java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Bug #1743139 reported by Marvin on 2018-01-13
This bug affects 7 people
Affects: openjdk-9 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

When trying to access anything using Java + HTTPS, the process is terminated with a java.security.InvalidAlgorithmParameterException. Adding -Djavax.net.ssl.trustStorePassword=changeit to the command line flags of java fixes this problem.

Either the trust store's password should be changed, or this flag should be added by default.

Mittles (mittles) wrote :

I have been able to replicate this bug. It becomes apparent when attempting to run Minecraft.jar, the official Minecraft Java client under OpenJDK 9 on a fresh install of Ubuntu Mate 18.04 Beta 2. https://i.imgur.com/HRzRl8J.png

I was able to find a solution though it isn't a proper fix. Purge all related packages and install the older openjdk-8-jre first, then a newer version on top of it. It looks like the default packages are not installing the certificates properly.

See https://askubuntu.com/questions/971059/17-10-openjdk-and-oracle-jdk-8-and-9-the-trustanchors-parameter-must-be-non-empt under amb85. Ubuntu MATE 18.04 includes a ppa in the Software Boutique which installs Minecraft, but it runs into the same issue as using Minecraft.jar from Mojang's website.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-9 (Ubuntu):
status: New → Confirmed

Sam Uong (samuong) wrote :

I'm not sure that changing the trust store password, or setting javax.net.ssl.trustStorePassword by default, is the right way to fix this. Oracle's JRE contains a keystore with the same password ("changeit") but doesn't require this property to be set.

I noticed that /etc/ssl/certs/java/cacerts in 18.04 is a PKCS12 keystore, whereas the keystore bundled with Oracle's JRE (as well as the cacerts in 17.10) is a JKS keystore:

sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: PKCS12
sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: JKS

If I convert my cacerts file, then things start to work again:

sam@sam-desktop:~$ sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
...
sam@sam-desktop:~$ sudo keytool -importkeystore -destkeystore /etc/ssl/certs/java/cacerts -deststoretype jks -deststorepass changeit -srckeystore /etc/ssl/certs/java/cacerts.old -srcstoretype pkcs12 -srcstorepass changeit
...
sam@sam-desktop:~$ java HttpsTester
Response code: 200
It worked!

Not sure why a PKCS12 keystore needs a password but a JKS one doesn't, but maybe whatever is generating /etc/ssl/certs/java/cacerts just needs to be changed to generate JKS keystores again?
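
Added example (not part of the original report or of any commenter's post): a keytool-free way to tell which format a cacerts file is in from its leading bytes, for checking hosts for the PKCS12 truststore described above without a JDK or the store password. The function name and return codes are this example's own choices; it relies on the JKS and JCEKS file signatures and on a PKCS12 file being a DER SEQUENCE whose first element is the version INTEGER 3.

```shell
#!/bin/sh
# Added example: classify a Java keystore by its first bytes.
# keystore_format and its return codes are hypothetical names for this sketch.

keystore_format() {
    # Hex of the first 16 bytes, e.g. "fe ed fe ed 00 00 00 02 ..."
    hex=$(od -An -tx1 -N16 "$1" 2>/dev/null | tr -s ' \n' ' ' | sed 's/^ //; s/ $//')
    [ -n "$hex" ] || { echo unreadable; return 2; }

    case "$hex" in
        "fe ed fe ed"*) echo JKS;   return 0 ;;   # JKS magic number
        "ce ce ce ce"*) echo JCEKS; return 0 ;;   # JCEKS magic number
    esac

    # PKCS12: DER SEQUENCE (tag 30), a length field, then INTEGER 3 (02 01 03).
    set -- $hex
    if [ "$#" -lt 5 ] || [ "$1" != 30 ]; then echo unknown; return 1; fi

    len=$((0x$2))
    skip=2                                   # tag byte + short-form length byte
    if [ "$len" -ge 128 ]; then
        skip=$((2 + (len & 127)))            # long form: extra length bytes follow
    fi
    if [ "$#" -lt $((skip + 3)) ]; then echo unknown; return 1; fi

    shift "$skip"
    if [ "$1 $2 $3" = "02 01 03" ]; then echo PKCS12; return 0; fi
    echo unknown
    return 1
}

# Stand-alone use: check the files given as arguments, or the path from this report.
[ "$#" -gt 0 ] || set -- /etc/ssl/certs/java/cacerts
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(keystore_format "$f")"
done
```
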

Sam Uong (samuong) wrote :

This looks like it's been fixed in Debian with https://launchpad.net/debian/+source/ca-certificates-java/20180413:

  * Always generate a JKS keystore instead of using the default format
    (Closes: #894979)

ChaoGuo (nsguochao) wrote :

This issue still exists in 18.04 and affects almost everyone I know using Ubuntu 18.04.

The scripts of whatever package should only generate jks keystore instead of pkcs12.

Michael Rushanan (micharu123) wrote :

Sam Uong's recommendation of switching the PKCS12 keystore type to JKS fixes the InvalidAlgorithmParameterException.

I experienced this bug while using both openjdk-1.8-jdk and default-jdk package installs on Ubuntu 18.04. For those that might similarly discover this bug when attempting to run their gradle builds, you need to:

1. Follow Sam Uong's post above
2. Kill all gradle processes
3. Re-run your gradle build scripts

I figure this small bit of text may be indexed and help others that narrow their search on gradle.
