Currently the cert refresh scriptlets are being run after package installation.
In the case of an upgrade, as always, the new package is installed before the old package is removed, so it was running the refresh with the to-be-removed files still in place.
- Explicitly on initial installation only in the %post.
- Run after package is removed during an upgrade in the %postun.
We cannot run on removal since /usr/sbin/cern-import-certs-java is not available anyway.
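
The scriptlet split described in this message could look like the following in a spec file. This is an added illustration, not the package's actual spec: it relies on rpm passing the remaining instance count as `$1`, and calling `/usr/sbin/cern-import-certs-java` without arguments is an assumption.

```spec
%post
# $1 is the number of instances of this package left after the transaction:
# 1 = initial installation, 2 or more = upgrade.
if [ "$1" -eq 1 ]; then
    # Assumption: the import tool is invoked without arguments.
    /usr/sbin/cern-import-certs-java || :
fi

%postun
# rpm runs this scriptlet from the package version being replaced, after
# its files have been removed. $1 >= 1 means upgrade, $1 = 0 means erase.
if [ "$1" -ge 1 ] && [ -x /usr/sbin/cern-import-certs-java ]; then
    /usr/sbin/cern-import-certs-java || :
fi
# On erase ($1 = 0) nothing is run: the import tool is not available.
```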