Bug#894979: ca-certificates-java: SSL error: "the trustAnchors parameter must be non-empty"

George B. i93.borg at gmail.com
Thu Apr 5 20:00:43 BST 2018 

Package: ca-certificates-java
Version: 20170930
Severity: important

Hello,

I am getting an error when connecting to HTTPS from java. Looking around
the problem always seems to talk about this package, but please
re-assign if something else is to blame.

Testing with the following code (I don't really know any Java and it's
the first thing I found to test with):

https://gist.github.com/4ndrej/4547029

```
borisov at glossy:~ $ java SSLPoke google.com 443
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
        at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1969)
        at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1921)
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1904)
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1830)
        at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
        at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
        at SSLPoke.main(SSLPoke.java:23)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
        at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:330)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:180)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:192)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
        at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
        at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
        at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
        at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)
        at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
        at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
        at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
        at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
        ... 2 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
        ... 18 more
```

I have tried "sudo update-ca-certificates -f" but that did not help.


Thanks,

George

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates-java depends on:
ii  ca-certificates                                  20170717
ii  default-jre-headless [java8-runtime-headless]    2:1.9-63
ii  libnss3                                          2:3.35-2
ii  openjdk-9-jre-headless [java8-runtime-headless]  9.0.4+12-4

ca-certificates-java recommends no packages.

ca-certificates-java suggests no packages.

-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: '/etc/default/cacerts'

-- debconf-show failed

More information about the pkg-java-maintainers mailing list