Ra??z_Certic??mara_S.A..pem (No such file or directory)
Adding debian:Thawte_Premium_Server_CA.pem
[...]
Adding debian:Sonera_Class_2_Root_CA.pem
Adding debian:Entrust_Root_Certification_Authority.pem
Adding debian:Digital_Signature_Trust_Co._Global_CA_3.pem
done.

As noted in the linked Debian bug report, it seems some script is having trouble handling certificates with special characters in their filenames.
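
In the installer output above, every skipped file has non-ASCII characters in its name, printed as `??`. The shell function below is an added illustration, not part of the original report or of the ca-certificates-java package: it lists the `*.pem` entries in a certificate directory whose names contain non-ASCII bytes and flags dangling symlinks. The sample directory and the `Example_*` file names are constructed.

```shell
#!/bin/sh
# Added example: locate trust-store entries with non-ASCII file names.

# Print "STATE<TAB>NAME" for each *.pem entry in DIR whose file name has a
# byte outside printable ASCII. STATE is "ok" when the entry resolves to an
# existing file and "dangling" when it is a symlink with no target.
list_non_ascii_pems() {
    dir=$1
    for path in "$dir"/*.pem; do
        # Skip the unexpanded glob when the directory has no .pem entries.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        # In the C locale every byte >= 0x80 falls outside the range ' '..'~'.
        if printf '%s' "$name" | LC_ALL=C grep -q '[^ -~]'; then
            if [ -e "$path" ]; then state=ok; else state=dangling; fi
            printf '%s\t%s\n' "$state" "$name"
        fi
    done
}

# Build a constructed sample directory (not a real trust store) and scan it.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/Example_Plain_CA.pem"                           # ASCII name, not listed
    : > "$tmp/Example_Raíz_CA.pem"                            # non-ASCII, resolves
    ln -s "$tmp/missing-target" "$tmp/Example_Kök_CA.pem"     # non-ASCII, dangling
    list_non_ascii_pems "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real system the function would be pointed at `/etc/ssl/certs`; entries it reports are the ones to compare against the "problem reading the certificate file" warnings.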

demon.ar (alejandro-moya) wrote :

I'm using the upgrade feature and have the same issue, nov/17

Benjamin Bach (benjaoming) wrote :

Confirmed that it is still present when upgrading to 11.10.

"sudo dpkg-reconfigure ca-certificates" after upgrading + selecting yes to trust all certificates and selecting all of them from a list works as @Eric Larson hinted.

Boris Dušek (dusek) wrote :

I have experienced this issue today when upgrading a 32-bit fully up-to-date 11.04 system to 11.10.

Vladimir Petko (vpa1977) wrote :

Ubuntu 11.10 (Oneiric Ocelot) End of Life reached on May 9, 2013.

Changed in ca-certificates-java (Ubuntu):
status: Confirmed → Invalid