installer: Debian packages cannot be installed together with ca-certificates-java

Because of the dependency of adoptopenjdk-* to ca-certificates-java in debian they are installed at the same time. For some reason both cannot be installed at the same time because ca-certificates-java needs a ready installed java to execute java but ca-certificates-java seems to be installed first so there is no java executable yet.

We have to look how openjdk-8-jre-headless does the magic in the debian package. It seems that the problem is this:

setup_path()
{
    for jvm in java-7-openjdk-$arch java-7-openjdk \
               oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
               java-8-openjdk-$arch java-8-openjdk \
               oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
               java-9-openjdk-$arch java-9-openjdk \
               oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
               java-10-openjdk-$arch java-10-openjdk \
               oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \
               java-11-openjdk-$arch java-11-openjdk \
               oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \
               java-12-openjdk-$arch java-12-openjdk \
               oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \
               java-13-openjdk-$arch java-13-openjdk \
               oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \
               java-14-openjdk-$arch java-14-openjdk \
               oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \
               java-15-openjdk-$arch java-15-openjdk \
               oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \
               java-16-openjdk-$arch java-16-openjdk \
               oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \
               java-17-openjdk-$arch java-17-openjdk \
               oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do
        if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
            export JAVA_HOME=/usr/lib/jvm/$jvm
            PATH=$JAVA_HOME/bin:$PATH
            break
        fi
    done
}

I think we could and should patch upstream to include also adoptopenjdk.

But for now i think we have to remove the dependency to ca-certificates-java.

About this issue

Original URL
State: closed
Created 5 years ago
Reactions: 2
Comments: 33 (21 by maintainers)

Commits related to this issue

[JENKINS-65069] Refer to AdoptOpenJDK CA issue for Debian 10 Docker image https://issues.jenkins.io/browse/JENKINS-65069 reports that the user was unable to register a custom certificate authority in... — committed to MarkEWaite/jenkins.io by MarkEWaite 3 years ago

Most upvoted comments

Another observation:

The cacerts file created by ca-certificates-java is not used at all without reconfiguration.
I just added our internal CA certificate to /usr/local/share/ca-certificates/ and ran update-ca-certificates.
Afterwards curl was able to connect successfully to one of our internal systems because /etc/ssl/certs/ca-certificates.crt was adapted.
/etc/ssl/certs/java/cacerts was adapted as well.
However you need to convince your java-program by setting system properties so it uses the OS provided cacerts: java -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts. Otherwise java will default to /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/jre/lib/security/cacerts.

mfriedenhagen on May 8, 2019

Good news: This is fixed. 😅 Bad news: The fix is in a holding pattern until Adoptium arrives and I’ve redone the JDK/JRE packages. I don’t want to wrestle with the old infrastructure anymore.

Details: For Debian, there will be a separate package (temporary name: adoptium-ca-certificates). This replaces ca-certificates-java from Debian/Ubuntu. It comes without the circular dependency and only depends on ca-certificates and p11-kit. A JRE/JDK isn’t necessary for its operation. It integrates with the system’s certificate store and its cacerts is automatically updated with update-ca-certificates as the Debian JDK. /etc/ssl/certs/adoptium/cacerts is going to serve as shared keystore for all Adoptium runtimes and will be symlinked.

I did not port the option to use a different keystore password than the default (changeit) or the option to sideload certificates that aren’t included in the local certificate store /usr/local/share/ca-certificates/. If anybody needs that, please speak up. It’s still possible to disable the automatic update via /etc/default/adoptium-ca-certificates.

Red Hat and SUSE flavours won’t need it because their ca-certificates has a cacerts included.

If anyone wants to follow the development, it’s currently on https://github.com/aahlenst/adoptium-ca-certificates and awaiting it’s permanent home. And this time, we even have a full test suite that ensures everything’s working across the board 🤞

aahlenst on Aug 8, 2020

$ docker run --rm -it -v ~/Downloads/adoptopenjdk-8-hotspot_1.8.0\ 212-1_amd64.deb:/tmp/adoptopenjdk-8-hotspot_1.8.0-212-1_amd64.deb debian:stretch-slim

