Simple OpenJDK installation failure

[Mark Carroll]

A minimal reproducer is:

$ docker run -it debian:bullseye
# apt-get update
# apt-get install openjdk-17-jre-headless

which presently fails with,

Setting up ca-certificates-java (20190909) ...
head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
Exception in thread "main" java.lang.InternalError: Error loading java.security file
at java.base/java.security.Security.initialize(Security.java:106)
at java.base/java.security.Security$1.run(Security.java:84)
at java.base/java.security.Security$1.run(Security.java:82)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/java.security.Security.<clinit>(Security.java:82)
at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
dpkg: error processing package ca-certificates-java (--configure):
installed ca-certificates-java package post-installation script subprocess returned error exit status 1

What puzzles me is why I haven't run into this before and why
nobody else seems to be either, judging by my failure to find
any current reports of this. Not sure if to submit a new bug
and, if so, against which package.

-- Mark

[Marco Moock]

Am 17.06.2023 um 07:14:21 Uhr schrieb Mark Carroll:

> $ docker run -it debian:bullseye
> # apt-get update
> # apt-get install openjdk-17-jre-headless

Does it also occur in a normal Debian installation without docker?

[Mark Carroll]

I don't know, I don't presently have a spare machine handy onto which I
can install a fresh bullseye to check. Having said that, I'd wonder why
the dockerized version would be any different for JRE installation.

-- Mark

[Marco Moock]

Am 18.06.2023 um 16:55:15 Uhr schrieb Mark Carroll:

> I don't know, I don't presently have a spare machine handy onto which
> I can install a fresh bullseye to check. Having said that, I'd wonder
> why the dockerized version would be any different for JRE
> installation.

Docker might be different.

Why don't you install VirtualBox on your machine and install Debian
inside?

[Adrian Caspersz]

On 17/06/2023 07:14, Mark Carroll wrote:
> A minimal reproducer is:
>
> $ docker run -it debian:bullseye
> # apt-get update
> # apt-get install openjdk-17-jre-headless

A containerised OS image running under docker has a lot stripped out
that foils usage of traditional installation tools that you would use in
the full OS context. There is not much of an init process.

That said, you have got so far. I wonder what would happen if you
downloaded the certs and made them available to the container though a
volume mount.

But I wouldn't start here.

You could instead use a docker image of OpenJDK, built running under
various linux flavors.

https://www.baeldung.com/ops/java-openjdk-docker-images-slim-vs-slim-stretch-vs-stretch-vs-alpine

Unfortunately, OpenJDK under docker has been deprecated since July 2022,
and users are being pointed elsewhere (something from Amazon, ugh)

Why not install an OS under VirtualBox?

For setup speed, you could use Vagrant images in that already prebuilt
with Java and other requirements for your project.

--
Adrian C

[Richard Kettlewell]

Mark Carroll <mt...@ixod.org> writes:
> A minimal reproducer is:
>
> $ docker run -it debian:bullseye
> # apt-get update
> # apt-get install openjdk-17-jre-headless
>
> which presently fails with,
>
> Setting up ca-certificates-java (20190909) ...
> head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such
> file or directory

I see the same behavior. I don’t have time to investigate further right
now but I note that the following behaves better:

# apt-get update
# apt-get install ca-certificates-java
# apt-get install openjdk-17-jre-headless

> What puzzles me is why I haven't run into this before and why
> nobody else seems to be either, judging by my failure to find
> any current reports of this. Not sure if to submit a new bug
> and, if so, against which package.

I’d report against ca-certificates-java and let the maintainer diagnose.

--
https://www.greenend.org.uk/rjk/

[Mark Carroll]

On 19 Jun 2023, Richard Kettlewell wrote:

> I see the same behavior. I don’t have time to investigate further right
> now but I note that the following behaves better:
>
> # apt-get update
> # apt-get install ca-certificates-java
> # apt-get install openjdk-17-jre-headless

Indeed it does! Thanks for confirming.

>> What puzzles me is why I haven't run into this before and why
>> nobody else seems to be either, judging by my failure to find
>> any current reports of this. Not sure if to submit a new bug
>> and, if so, against which package.
>
> I’d report against ca-certificates-java and let the maintainer diagnose.

Thank you. It's most helpful to have the workaround but _if_ this is
_supposed_ to work then it's also good if I let somebody know that it
doesn't so I've now reported it as #1038635 (wow, we're up to seven
digits).

At least it does seem to be fixed for bookworm, testing further before
I'm sure though.

-- Mark