/01_pkcs12-cacerts-workaround.sh
Forked from mikaelhg/01_pkcs12-cacerts-workaround.sh
Created Jun 20, 2018
Workaround for java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
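# Ubuntu 18.04 and various Docker images such as openjdk:9-jdk throw exceptions when
# Java applications use SSL and HTTPS, because Java 9 changed a file format, if you
# create that file from scratch, like Debian / Ubuntu do.
#
# Before applying, run your application with the Java command line parameter
# java -Djavax.net.ssl.trustStorePassword=changeit ...
# to verify that this workaround is relevant to your particular issue.
#
# The parameter by itself can be used as a workaround, as well.
#
# Why it matters: /etc/ssl/certs/java/cacerts is Java's default trust store. When
# Java cannot parse it, it ends up with zero trust anchors and rejects every TLS
# server certificate (the "trustAnchors parameter must be non-empty" error below).
# The store password only protects the file's integrity digest; the CA
# certificates inside are public, so 'changeit' is not a secret here.
set -e

readonly cacerts=/etc/ssl/certs/java/cacerts
readonly postinst=/var/lib/dpkg/info/ca-certificates-java.postinst

# 1. Save an empty JKS file with the default 'changeit' password for Java cacerts.
# Use 'printf' instead of 'echo' for Dockerfile RUN compatibility.
# The 32 bytes are: JKS magic (feedfeed), format version 2, entry count 0, and a
# 20-byte integrity digest that depends on the store password. Do not hand-edit
# the blob; regenerate it with gen_jks below if you need a different password.
[ -d "${cacerts%/*}" ] || { printf 'missing directory %s\n' "${cacerts%/*}" >&2; exit 1; }
/usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > "$cacerts"

# 2. Re-add all the CA certs into the previously empty file.
# This is the Debian/Ubuntu maintainer script of ca-certificates-java; fail loudly
# if it is absent rather than leaving the empty trust store in place.
[ -x "$postinst" ] || { printf 'missing %s (is ca-certificates-java installed?)\n' "$postinst" >&2; exit 1; }
"$postinst" configure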
# How to generate an empty keystore for verification. You don't need to do this.
# pip3 install --user pyjks
import jks


def gen_jks(pwd):
    """Print an empty JKS keystore protected by ``pwd`` as a printf-style hex string.

    Each output byte is rendered as ``\\xNN`` so the result can be compared
    against the printf literal used in the shell workaround above.
    """
    store = jks.KeyStore.new('jks', [])
    raw = store.saves(pwd)
    escaped = ''.join('\\x{:02x}'.format(byte) for byte in raw)
    print('<%s> %s' % (pwd, escaped))


gen_jks('changeit')
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1926)
    at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1909)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1436)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:329)
    at TestHttps.main(TestHttps.java:8)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
    at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
    at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:330)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:180)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:192)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
    at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
    at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
    at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
    at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098)
    at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
    at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429)
    ... 8 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
    ... 23 more