retitle -1 ca-certificates-java: does not work with OpenJDK 9, applications 
fail with InvalidAlgorithmParameterException: the trustAnchors parameter must 
be non-empty
severity -1 serious


On Thu, 05 Apr 2018, George B. wrote:
> I am getting an error when connecting to HTTPS from java. Looking around
> the problem always seems to talk about this package, but please
> re-assign if something else is to blame.

I confirm the issue. If you have only OpenJDK 9 installed, then the
/etc/ssl/certs/java/cacerts file generated by the postinst (or the
ca-certificates hook) is not working and will lead to errors like the one
you showed.

$ sudo apt install openjdk-8-jre
$ sudo rm /etc/ssl/certs/java/cacerts
$ sudo update-ca-certificates --fresh

This works because /etc/ca-certificates/update.d/jks-keystore prefers
OpenJDK 8 over OpenJDK 9.

> Testing with the following code (I don't really know any Java and it's
> the first thing I found to test with):

This was really useful to debug the issue, thank you! My failing java
application was much bigger and harder to strace.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS:
Learn to master Debian:

This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to