Fixing Java CA Certificates on openSUSE

Recently switched back to openSUSE after a brief stint with Ubuntu. I guess you need to try other things out to know how good you have it, eh?  Anyway, I’m playing with Leiningen and Quil, but for some reason or other, I could not get Leiningen to self-install, because of an exception: problem accessing trust Invalid keystore format

It turns out that the java keystore is somehow corrupt on OpenJDK / openSUSE 12.3. Not sure who’s at fault, but here’s how to fix it.

  1. Become root:
    $ su -
  2. Verify the certificates file:
    # file $(readlink /usr/lib64/jvm/java-1.7.0-openjdk/jre/lib/security/cacerts)
    /var/lib/ca-certificates/java-cacerts: data
  3. Oops, file should identify this as a Java KeyStore. Must be corrupt. Replace it:
    # rm /var/lib/ca-certificates/java-cacerts
    # /usr/sbin/update-ca-certificates
    creating /var/lib/ca-certificates/java-cacerts ...
    144 added, 0 removed.
    creating /var/lib/ca-certificates/gcj-cacerts ...
    imporing AffirmTrust_Premium_ECC.pem failed:
    imporing COMODO_ECC_Certification_Authority.pem failed:
    imporing GeoTrust_Primary_Certification_Authority_G2.pem failed:
    imporing VeriSign_Class_3_Public_Primary_Certification_Authority_G4.pem failed:
    imporing thawte_Primary_Root_CA_G2.pem failed:
    2 added, 0 removed.
  4. Hmm, something’s up with gcj-cacerts (not just all those “imporing”s, seems the PEM files are corrupted too?)… Anyway, re-verify the java-cacerts:
    # file /var/lib/ca-certificates/java-cacerts
    /var/lib/ca-certificates/java-cacerts: Java KeyStore
  5. Good to go (sort-of?)

3 thoughts on “Fixing Java CA Certificates on openSUSE

  1. I am really interested in what you like in OpenSUSE over Ubuntu. I am pretty much the opposite: long time Debian/Ubuntu user. I tried OpenSUSE, but switched back to Ubuntu after a week or so.

    I chalked mine up to “It’s the devil I know”.

    • Hey Alex,

      It is the devil you know, I guess (or the lizard)! There are parts of Debian/Ubuntu I preferr (.deb for instance, and apt-get build-dep ), but openSUSE is the only distro’ that I’ve returned to twice, so that told me something right off. The whole distro’ feels more professional, like it is serious about computing and won’t change technical direction on the whim of some CEO. Also, if the world’s fastest (when I switched back) supercomputer is running SLES, there must be something awesome about it. Cue fanboy rave:

      The “killer app” for me is KDE. Yes, there’s Kubuntu, but when last I tried that (11.04 or something?), it was not well integrated to the distro, had it’s own system tools separate from the more widely used GNOME ones (meaning less known in community), and the help system was broken with topics appearing to be listed twice. Also – to my mind at least – any *buntu flavour that isn’t the main Ubuntu, is treated as a 2nd-class citizen on the forums and the documentation.

      OpenSUSE’s documentation is the best I have ever used for any system, be that Linux, Unix (Solaris), MacOS X or even my sweet little 8-bit Amstrad. It is well worth reading. If you don’t like to read manuals then I guess this isn’t such a big point.

      Yast is allright (it’s showing its age and is a little under-maintained these days), but the big draw-card in system tools for me is Zypper, which is like aptitude/yum only you don’t need to muck in config files for repo management, and it’s fast. For oS 12.3 I was also interested in its integration with snapper/btrfs filesystem rollback. Also Compiz came from the Novel Labs work originally.

Comments are closed.