NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [Q] 9.1 amd64 openJDK11 error on certificates

Found a work around for this problem.
I am guessing, that, perhaps, not many people using JDK 11 on NetBSD 9.x. It presents itself any time an HTTPS URL is used. So gradle, maven, any program that uses network classes that rely on HTTPS protocol would see this 



-- script start --
# ts1000: workaround to fix cacert store for OpenJDK 11 on NetBSD 9.1
# this workaround just reimports existing certificates in $JAVA_HOME/lib/security/cacerts # into a JKS format store, and then just replaces the cacerts with the JKS version 

# must be done as root
# also assuming keytool is in the $PATH
# that is:  we have export JAVA_HOME=/usr/pkg/java/openjdk11
# and export PATH=${PATH}:${JAVA_HOME}/bin

cd /usr/pkg/java/openjdk11/lib/security
keytool -importkeystore -srckeystore /usr/pkg/java/openjdk11/lib/security/cacerts -destkeystore /usr/pkg/java/openjdkmv cacerts cacerts.org 
ln -s cacerts.jks cacerts



-- script end --

Similar problem was with Docker.  I picked up a solution from there

https://github.com/docker-library/openjdk/pull/263/files



I also updated the gnats issue report with the workaround
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=55758



On 2020-10-24 21:00, ts1000 wrote:

Hello,
I have a java project organized by Gradle.
First thing that gradle does, is it downloads dependencies.

But that first step is not working on netBSD-9.1 amd64
I tried with pkgin, as well as building openjdk11 from source.
Error is the same.

I also installed, with pkgin,
ca-certificates-20200601
mozilla-rootcerts-1.0.20200529nb1

But that did not help. Would appreciate any pointers on where to look


The error I am getting is:

-- begin --
nbsd1$ bash gradlew
Downloading https://services.gradle.org/distributions/gradle-6.5.1-all.zip 

Exception in thread "main" javax.net.ssl.SSLException: Unexpected
error: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133) 
        at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
        at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
        at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
        at
java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1576)
        at
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:453)
        at
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
        at
java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at
java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
        at
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
        at
java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
at org.gradle.wrapper.Download.downloadInternal(Download.java:67) 
        at org.gradle.wrapper.Download.download(Download.java:52)
        at org.gradle.wrapper.Install$1.call(Install.java:62)
        at org.gradle.wrapper.Install$1.call(Install.java:48)
        at
org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
        at org.gradle.wrapper.Install.createDist(Install.java:48)
at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107) at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:62) 
Caused by: java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
        at
java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
        at
java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
        at
java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
        at
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
        at
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
        at
java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
        at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
        at
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
        at
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at
java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) 
        at
java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403)
        at
java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
        at
java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        ... 14 more
Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
        at
java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at
java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at
java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at
java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
        ... 30 more
nbsd1$

-- end --

java env:

nbsd1$ java --version
openjdk 11.0.8-internal 2020-07-14
OpenJDK Runtime Environment (build
11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1)
OpenJDK 64-Bit Server VM (build
11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1, mixed
mode)
nbsd1$
Home | Main Index | Thread Index | Old Index