java – Error – trustAnchors parameter must be non-empty

java – Error – trustAnchors parameter must be non-empty

This bizarre message means that the trustStore you specified was:

  • empty,
  • not found, or
  • couldnt be opened
    • (due to wrong/missing trustStorePassword, or
    • file access permissions, for example).

See also @AdamPlumbs answer below.

In Ubuntu 18.04, this error has a different cause (JEP 229, switch from the jks keystore default format to the pkcs12 format, and the Debian cacerts file generation using the default for new files) and workaround:

# Ubuntu 18.04 and various Docker images such as openjdk:9-jdk throw exceptions when
# Java applications use SSL and HTTPS, because Java 9 changed a file format, if you
# create that file from scratch, like Debian / Ubuntu do.
#
# Before applying, run your application with the Java command line parameter
#  java -Djavax.net.ssl.trustStorePassword=changeit ...
# to verify that this workaround is relevant to your particular issue.
#
# The parameter by itself can be used as a workaround, as well.

# 0. First make yourself root with sudo bash.

# 1. Save an empty JKS file with the default changeit password for Java cacerts.
#    Use printf instead of echo for Dockerfile RUN compatibility.
/usr/bin/printf xfexedxfexedx00x00x00x02x00x00x00x00xe2x68x6ex45xfbx43xdfxa4xd9x92xddx41xcexb6xb2x1cx63x30xd7x92 > /etc/ssl/certs/java/cacerts

# 2. Re-add all the CA certs into the previously empty file.
/var/lib/dpkg/info/ca-certificates-java.postinst configure

Status (2018-08-07), the bug has been fixed in Ubuntu Bionic LTS 18.04.1 and Ubuntu Cosmic 18.10.


Ubuntu 1770553: [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1)

Ubuntu 1769013: Please merge ca-certificates-java 20180413 (main) from Debian unstable (main)

Ubuntu 1739631: Fresh install with JDK 9 cant use the generated PKCS12 cacerts keystore file

docker-library 145: 9-jdk image has SSL issues

Debian 894979: ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

JDK-8044445 : JEP 229: Create PKCS12 Keystores by Default

JEP 229: Create PKCS12 Keystores by Default


If the issue continues after this workaround, you might want to make sure that youre actually running the Java distribution you just fixed.

$ which java
/usr/bin/java

You can set the Java alternatives to auto with:

$ sudo update-java-alternatives -a
update-alternatives: error: no alternatives for mozilla-javaplugin.so

You can double-check the Java version youre executing:

$ java --version
openjdk 10.0.1 2018-04-17
OpenJDK Runtime Environment (build 10.0.1+10-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 10.0.1+10-Ubuntu-3ubuntu1, mixed mode)

There are alternative workarounds as well, but those have their own side effects which will require extra future maintenance, for no payoff whatsoever.

The next-best workaround is to add the row

javax.net.ssl.trustStorePassword=changeit

to the files

/etc/java-9-openjdk/management/management.properties
/etc/java-11-openjdk/management/management.properties

whichever exists.

The third least problematic workaround is to change the value of

keystore.type=pkcs12

to

keystore.type=jks

in the files

/etc/java-9-openjdk/security/java.security
/etc/java-11-openjdk/security/java.security

whichever exists, and then remove the cacerts file and regenerate it in the manner described on the last row of the workaround script at the top of the post.

java – Error – trustAnchors parameter must be non-empty

This fixed the problem for me on Ubuntu:

sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure

(found here: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760)

ca-certificates-java is not a dependency in the Oracle JDK/JRE so this must be explicitly installed.

Leave a Reply

Your email address will not be published.