retitle -1 ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty severity -1 serious thanks
Hello, On Thu, 05 Apr 2018, George B. wrote: > I am getting an error when connecting to HTTPS from java. Looking around > the problem always seems to talk about this package, but please > re-assign if something else is to blame. I confirm the issue. If you have only OpenJDK 9 installed, then the /etc/ssl/certs/java/cacerts file generated by the postinst (or the ca-certificates hook) is not working and will lead to errors like the one you showed. Work-around: $ sudo apt install openjdk-8-jre $ sudo rm /etc/ssl/certs/java/cacerts $ sudo update-ca-certificates --fresh This works because /etc/ca-certificates/update.d/jks-keystore prefers OpenJDK 8 over OpenJDK 9. > Testing with the following code (I don't really know any Java and it's > the first thing I found to test with): > https://gist.github.com/4ndrej/4547029 This was really useful to debug the issue, thank you! My failing java application was much bigger and harder to strace. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/ __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.