Error - trustAnchors parameter must be non-empty
In Ubuntu 18.04, this error has a different cause (JEP 229, the switch from the jks keystore default format to the pkcs12 format, and the Debian cacerts file generation using the default for new files) and workaround:
# Ubuntu 18.04 and various Docker images such as openjdk:9-jdk throw exceptions when
# Java applications use SSL and HTTPS, because Java 9 changed a file format, if you
# create that file from scratch, like Debian / Ubuntu do.
#
# Before applying, run your application with the Java command line parameter
# java -Djavax.net.ssl.trustStorePassword=changeit ...
# to verify that this workaround is relevant to your particular issue.
#
# The parameter by itself can be used as a workaround, as well.
# 0. First make yourself root with 'sudo bash'.
# 1. Save an empty JKS file with the default 'changeit' password for Java cacerts.
# Use 'printf' instead of 'echo' for Dockerfile RUN compatibility.
/usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > /etc/ssl/certs/java/cacerts
# 2. Re-add all the CA certs into the previously empty file.
/var/lib/dpkg/info/ca-certificates-java.postinst configure
Status (2018-08-07): the bug has been fixed in Ubuntu Bionic LTS 18.04.1 and Ubuntu Cosmic 18.10.
- Ubuntu 1770553: [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1)
- Ubuntu 1769013: Please merge ca-certificates-java 20180413 (main) from Debian unstable (main)
- Ubuntu 1739631: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file
- docker-library 145: 9-jdk image has SSL issues
- Debian 894979: ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
- JDK-8044445: JEP 229: Create PKCS12 Keystores by Default
- JEP 229: Create PKCS12 Keystores by Default
If the issue continues after this workaround, you might want to make sure that you're actually running the Java distribution you just fixed.
$ which java
/usr/bin/java
You can set the Java alternatives to 'auto' with:
$ sudo update-java-alternatives -a
update-alternatives: error: no alternatives for mozilla-javaplugin.so
You can double-check the Java version you're executing:
$ java --version
openjdk 10.0.1 2018-04-17
OpenJDK Runtime Environment (build 10.0.1+10-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 10.0.1+10-Ubuntu-3ubuntu1, mixed mode)
There are alternative workarounds as well, but those have their own side effects which will require extra future maintenance, for no payoff whatsoever.
The next-best workaround is to add the row
javax.net.ssl.trustStorePassword=changeit
to the files
/etc/java-9-openjdk/management/management.properties
/etc/java-11-openjdk/management/management.properties
whichever exists.
The third least problematic workaround is to change the value of
keystore.type=pkcs12
to
keystore.type=jks
in the files
/etc/java-9-openjdk/security/java.security
/etc/java-11-openjdk/security/java.security
whichever exists, and then remove the cacerts
file and regenerate it in the manner described on the last row of the workaround script at the top of the post.
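A quick way to check which of the failure modes described above applies to a given cacerts file, before touching it, is to look at its header: a JKS file starts with the magic bytes fe ed fe ed and carries a big-endian entry count at offset 8, while a PKCS12 file is DER and starts with a 0x30 SEQUENCE tag. The probe below is an added example, not code from the answer; it writes a sample JKS header (constructed from the bytes of the empty-keystore workaround above) to a temporary file instead of reading /etc, and the function name keystore_probe is my own.

```shell
#!/bin/sh
# Diagnostic for the "trustAnchors parameter must be non-empty" symptom:
# report whether a cacerts file is JKS or PKCS12 and, for JKS, how many
# entries it holds. An empty JKS (0 entries), or a PKCS12 file read by a
# JDK that still expects JKS, both produce the error discussed in the post.
# Usage: keystore_probe /etc/ssl/certs/java/cacerts

keystore_probe() {
  file="$1"
  [ -r "$file" ] || { echo "unreadable"; return 1; }
  # First four bytes of the file as lowercase hex
  magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
  case "$magic" in
    feedfeed)
      # JKS layout: magic (4) | version (4) | big-endian entry count (4) | entries
      count_hex=$(od -An -tx1 -j8 -N4 "$file" | tr -d ' \n')
      count_hex=${count_hex:-0}   # truncated file: treat as no entries
      echo "jks entries=$((0x$count_hex))"
      ;;
    30*)
      # DER SEQUENCE tag: PKCS12 (PFX) files begin this way
      echo "pkcs12"
      ;;
    *)
      echo "unknown"
      ;;
  esac
}

# Constructed sample: the 12-byte header of the empty JKS file written by the
# workaround script (magic, version 2, entry count 0), placed in a temp file.
probe_empty_jks_sample() {
  tmp=$(mktemp)
  printf '\376\355\376\355\000\000\000\002\000\000\000\000' > "$tmp"
  keystore_probe "$tmp"
  rm -f "$tmp"
}
```

On an affected Ubuntu 18.04 box the real file reports "pkcs12" (the cause of the error), and after step 1 of the script it reports "jks entries=0" until step 2 repopulates it.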
This bizarre message means that the trustStore you specified was:
- empty,
- not found, or
- couldn't be opened (due to a wrong/missing trustStorePassword, or file access permissions, for example).
See also @AdamPlumb's answer below.
This fixed the problem for me on Ubuntu:
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure
(found here: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760)
ca-certificates-java is not a dependency in the Oracle JDK/JRE, so this must be explicitly installed.