Red Hat Bugzilla – Bug 1290044
Keystore-Reset after Openjdk-Update
Last modified: 2016-03-16 15:56:07 EDT
Description of problem:
Upgrading java-1.8.0-openjdk via dnf seemingly leads to a keystore reset.
Version-Release number of selected component (if applicable):
Upgrade from java-1.8.0-openjdk-1:18.104.22.168-3.b17.fc23.x86_64 to 1:22.214.171.124-4.b17.fc23.x86_64
Steps to Reproduce:
1. Install java-1.8.0-openjdk-1:126.96.36.199-3.b17.fc23.x86_64
2. Import certificate into the java keystore
3. Update to java-1.8.0-openjdk-1:188.8.131.52-4.b17.fc23.x86_64
Actual results:
The previously imported certificate is no longer in the keystore.
Expected results:
The imported certificate should still be in the keystore.
What keystore are you using? The main keystore is /etc/pki/java/cacerts, which definitely survives the update.
I used the keystore contained in the jre (/etc/alternatives/jre/lib/security/cacerts) which points to /etc/pki/java/cacerts. All certificates in this keystore have "Creation date: Dec 4, 2015" as observed with /etc/alternatives/keytool -list -v -keystore /etc/pki/java/cacerts. This is the day I installed the update.
Hm. That is the link to the main cacerts file I mentioned. Are you sure that in the transaction which corrupted it there was no update to cacerts?
The JDK is NOT maintaining this file. It is just linking to it. The ca-certificates package is taking care of this file.
You're right, there has been an update of the ca-certificates package in the same transaction. Is that a bug worth reporting to the guys maintaining ca-certificates?
ca-certificates-2015.2.6-1.0.fc23 kengert 2015-11-23 17:00:47
So there was an update at the start of December. Maybe related?
(In reply to Sandra Thieme from comment #4)
> You're right, there has been an update of the ca-certificates package in the
> same transaction. Is that a bug worth reporting to the guys maintaining
Do you have at least /etc/pki/java/cacerts.rpmsave/old/new/whatever? If so, then it is not a bug.
If not, then it is very wrong that cacerts overwrote this file without letting you know.
I can't find any such thing.
Sorry for being late to this bug.
If you look at the files, you can see they are symbolic links to a different location.
They point to:
This is a dynamic location, which intentionally gets overwritten by updates of the ca-certificates package.
1-2 years ago, we introduced a new system for sharing CA certificates between all (or most) applications.
It is documented here:
In other words, please don't manually modify the default Java keystore located at /etc/pki/ca-trust/extracted/java/cacerts.
Instead, import your CA to the CA source directory as described in the man page, and run update-ca-trust.
Please let me know if there's any problem with that.
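The procedure from the last comment, as an added shell example that is not part of the bug thread: first check whether a Java cacerts path resolves into the ca-trust extracted tree (in which case update-ca-trust regenerates it and anything imported with keytool will be lost, exactly what the reporter saw), then install a CA the supported way by copying the PEM into the anchors source directory and running update-ca-trust. The anchors directory /etc/pki/ca-trust/source/anchors is not mentioned on the page; it comes from update-ca-trust(8). The paths and the update command are variables so the functions can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not the bug report's or the ca-certificates package's own code).
# Check whether a Java keystore is managed by ca-certificates, and add a CA
# through the supported source directory instead of keytool -importcert.

# Real locations per update-ca-trust(8); overridable for testing in a scratch dir.
CA_ANCHOR_DIR="${CA_ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
CA_MANAGED_DIR="${CA_MANAGED_DIR:-/etc/pki/ca-trust/extracted}"
UPDATE_CA_TRUST="${UPDATE_CA_TRUST:-update-ca-trust}"

# Print the final target of a possibly chained symlink
# (e.g. /etc/alternatives/jre/lib/security/cacerts -> /etc/pki/java/cacerts -> ...).
resolve_keystore() {
    readlink -f "$1"
}

# Return 0 if the keystore lives under the ca-trust extracted tree: that file is
# rebuilt by every ca-certificates update, so manual keytool imports do not persist.
is_managed_keystore() {
    target=$(resolve_keystore "$1") || return 1
    case "$target" in
        "$CA_MANAGED_DIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Install a PEM CA certificate the supported way: drop it into the anchors
# directory and regenerate the extracted stores, including the Java keystore.
install_ca_anchor() {
    pem="$1"
    [ -f "$pem" ] || { echo "no such file: $pem" >&2; return 1; }
    cp "$pem" "$CA_ANCHOR_DIR/" || return 1
    "$UPDATE_CA_TRUST"
}

# Verify afterwards that the alias is present in the regenerated Java keystore
# (the extracted store uses the default password "changeit").
java_keystore_has_alias() {
    keytool -list -keystore "$1" -storepass changeit -alias "$2" >/dev/null 2>&1
}

# Usage on a real system:
#   if is_managed_keystore /etc/pki/java/cacerts; then
#       install_ca_anchor /path/to/my-ca.pem
#       java_keystore_has_alias /etc/pki/java/cacerts my-ca && echo "CA present"
#   fi
```

If is_managed_keystore returns 0 for the path keytool was pointed at, a missing certificate after an update is expected behaviour, not corruption: the fix is to re-add the CA via the anchors directory, after which it survives both ca-certificates and OpenJDK updates.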