root@dd6bde5b224d:/# apt-get -qq update
root@dd6bde5b224d:/# apt-get install /tmp/adoptopenjdk-8-hotspot_1.8.0-212-1_amd64.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'adoptopenjdk-8-hotspot' instead of '/tmp/adoptopenjdk-8-hotspot_1.8.0-212-1_amd64.deb'
The following additional packages will be installed:
  ca-certificates ca-certificates-java java-common libasound2 libasound2-data libbsd0 libnspr4 libnss3 libsqlite3-0 libssl1.1 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxi6 libxrender1 libxtst6 openssl x11-common
Suggested packages:
  default-jre libasound2-plugins alsa-utils
The following NEW packages will be installed:
  adoptopenjdk-8-hotspot ca-certificates ca-certificates-java java-common libasound2 libasound2-data libbsd0 libnspr4 libnss3 libsqlite3-0 libssl1.1 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxi6 libxrender1 libxtst6 openssl x11-common
0 upgraded, 22 newly installed, 0 to remove and 4 not upgraded.
Need to get 6575 kB/111 MB of archives.
After this operation, 225 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

.... stripped downloads ...

Fetched 6575 kB in 1s (3363 kB/s)            
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libxau6:amd64.
(Reading database ... 6316 files and directories currently installed.)

... stripped unpacking ...

Updating certificates in /etc/ssl/certs...
151 added, 0 removed; done.
Setting up libx11-data (2:1.6.4-3+deb9u1) ...
Setting up libxau6:amd64 (1:1.0.8-1) ...
Setting up libnss3:amd64 (2:3.26.2-1.1+deb9u1) ...
Setting up libxcb1:amd64 (1.12-1) ...
Setting up libx11-6:amd64 (2:1.6.4-3+deb9u1) ...
Setting up libxrender1:amd64 (1:0.9.10-1) ...
Setting up libxext6:amd64 (2:1.3.3-1+b2) ...
Setting up libxi6:amd64 (2:1.7.9-1) ...
Setting up libxtst6:amd64 (2:1.2.3-1) ...
Setting up ca-certificates-java (20170929~deb9u3) ...
/var/lib/dpkg/info/ca-certificates-java.postinst: line 56: java: command not found
dpkg: error processing package ca-certificates-java (--configure):
 subprocess installed post-installation script returned error exit status 127
dpkg: dependency problems prevent configuration of adoptopenjdk-8-hotspot:
 adoptopenjdk-8-hotspot depends on ca-certificates-java; however:
  Package ca-certificates-java is not configured yet.

dpkg: error processing package adoptopenjdk-8-hotspot (--configure):
 dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Processing triggers for ca-certificates (20161130+nmu1+deb9u1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

/etc/ca-certificates/update.d/jks-keystore: 90: /etc/ca-certificates/update.d/jks-keystore: java: not found
E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
done.
Errors were encountered while processing:
 ca-certificates-java
 adoptopenjdk-8-hotspot
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@dd6bde5b224d:/#

The same thing happens when using debian:stretch instead of debian:stretch-slim. And just for completeness the same happens on buster-slim as well.

docker run --rm -it -v ~/Downloads/adoptopenjdk-8-hotspot_1.8.0\ 212-1_amd64.deb:/tmp/adoptopenjdk-8-hotspot_1.8.0-212-1_amd64.deb debian:buster-slim /bin/bash -c 'apt-get -qq update ; export DEBIAN_FRONTEND=noninteractive; apt-get install -y --no-install-recommends /tmp/adoptopenjdk-8-hotspot_1.8.0-212-1_amd64.deb'

Setting up adoptopenjdk-8-hotspot (1.8.0+212-1) ...
update-alternatives: using /usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/appletviewer to provide /usr/bin/appletviewer (appletviewer) in auto mode
update-alternatives: error: error creating symbolic link '/usr/share/man/man1/appletviewer.1.dpkg-tmp': No such file or directory
dpkg: error processing package adoptopenjdk-8-hotspot (--configure):
 installed adoptopenjdk-8-hotspot package post-installation script subprocess returned error exit status 2
dpkg: dependency problems prevent configuration of ca-certificates-java:
 ca-certificates-java depends on default-jre-headless | java8-runtime-headless; however:
  Package default-jre-headless is not installed.
  Package java8-runtime-headless is not installed.
  Package adoptopenjdk-8-hotspot which provides java8-runtime-headless is not configured yet.

dpkg: error processing package ca-certificates-java (--configure):
 dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.28-8) ...
Processing triggers for ca-certificates (20190110) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Errors were encountered while processing:
 adoptopenjdk-8-hotspot
 ca-certificates-java
E: Sub-process /usr/bin/dpkg returned an error code (1)

mfriedenhagen on May 7, 2019