Description of problem:
Upgrading java-1.8.0-openjdk via dnf seemingly leads to a keystore reset.

Version-Release number of selected component (if applicable):
Upgrade from java-1.8.0-openjdk-1:1.8.0.65-3.b17.fc23.x86_64 to 1:1.8.0.65-4.b17.fc23.x86_64

Steps to Reproduce:
1. Install java-1.8.0-openjdk-1:1.8.0.65-3.b17.fc23.x86_64
2. Import certificate into the java keystore
3. Update to java-1.8.0-openjdk-1:1.8.0.65-4.b17.fc23.x86_64

Actual results:
The previously imported certificate is no longer in the keystore.

Expected results:
The imported certificate should still be in the keystore.
What keystore are you using? The main keystore is /etc/pki/java/cacerts, which definitely survives an update.
I used the keystore contained in the jre (/etc/alternatives/jre/lib/security/cacerts) which points to /etc/pki/java/cacerts. All certificates in this keystore have "Creation date: Dec 4, 2015" as observed with /etc/alternatives/keytool -list -v -keystore /etc/pki/java/cacerts. This is the day I installed the update.
Hm. That is the link to the main cacerts file I mentioned. Are you sure that there was no update to cacerts in the transaction which corrupted it? The JDK is NOT maintaining this file. It is just linking it. The ca-certificates package is taking care of this file.
You're right, there has been an update of the ca-certificates package in the same transaction. Is that a bug worth reporting to the guys maintaining ca-certificates?
ca-certificates-2015.2.6-1.0.fc23 kengert 2015-11-23 17:00:47
http://koji.fedoraproject.org/koji/packageinfo?packageID=6260

So there was an update at the start of December. Maybe related?
(In reply to Sandra Thieme from comment #4)
> You're right, there has been an update of the ca-certificates package in the
> same transaction. Is that a bug worth reporting to the guys maintaining
> ca-certificates?

Do you have at least /etc/pki/java/cacerts.rpmsave/old/new/whatever? If so, then it is not a bug. If not, then it is very wrong that cacerts had overwritten this file without letting you know.
I can't find any such thing.
Sorry for being late to this bug.

If you look at the files, you can see they are symbolic links to a different location. They point to:
/etc/pki/ca-trust/extracted/java/cacerts

This is a dynamic location, which intentionally gets overwritten by updates of the ca-certificates package.

1-2 years ago, we introduced a new system for sharing CA certificates between all (or most) applications. It is documented here:
man update-ca-trust

In other words, please don't manually modify the default Java keystore located at
/etc/pki/ca-trust/extracted/java/cacerts

Instead, import your CA to the CA source directory as described in the man page, and run update-ca-trust.

Please let me know if there's any problem with that.
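
The workflow from the last comment as a script; this is an added example, not part of the bug thread or of the ca-certificates package. It assumes the source directory is /etc/pki/ca-trust/source/anchors (as given in update-ca-trust(8)); the function names and the EXTRACTED_DIR, ANCHOR_DIR and UPDATE_CA_TRUST overrides are hypothetical and exist only so the logic can be exercised without root.

```bash
#!/bin/bash
# Added example. Defaults are the paths named on this page and in
# update-ca-trust(8); the environment overrides are hypothetical test hooks.
EXTRACTED_DIR="${EXTRACTED_DIR:-/etc/pki/ca-trust/extracted}"
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# Return 0 if the keystore resolves (through any symlink chain) into the
# directory that ca-certificates regenerates, so keytool imports are lost.
is_managed_keystore() {
    local real base
    real="$(readlink -f -- "$1")" || return 2
    base="$(readlink -f -- "$EXTRACTED_DIR")" || return 2
    case "$real" in
        "$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy a PEM CA certificate into the source directory, then regenerate
# every extracted bundle, including the Java keystore.
install_ca_anchor() {
    local pem="$1"
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "not a PEM certificate: $pem" >&2
        return 1
    fi
    install -m 0644 -- "$pem" "$ANCHOR_DIR/" || return 1
    "${UPDATE_CA_TRUST:-update-ca-trust}"
}

# Usage: script CA.pem [KEYSTORE]   (run as root)
if [ "$#" -gt 0 ]; then
    keystore="${2:-/etc/pki/java/cacerts}"
    if is_managed_keystore "$keystore"; then
        echo "$keystore is regenerated by update-ca-trust; installing anchor"
        install_ca_anchor "$1"
    else
        echo "$keystore is not managed by ca-certificates; nothing done" >&2
        exit 1
    fi
fi
```

A certificate installed this way survives later ca-certificates updates, because the keystore is rebuilt from the source directory each time.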