FWIW, I can still reproduce the problem with Debian 10 (yeah I know, I should upgrade :), by attempting to install build-essential and openjdk-11-jre-headless in one apt-get invocation. E.g. using a simple Dockerfile:
====================================================================== FROM debian:10 RUN DEBIAN_FRONTEND=noninteractive apt-get -q -y update RUN DEBIAN_FRONTEND=noninteractive apt-get -q -y upgrade RUN DEBIAN_FRONTEND=noninteractive apt-get -q -y install build-essential openjdk-11-jre-headless ====================================================================== Results in: ====================================================================== ... #7 21.52 Setting up ca-certificates-java (20190405) ... #7 21.55 head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory #7 21.62 Exception in thread "main" java.lang.InternalError: Error loading java.security file #7 21.62 at java.base/java.security.Security.initialize(Security.java:94) #7 21.62 at java.base/java.security.Security$1.run(Security.java:79) #7 21.62 at java.base/java.security.Security$1.run(Security.java:77) #7 21.62 at java.base/java.security.AccessController.doPrivileged(Native Method) #7 21.62 at java.base/java.security.Security.<clinit>(Security.java:77) #7 21.62 at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:176) #7 21.62 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94) #7 21.62 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:92) #7 21.62 at java.base/java.security.AccessController.doPrivileged(Native Method) #7 21.62 at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:91) #7 21.62 at java.base/sun.security.jca.Providers.<clinit>(Providers.java:54) #7 21.62 at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156) #7 21.62 at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193) #7 21.62 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50) #7 21.62 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65) #7 21.62 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51) #7 21.64 dpkg: error processing package ca-certificates-java (--configure): #7 21.64 installed ca-certificates-java package post-installation script subprocess returned error exit status 1 #7 21.64 dpkg: dependency problems prevent configuration of openjdk-11-jre-headless:amd64: #7 21.64 openjdk-11-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however: #7 21.64 Package ca-certificates-java is not configured yet. #7 21.64 #7 21.64 dpkg: error processing package openjdk-11-jre-headless:amd64 (--configure): #7 21.64 dependency problems - leaving unconfigured #7 21.64 Processing triggers for libc-bin (2.28-10+deb10u2) ... #7 21.66 Processing triggers for ca-certificates (20200601~deb10u2) ... #7 21.67 Updating certificates in /etc/ssl/certs... #7 22.04 0 added, 0 removed; done. #7 22.04 Running hooks in /etc/ca-certificates/update.d... #7 22.04 #7 22.12 Exception in thread "main" java.lang.InternalError: Error loading java.security file #7 22.12 at java.base/java.security.Security.initialize(Security.java:94) #7 22.12 at java.base/java.security.Security$1.run(Security.java:79) #7 22.12 at java.base/java.security.Security$1.run(Security.java:77) #7 22.12 at java.base/java.security.AccessController.doPrivileged(Native Method) #7 22.12 at java.base/java.security.Security.<clinit>(Security.java:77) #7 22.12 at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:176) #7 22.12 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94) #7 22.12 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:92) #7 22.12 at java.base/java.security.AccessController.doPrivileged(Native Method) #7 22.12 at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:91) #7 22.12 at java.base/sun.security.jca.Providers.<clinit>(Providers.java:54) #7 22.12 at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156) #7 22.12 at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193) #7 22.12 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50) #7 22.12 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65) #7 22.12 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51) #7 22.13 E: /etc/ca-certificates/update.d/jks-keystore exited with code 1. #7 22.13 done. #7 22.15 Errors were encountered while processing: #7 22.15 ca-certificates-java #7 22.15 openjdk-11-jre-headless:amd64 #7 22.17 E: Sub-process /usr/bin/dpkg returned an error code (1) ====================================================================== Installing either of those packages in separate apt-get invocations works fine, and the order does not matter. But I guess the required fix did not get backported to buster?