[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Launchpad Bug Tracker]

This bug was fixed in the package ca-certificates-java -
20180516ubuntu1~18.04.1

---
ca-certificates-java (20180516ubuntu1~18.04.1) bionic; urgency=medium

  * Backport from Cosmic. (LP: #1770553)

ca-certificates-java (20180516ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable (LP: #1771815). Remaining changes:
- debian/control: Bump javahelper build dependency.
- debian/rules:
  + Explicitly depend on openjdk-11-jre-headless, needed to configure.
  + Replace javac arguments '-source 1.7 -target 1.7' with '--release 7'
as, per JEP-247, it also takes care of setting the right -bootclasspath
argument.

ca-certificates-java (20180516) unstable; urgency=medium

  * Team upload.

  [ Tiago Stürmer Daitx ]
  * debian/jks-keystore.hook.in: don't create a jvm-*.cfg file, a default file
with the right configuration is already supplied by the openjdk packages.
  * debian/jks-keystore.hook.in, debian/postinst.in: Only export JAVA_HOME
and update PATH if a known jvm was found.
  * debian/postinst.in: Detect PKCS12 cacert keystore generated by
previous ca-certificates-java and convert them to JKS. (Closes: #898678)
(LP: #1771363)

  [ Matthias Klose ]
  * debian/rules: Explicitly depend on openjdk-11-jre-headless, needed to
configure.

  [ Emmanuel Bourg ]
  * Use salsa.debian.org Vcs-* URLs

ca-certificates-java (20180413ubuntu1) cosmic; urgency=medium

  * Merge from debian unstable. Remaining changes: (LP: #1769013,
LP: #1739631)
+ debian/control: Bump javahelper build dependency.
+ debian/rules:
  - Explicitly depend on openjdk-11-jre-headless, needed to configure.
  - Replace javac arguments '-source 1.7 -target 1.7' with '--release 7'
as, per JEP-247, it also takes care of setting the right -bootclasspath
argument.
  * debian/jks-keystore.hook.in: don't create a jvm-*.cfg file, a default file
with the right configuration is already supplied by the openjdk packages.

ca-certificates-java (20180413) unstable; urgency=medium

  * Team upload.
  * Always generate a JKS keystore instead of using the default format
(Closes: #894979)
  * Look for Java 10 and Java 11 when detecting the JRE
  * Removed Damien Raude-Morvan from the uploaders (Closes: #889412)
  * Standards-Version updated to 4.1.4
  * Switch to debhelper level 11

 -- Tiago Stürmer Daitx   Thu, 17 May 2018
14:10:59 +

** Changed in: ca-certificates-java (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Mikael Gueck]

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Mikael Gueck]

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Mikael Gueck]

Tested the proposed fix version 20180516ubuntu1~18.04.1 in a Docker
container, and it DID fix the issue, both as an upgrade to a previously
installed package version 20170930ubuntu1, and as a first install.

Verification steps: Ran the TestHttps program from
https://git.mikael.io/mikaelhg/broken-docker-jdk9-cacerts. It
successfully completed without throwing an exception, after the upgrade
to 20180516ubuntu1~18.04.1.

Verified package version:

root@89353b964227:/app# apt-cache show ca-certificates-java
Package: ca-certificates-java
Architecture: all
Version: 20180516ubuntu1~18.04.1
Multi-Arch: foreign
Priority: optional
Section: misc
Origin: Ubuntu
Maintainer: Ubuntu Developers 
Original-Maintainer: Debian Java Maintainers 

Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 42
Depends: ca-certificates (>= 20121114), openjdk-11-jre-headless | 
java8-runtime-headless, libnss3 (>= 3.12.9+ckbi-1.82-0ubuntu3~)
Filename: 
pool/main/c/ca-certificates-java/ca-certificates-java_20180516ubuntu1~18.04.1_all.deb
Size: 12156
MD5sum: fed1dbe07d960d581a8870b6e103eb69
SHA1: c0305a200fb55296a077014af3fd3ad7a4de756d
SHA256: 2c312d1c8a14781fc9a074569c9d591e17e00419ab9597a148223d0ac4065bb2
Description: Common CA certificates (JKS keystore)
Description-md5: 304cd3554728e5d076f8ecbb3b5057d8
Task: kubuntu-desktop, kubuntu-full
Supported: 5y

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Łukasz Zemczak]

Hello Antti, or anyone else affected,

Accepted ca-certificates-java into bionic-proposed. The package will
build now and be available at https://launchpad.net/ubuntu/+source/ca-
certificates-java/20180516ubuntu1~18.04.1 in a few hours, and then in
the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: ca-certificates-java (Ubuntu Bionic)
   Status: Confirmed => Fix Committed

** Tags added: verification-needed verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Tiago Stürmer Daitx]

** Description changed:

  [Impact]
  Any user doing a new install can be affected as soon as they install any 
openjdk-11 package.
  
