Bug 1290044 - Keystore-Reset after Openjdk-Update
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 23
Hardware: x86_64 Unspecified
Severity: unspecified
Assigned To: Kai Engert (:kaie)
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-09 09:48 EST by Sandra Thieme
Modified: 2016-03-16 15:56 EDT
Last Closed: 2016-03-16 15:56:07 EDT
Doc Type: Bug Fix
Type: Bug
Attachments: None

Description Sandra Thieme 2015-12-09 09:48:10 EST
Description of problem:
Upgrading java-1.8.0-openjdk via dnf seemingly leads to a keystore reset.

Version-Release number of selected component (if applicable):
Upgrade from java-1.8.0-openjdk-1:1.8.0.65-3.b17.fc23.x86_64 to 1:1.8.0.65-4.b17.fc23.x86_64

Steps to Reproduce:
1. Install java-1.8.0-openjdk-1:1.8.0.65-3.b17.fc23.x86_64
2. Import certificate into the java keystore
3. Update to java-1.8.0-openjdk-1:1.8.0.65-4.b17.fc23.x86_64

Actual results:
The previously imported certificate is no longer in the keystore.

Expected results:
The imported certificate should still be in the keystore.
Comment 1 jiri vanek 2015-12-09 10:34:45 EST
What keystore are you using? The main keystore is /etc/pki/java/cacerts, which definitely survives updates.
Comment 2 Sandra Thieme 2015-12-09 10:44:32 EST
I used the keystore contained in the jre (/etc/alternatives/jre/lib/security/cacerts) which points to /etc/pki/java/cacerts. All certificates in this keystore have "Creation date: Dec 4, 2015" as observed with /etc/alternatives/keytool -list -v -keystore /etc/pki/java/cacerts. This is the day I installed the update.
Comment 3 jiri vanek 2015-12-09 10:49:50 EST
Hm. That is the link to the main cacerts file I mentioned. Are you sure that in the transaction which corrupted it there was no update to cacerts?

Jdk is NOT maintaining this file. It is just linking it. The ca-certificates package is taking care of this file.
Comment 4 Sandra Thieme 2015-12-09 10:55:33 EST
You're right, there has been an update of the ca-certificates package in the same transaction. Is that a bug worth reporting to the guys maintaining ca-certificates?
Comment 5 jiri vanek 2015-12-09 10:58:31 EST
ca-certificates-2015.2.6-1.0.fc23  kengert  2015-11-23 17:00:47

http://koji.fedoraproject.org/koji/packageinfo?packageID=6260

So there was an update at the start of December. Maybe related?
Comment 6 jiri vanek 2015-12-09 11:02:19 EST
(In reply to Sandra Thieme from comment #4)
> You're right, there has been an update of the ca-certificates package in the
> same transaction. Is that a bug worth reporting to the guys maintaining
> ca-certificates?

Do you have at least /etc/pki/java/cacerts.rpmsave/old/new/whatever? If so then it is not a bug.
If not then it is very wrong that cacerts has overwritten this file without letting you know.
Comment 7 Sandra Thieme 2015-12-09 14:08:34 EST
I can't find any such thing.
Comment 8 Kai Engert (:kaie) 2016-03-16 15:56:07 EDT
Sorry for being late to this bug.

If you look at the files, you can see they are symbolic links to a different location.
They point to:
  /etc/pki/ca-trust/extracted/java/cacerts

This is a dynamic location, which intentionally gets overwritten by updates of the ca-certificates package.

1-2 years ago, we had introduced a new system for sharing CA certificates between all (or most) applications.

It is documented here:
  man update-ca-trust

In other words, please don't manually modify the default Java keystore
located at /etc/pki/ca-trust/extracted/java/cacerts.
Instead, import your CA into the CA source directory as described in the man page, and run update-ca-trust.

Please let me know if there's any problem with that.
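The following is an added example, not code from this bug or from the ca-certificates package: a small POSIX sh helper that detects whether a given Java keystore path resolves, through the symlink chain described in comments 2 and 8, into the update-ca-trust output tree (where keytool imports will be overwritten), plus the persistent alternative of placing the CA in the anchors source directory and rerunning update-ca-trust. The /etc/pki/ca-trust/source/anchors path and the `update-ca-trust` command are the standard ones from the man page; the overridable variables and the temp tree in `demo` exist only so it can be exercised offline.

```shell
#!/bin/sh
# Defaults are the real Fedora layout; the variables are overridable so the
# helpers can be tested on a constructed directory tree without root.
EXTRACTED_DIR="${EXTRACTED_DIR:-/etc/pki/ca-trust/extracted}"
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
UPDATE_CA_TRUST="${UPDATE_CA_TRUST:-update-ca-trust}"

# Return 0 if the keystore at $1 resolves (through any symlink chain) into
# the update-ca-trust output directory, i.e. a `keytool -importcert` into it
# will be lost on the next ca-certificates update; 1 otherwise.
is_managed_keystore() {
    real=$(readlink -f -- "$1") || return 1
    case "$real" in
        "$EXTRACTED_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Persistent alternative: copy a PEM CA into the anchors source directory
# and regenerate the extracted stores. Returns 1 on a missing input file.
install_anchor() {
    pem="$1"
    [ -f "$pem" ] || return 1
    cp -- "$pem" "$ANCHOR_DIR/" || return 1
    "$UPDATE_CA_TRUST"
}

# Self-contained demo on a constructed tree mirroring the chain from comment 2:
# jre/lib/security/cacerts -> java/cacerts -> extracted/java/cacerts
demo() {
    (
        root=$(mktemp -d)
        mkdir -p "$root/extracted/java" "$root/java" "$root/jre/lib/security"
        : > "$root/extracted/java/cacerts"
        ln -s "$root/extracted/java/cacerts" "$root/java/cacerts"
        ln -s "$root/java/cacerts" "$root/jre/lib/security/cacerts"
        EXTRACTED_DIR="$root/extracted"
        if is_managed_keystore "$root/jre/lib/security/cacerts"; then
            echo "managed by update-ca-trust: use the anchors directory instead"
        else
            echo "standalone keystore: keytool imports persist"
        fi
        rm -rf "$root"
    )
}

demo
```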