the trustAnchors parameter must be non-empty

Bug #1743139 reported by Marvin on 2018-01-13
This bug affects 9 people
Affects Status Importance Assigned to Milestone
openjdk-11 (Ubuntu)
openjdk-9 (Ubuntu)

Bug Description

When trying to access anything using Java + HTTPS, the process is terminated with an Adding to the command line flags of java fixes this problem.

Either the trust store's password should be changed, or this flag should be added by default.

Mittles (mittles) wrote :

I have been able to replicate this bug. It becomes apparent when attempting to run Minecraft.jar, the official Minecraft Java client under OpenJDK 9 on a fresh install of Ubuntu Mate 18.04 Beta 2.

I was able to find a solution though it isn't a proper fix. Purge all related packages and install the older openjdk-8-jre first, then a newer version on top of it. It looks like the default packages are not installing the certificates properly.

See under amb85. Ubuntu MATE 18.04 includes a ppa in the Software Boutique which installs Minecraft, but it runs into the same issue as using Minecraft.jar from Mojang's website.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-9 (Ubuntu):
status: New → Confirmed

Sam Uong (samuong) wrote :

I'm not sure that changing the trust store password, or setting by default, is the right way to fix this. Oracle's JRE contains a keystore with the same password ("changeit") but doesn't require this property to be set.

I noticed that /etc/ssl/certs/java/cacerts in 18.04 is a PKCS12 keystore, whereas the keystore bundled with Oracle's JRE (as well as the cacerts in 17.10) is a JKS keystore:

sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: PKCS12
sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: JKS

If I convert my cacerts file, then things start to work again:

sam@sam-desktop:~$ sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
sam@sam-desktop:~$ sudo keytool -importkeystore -destkeystore /etc/ssl/certs/java/cacerts -deststoretype jks -deststorepass changeit -srckeystore /etc/ssl/certs/java/cacerts.old -srcstoretype pkcs12 -srcstorepass changeit
sam@sam-desktop:~$ java HttpsTester
Response code: 200
It worked!

Not sure why a PKCS12 keystore needs a password but a JKS one doesn't, but maybe whatever is generating /etc/ssl/certs/java/cacerts just needs to be changed to generate JKS keystores again?
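
A way to tell which format a cacerts file is in without keytool or the store password, shown as an added example that is not part of the original bug thread. It reads the file's leading bytes: JKS files start with the magic 0xFEEDFEED, JCEKS with 0xCECECECE, and PKCS#12 is DER-encoded so it starts with an ASN.1 SEQUENCE tag (0x30). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Java keystore file by its leading bytes.
# The 0x30 (PKCS12) test is a heuristic: any DER-encoded file starts that way.

keystore_type() {
    # $1: path to the keystore file (e.g. /etc/ssl/certs/java/cacerts)
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        feedfeed) echo "JKS" ;;
        cececece) echo "JCEKS" ;;
        30*)      echo "PKCS12" ;;
        "")       echo "empty"; return 1 ;;
        *)        echo "unknown"; return 1 ;;
    esac
}

# Succeeds only if the store is in the format the thread found working (JKS).
check_cacerts() {
    t=$(keystore_type "$1") || true
    if [ "$t" = "JKS" ]; then
        echo "$1: $t (ok)"
    else
        echo "$1: $t (expected JKS)"
        return 1
    fi
}

# Constructed sample files so the script runs offline; they carry only
# the leading bytes of each format, not real keystores.
demo() {
    d=$(mktemp -d)
    printf '\376\355\376\355\000\000\000\002' > "$d/jks"
    printf '\060\202\004\322\002\001\003' > "$d/p12"
    check_cacerts "$d/jks"
    check_cacerts "$d/p12" || true
    rm -rf "$d"
}

demo
```

On an affected system, `check_cacerts /etc/ssl/certs/java/cacerts` gives the same answer as the `keytool -list ... | grep 'Keystore type:'` check in the comment above.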

Sam Uong (samuong) wrote :

This looks like it's been fixed in Debian with

  * Always generate a JKS keystore instead of using the default format
    (Closes: #894979)

ChaoGuo (nsguochao) wrote :

This issue still exists in 18.04 and affects almost everyone I know using Ubuntu 18.04.

The scripts of whatever package should only generate jks keystore instead of pkcs12.

Michael Rushanan (micharu123) wrote :

Sam Uong's recommendation of switching the PKCS12 keystore type to JKS fixes the InvalidAlgorithmParameterException.

I experienced this bug while using both openjdk-1.8-jdk and default-jdk package installs on Ubuntu 18.04. For those that might similarly discover this bug when attempting to run their gradle builds, you need to:

1. Follow Sam Uong's post above
2. Kill all gradle processes
3. Re-run your gradle build scripts

I figure this small bit of text may be indexed and help others that narrow their search on gradle.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-11 (Ubuntu):
status: New → Confirmed