  [Cause]
  The ca-certificate-java version 20170930 (or earlier) used OpenJDK's default 
keystore to create /etc/ssl/certs/java/cacerts - if the file already existed 
its contents were just updated without changing the keystore type.
  
  From openjdk-9 upwards the default keystore type changed from 'jks' to
  'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without
  supplying a password (or by supplying an empty one) while a PKCS12
  keystore requires a password to be set.
  
  Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will
  fail to be loaded as, by default, the truststore password is empty - in
  order to avoid that the user must set
  -Djavax.net.ssl.trustStorePassword= or define it in /etc/java-
  XX-openjdk/management/management.properties. A JKS keystore will work
  normally, as the certificates in it can be ready when the truststore
  password is empty.
  
  Ubuntu does *not* set the javax.net.ssl.trustStorePassword by default
  thus any user that got a cacerts generated in JKCS12 won't be able
  to use any secure connections from java.
  
- [Test Case]
+ [Test Case - Fix not applied]
  Start on a new bionic install/chroot without openjdk
  
  1. Install openjdk-11
  $ sudo apt-get install openjdk-11-jdk
  
  2. Test the keystore with an empty password (optional) and make sure it is a 
PKCS12
  $ keytool -list -cacerts
  Enter keystore password: 
  * WARNING WARNING WARNING *
  * The integrity of the information stored in your keystore *
  * has NOT been verified! In order to verify its integrity, *
  * you must provide your keystore password. *
  * WARNING WARNING WARNING *
  Keystore type: PKCS12
  Keystore provider: SUN
  Your keystore contains 0 entries
  
  3. Test with the "changeit" password
  $ keytool -list -cacerts
  Enter keystore password: changeit
  Keystore type: PKCS12
  Keystore provider: SUN
  Your keystore contains 133 entries
  
  
  4. Create the java test file
  $ cat 

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Tiago Stürmer Daitx]

** Description changed:

- I ran into a problem after doing approximately the following on an
- install of Ubuntu 17.10:
+ [Impact]
+ Any user doing a new install can be affected as soon as they install any 
openjdk-11 package.
+ 
+ [Cause]
+ The ca-certificate-java version 20170930 (or earlier) used OpenJDK's default 
keystore to create /etc/ssl/certs/java/cacerts - if the file already existed 
its contents were just updated without changing the keystore type.
+ 
+ From openjdk-9 upwards the default keystore type changed from 'jks' to
+ 'pkcs12' [1] by means of JEP 229 [2]. A JKS keystore can be read without
+ supplying a password (or by supplying an empty one) while a PKCS12
+ keystore requires a password to be set.
+ 
+ Thus a /etc/ssl/certs/java/cacerts created in the pkcs12 format will
+ fail to be loaded as, by default, the truststore password is empty - in
+ order to avoid that the user must set
+ -Djavax.net.ssl.trustStorePassword= or define it in /etc/java-
+ XX-openjdk/management/management.properties. A JKS keystore will work
+ normally, as the certificates in it can be ready when the truststore
+ password is empty.
+ 
+ Ubuntu does *not* set the javax.net.ssl.trustStorePassword by default
+ thus any user that got a cacerts generated in JKCS12 won't be able
+ to use any secure connections from java.
+ 
+ [Test Case]
+ Start on a new bionic install/chroot without openjdk
+ 
+ 1. Install openjdk-11
+ $ sudo apt-get install openjdk-11-jdk
+ 
+ 2. Test the keystore with an empty password (optional) and make sure it is a 
PKCS12
+ $ keytool -list -cacerts
+ Enter keystore password: 
+ * WARNING WARNING WARNING *
+ * The integrity of the information stored in your keystore *
+ * has NOT been verified! In order to verify its integrity, *
+ * you must provide your keystore password. *
+ * WARNING WARNING WARNING *
+ Keystore type: PKCS12
+ Keystore provider: SUN
+ Your keystore contains 0 entries
+ 
+ 3. Test with the "changeit" password
+ $ keytool -list -cacerts
+ Enter keystore password: changeit
+ Keystore type: PKCS12
+ Keystore provider: SUN
+ Your keystore contains 133 entries
+ 
+ 
+ 4. Create the java test file
+ $ cat 

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Sam Uong]

** Changed in: ca-certificates-java (Ubuntu Bionic)
   Status: Triaged => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Matthias Klose]

** Changed in: ca-certificates-java (Ubuntu Bionic)
 Assignee: (unassigned) => Tiago Stürmer Daitx (tdaitx)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Brian Murray]

** Changed in: ca-certificates-java (Ubuntu Bionic)
Milestone: None => ubuntu-18.04.1

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Bug Watch Updater]

** Changed in: ca-certificates-java (Debian)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Julian Andres Klode]

** Also affects: ca-certificates-java (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: ca-certificates-java (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: ca-certificates-java (Ubuntu)
   Importance: Undecided => High

