Bug#894979: ca-certificates-java: SSL error: "the trustAnchors parameter must be non-empty"
Raphael Hertzog
hertzog at debian.org
Thu Apr 12 17:11:17 BST 2018
retitle -1 ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
severity -1 serious
thanks
Hello,
On Thu, 05 Apr 2018, George B. wrote:
> I am getting an error when connecting to HTTPS from java. Looking around
> the problem always seems to talk about this package, but please
> re-assign if something else is to blame.
I confirm the issue. If you have only OpenJDK 9 installed, then the
/etc/ssl/certs/java/cacerts file generated by the postinst (or the
ca-certificates hook) is not working and will lead to errors like the one
you showed.
Work-around:
$ sudo apt install openjdk-8-jre
$ sudo rm /etc/ssl/certs/java/cacerts
$ sudo update-ca-certificates --fresh
This works because /etc/ca-certificates/update.d/jks-keystore prefers
OpenJDK 8 over OpenJDK 9.
> Testing with the following code (I don't really know any Java and it's
> the first thing I found to test with):
> https://gist.github.com/4ndrej/4547029
This was really useful to debug the issue, thank you! My failing java
application was much bigger and harder to strace.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
More information about the pkg-java-maintainers
mailing list