To comment #5: If what you describe is true, then that is a different bug, somehow. The default cacerts file should be in pkcs12 format, which can't be used by java for some reason. The JKS keystore file can be read, regardless of the keystore type setting in the security file.
However, I am happy about the suggestion to change the keystore.type=jks parameter in the java.security file. Once this change has been made, openjdk-9 can also generate JKS keystores from "udpate-ca-certificates -f" and that is altogether simpler way to recover from this bug than installing JDK 8, let it generate keystore, and then update to JDK 9 that preserves the cacerts in JKS format regardless of the settings of JDK 9. So here are the workaround steps that can be done instead, to fix TLS for Java 9 when the keystore type happens to be PKCS12. 1. edit /etc/java-9-openjdk/security/java.security file. Find the line that says keystore.type = pkcs12 and change that to jks 2. rm /etc/ssl/certs/java/cacerts file 3. run "update-ca-certificates -f" -- You received this bug notification because you are a member of OpenJDK, which is subscribed to ca-certificates-java in Ubuntu. https://bugs.launchpad.net/bugs/1739631 Title: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file Status in ca-certificates-java package in Ubuntu: Confirmed Bug description: I ran into a problem after doing approximately the following on an install of Ubuntu 17.10: sudo apt-get install openjdk-9-jdk maven ca-certificates-java Running "mvn package" on my own project threw this error without downloading anything: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty It seems that all TLS connections fail due to missing trust anchors in Java 9! After some investigation, I discovered that the JDK's lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts, which is provided by ca-certificates-java package. This file appeared to be a PKCS12 file with password "changeit" protecting it. I was able to list its contents using both keytool -list -cacerts and openssl pkcs12 -in cacerts with that password, confirming that the file actually did hold the certificates. Regardless, Java 9 was not able to use the contents of this file for whatever reason. To workaround the issue, I downgraded to openjdk-8-jdk, did rm /etc/ssl/certs/java/cacerts, then did update-ca-certificates -f, then upgraded back to openjdk-9-jdk. The old Java 8 -generated JKS file with empty string as password was usable in the Java 9, permitting mvn and other things to make TLS connections again. The problem can be reintroduced by having java 9 installed and doing rm /etc/ssl/certs/java/cacerts and then update-ca-certificates -f. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: ca-certificates-java 20170930 ProcVersionSignature: Ubuntu 4.13.0-21.24-generic 4.13.13 Uname: Linux 4.13.0-21-generic x86_64 ApportVersion: 2.20.8-0ubuntu5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Thu Dec 21 17:36:05 2017 EcryptfsInUse: Yes InstallationDate: Installed on 2017-12-21 (0 days ago) InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018) PackageArchitecture: all ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=fi_FI.UTF-8 SHELL=/bin/bash SourcePackage: ca-certificates-java UpgradeStatus: Upgraded to bionic on 2017-12-21 (0 days ago) modified.conffile..etc.default.cacerts: [inaccessible: [Errno 13] Lupa evätty: '/etc/default/cacerts'] To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~openjdk Post to : openjdk@lists.launchpad.net Unsubscribe : https://launchpad.net/~openjdk More help : https://help.launchpad.net/ListHelp