** Changed in: ca-certificates-java (Ubuntu Bionic)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Bug Watch Updater]

** Changed in: ca-certificates-java (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Tiago Stürmer Daitx]

** Bug watch added: Debian Bug tracker #898678
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898678

** Also affects: ca-certificates-java (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898678
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Launchpad Bug Tracker]

This bug was fixed in the package ca-certificates-java - 20180413ubuntu1

---
ca-certificates-java (20180413ubuntu1) cosmic; urgency=medium

  * Merge from debian unstable. Remaining changes: (LP: #1769013,
LP: #1739631)
+ debian/control: Bump javahelper build dependency.
+ debian/rules:
  - Explicitly depend on openjdk-11-jre-headless, needed to configure.
  - Replace javac arguments '-source 1.7 -target 1.7' with '--release 7'
as, per JEP-247, it also takes care of setting the right -bootclasspath
argument.
  * debian/jks-keystore.hook.in: don't create a jvm-*.cfg file, a default file
with the right configuration is already supplied by the openjdk packages.

ca-certificates-java (20180413) unstable; urgency=medium

  * Team upload.
  * Always generate a JKS keystore instead of using the default format
(Closes: #894979)
  * Look for Java 10 and Java 11 when detecting the JRE
  * Removed Damien Raude-Morvan from the uploaders (Closes: #889412)
  * Standards-Version updated to 4.1.4
  * Switch to debhelper level 11

 -- Tiago Stürmer Daitx   Fri, 04 May 2018
01:31:24 +

** Changed in: ca-certificates-java (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Don-vip]

See https://bugs.launchpad.net/ubuntu/+source/ca-certificates-
java/+bug/1769013 for merge of ca-certificates-java 20180413

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Mikael Gueck]

Another workaround, used pyjks to generate a minimal JKS file with an empty 
password,
and relying on the certificate file compatibility mode:

echo "storepass=''" >> /etc/default/cacerts
echo -e 
"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\x57\xbe\xbc\x27\x62\xa2\x1d\x70\xff\xf2\x18\xdd\x59\x68\x01\x1f\xfe\x42\x3a\x69"
 > /etc/ssl/certs/java/cacerts
/var/lib/dpkg/info/ca-certificates-java.postinst configure

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[pkmo-linux]

This issue has been resolved upstream in 20180413
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894979

Can we please see it here sometime soon?

** Bug watch added: Debian Bug tracker #894979
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894979

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[mjw99]

I am seeing this with a 18.04 nightly; this is pretty much a showstopper
for any one developing with Maven.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Antti S. Lankila]

To comment #5: If what you describe is true, then that is a different
bug, somehow. The default cacerts file should be in pkcs12 format, which
can't be used by java for some reason. The JKS keystore file can be
read, regardless of the keystore type setting in the security file.

However, I am happy about the suggestion to change the keystore.type=jks
parameter in the java.security file. Once this change has been made,
openjdk-9 can also generate JKS keystores from "udpate-ca-certificates
-f" and that is altogether simpler way to recover from this bug than
installing JDK 8, let it generate keystore, and then update to JDK 9
that preserves the cacerts in JKS format regardless of the settings of
JDK 9.

So here are the workaround steps that can be done instead, to fix TLS
for Java 9 when the keystore type happens to be PKCS12.

1. edit /etc/java-9-openjdk/security/java.security file. Find the line
that says keystore.type = pkcs12 and change that to jks

2. rm /etc/ssl/certs/java/cacerts file

3. run "update-ca-certificates -f"

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[kb3gtn]

I have noticed a similar issue with openjdk-9 on Ubuntu 18.04 alpha and
getting errors in java applications with exception message:

java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty

This is due to the default cacerts for java installed in
/etc/ssl/certs/java/cacerts being in the jks format where the default
keystore.type for OpenJDK-9 is pkcs12.

A simple work around is to edit
/etc/java-9-openjdk/security/java.security and change
"keystore.type=pkcs12" to "keystore.type=jks"

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Antti S. Lankila]

While it may be so that OpenJDK ships with empty certificates file, this
is not sufficient to explain the issue, or consistent with the bug
report I made. Quoting from the original bug report: "I discovered that
the JDK's lib/security/cacerts is a symlink to
/etc/ssl/certs/java/cacerts, which is provided by ca-certificates-java
package".

This symlink exists, and it is the one used by JDK. The issue was that
JDK9 is unable to read the contents of PKCS12-formatted keystore file,
but is able to read its old JKS keystore file. In both cases, the files
do contain certificates.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Artur Godlinski]

The OpenJDK was shipped with an empty cacerts file, which was fixed with
version 9.0.4 (See:
https://bugs.java.com/view_bug.do?bug_id=JDK-8189131)

Workaround:
Extract the 'cacerts' file from the latest OpenJDK and copy it into 
/etc/ssl/certs/java

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ca-certificates-java (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs