Bug 1290044 - Keystore-Reset after Openjdk-Update
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 23
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2015-12-09 14:48 UTC by thieme.sandra
Modified: 2016-03-16 19:56 UTC (History)

Doc Type: Bug Fix
Last Closed: 2016-03-16 19:56:07 UTC
Type: Bug



Description thieme.sandra 2015-12-09 14:48:10 UTC
Description of problem:
Upgrading java-1.8.0-openjdk via dnf seemingly leads to a keystore reset.

Version-Release number of selected component (if applicable):
Upgrade from java-1.8.0-openjdk-1:1.8.0.65-3.b17.fc23.x86_64 to 1:1.8.0.65-4.b17.fc23.x86_64

Steps to Reproduce:
1. Install java-1.8.0-openjdk-1:1.8.0.65-3.b17.fc23.x86_64
2. Import certificate into the java keystore
3. Update to java-1.8.0-openjdk-1:1.8.0.65-4.b17.fc23.x86_64

Actual results:
The previously imported certificate is no longer in the keystore.

Expected results:
The imported certificate should still be in the keystore.

Comment 1 jiri vanek 2015-12-09 15:34:45 UTC
What keystore are you using? The main keystore is /etc/pki/java/cacerts, which definitely survives updates.

Comment 2 thieme.sandra 2015-12-09 15:44:32 UTC
I used the keystore contained in the jre (/etc/alternatives/jre/lib/security/cacerts) which points to /etc/pki/java/cacerts. All certificates in this keystore have "Creation date: Dec 4, 2015" as observed with /etc/alternatives/keytool -list -v -keystore /etc/pki/java/cacerts. This is the day I installed the update.

Comment 3 jiri vanek 2015-12-09 15:49:50 UTC
Hm. That is the link to the main cacerts file I mentioned. Are you sure there was no update to cacerts in the transaction which corrupted it?

The JDK is NOT maintaining this file. It is just linking to it. The ca-certificates package takes care of this file.

Comment 4 thieme.sandra 2015-12-09 15:55:33 UTC
You're right, there has been an update of the ca-certificates package in the same transaction. Is that a bug worth reporting to the guys maintaining ca-certificates?

Comment 5 jiri vanek 2015-12-09 15:58:31 UTC
ca-certificates-2015.2.6-1.0.fc23 	kengert 	2015-11-23 17:00:47

http://koji.fedoraproject.org/koji/packageinfo?packageID=6260

So there was an update at the start of December. Maybe related?

Comment 6 jiri vanek 2015-12-09 16:02:19 UTC
(In reply to Sandra Thieme from comment #4)
> You're right, there has been an update of the ca-certificates package in the
> same transaction. Is that a bug worth reporting to the guys maintaining
> ca-certificates?

Do you have at least /etc/pki/java/cacerts.rpmsave/old/new/whatever? If so, then it is not a bug.
If not, then it is very wrong that cacerts has overwritten this file without letting you know.

Comment 7 thieme.sandra 2015-12-09 19:08:34 UTC
I can't find any such thing.

Comment 8 Kai Engert (:kaie) (inactive account) 2016-03-16 19:56:07 UTC
Sorry for being late to this bug.

If you look at the files, you can see they are symbolic links to a different location.
They point to:
  /etc/pki/ca-trust/extracted/java/cacerts

This is a dynamic location, which intentionally gets overwritten by updates of the ca-certificates package.

1-2 years ago, we introduced a new system for sharing CA certificates between all (or most) applications.

It is documented here:
  man update-ca-trust

In other words, please don't manually modify the default Java keystore located at /etc/pki/ca-trust/extracted/java/cacerts.
Instead, import your CA to the CA source directory as described in the man page, and run update-ca-trust.

Please let me know if there's any problem with that.
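The pitfall and the fix described in comment 8, as an added shell example (not code from the bug thread or from the ca-certificates package): a check that tells whether a keystore path resolves into the directory that update-ca-trust regenerates, and the supported way of adding a CA through the anchors source directory. The default paths follow the Fedora layout named in the thread; the anchors directory /etc/pki/ca-trust/source/anchors is the one update-ca-trust(8) documents, and both can be overridden so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: detect keystores that live in the update-ca-trust output tree
# and add a CA the supported way instead of editing the keystore with keytool.

# Return 0 if STORE (after following symlinks) sits inside the extracted tree,
# i.e. any change made with keytool will be discarded on the next
# ca-certificates update or update-ca-trust run; return 1 otherwise.
is_generated_keystore() {
    store="$1"
    extracted="${2:-/etc/pki/ca-trust/extracted}"
    target=$(readlink -f -- "$store") || return 1
    root=$(readlink -f -- "$extracted") || return 1
    case "$target" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy a PEM CA into the anchors source directory (default: Fedora layout).
# update-ca-trust then merges it into every generated store, including the
# Java cacerts file, so the CA survives package updates.
add_trust_anchor() {
    pem="$1"
    anchors="${2:-/etc/pki/ca-trust/source/anchors}"
    install -m 0644 -- "$pem" "$anchors/$(basename "$pem")"
}

# Usage: script.sh corp-ca.pem
# Refuses to touch the generated keystore and routes the CA through anchors.
main() {
    store=/etc/pki/java/cacerts
    if is_generated_keystore "$store"; then
        echo "$store resolves into the update-ca-trust output tree; not editing it with keytool"
    fi
    add_trust_anchor "$1" && update-ca-trust
    # Verify the CA is now present in the regenerated Java store (alias is assigned by update-ca-trust).
    keytool -list -keystore "$store" -storepass changeit | grep -i "$(basename "$1" .pem)" || true
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```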

