Re: [Q] 9.1 amd64 openJDK11 error on certificates
Found a workaround for this problem. I am guessing that, perhaps, not many people are using JDK 11 on NetBSD 9.x.

It presents itself any time an HTTPS URL is used. So gradle, maven, any program that uses network classes that rely on the HTTPS protocol would see this.

-- script start --
# ts1000: workaround to fix cacert store for OpenJDK 11 on NetBSD 9.1
# this workaround just reimports existing certificates in $JAVA_HOME/lib/security/cacerts
# into a JKS format store, and then just replaces the cacerts with the JKS version
# must be done as root
# also assuming keytool is in the $PATH
# that is: we have export JAVA_HOME=/usr/pkg/java/openjdk11
# and export PATH=${PATH}:${JAVA_HOME}/bin
cd /usr/pkg/java/openjdk11/lib/security
keytool -importkeystore -srckeystore /usr/pkg/java/openjdk11/lib/security/cacerts -destkeystore /usr/pkg/java/openjdk
mv cacerts cacerts.org
ln -s cacerts.jks cacerts
-- script end --

A similar problem was with Docker. I picked up a solution from there:
https://github.com/docker-library/openjdk/pull/263/files

I also updated the gnats issue report with the workaround:
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=55758

On 2020-10-24 21:00, ts1000 wrote:
>Hello,
>I have a java project organized by Gradle.
>First thing that gradle does, is it downloads dependencies.
>
>But that first step is not working on netBSD-9.1 amd64
>I tried with pkgin, as well as building openjdk11 from source.
>Error is the same.
>I also installed, with pkgin,
>ca-certificates-20200601
>mozilla-rootcerts-1.0.20200529nb1
>
>But that did not help.
>
>Would appreciate any pointers on where to look
>
>The error I am getting is:
>-- begin --
>nbsd1$ bash gradlew
>Downloading https://services.gradle.org/distributions/gradle-6.5.1-all.zip
>
>Exception in thread "main" javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
>    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
>    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
>    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
>    at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1576)
>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:453)
>    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
>    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
>    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
>    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
>    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
>    at org.gradle.wrapper.Download.downloadInternal(Download.java:67)
>    at org.gradle.wrapper.Download.download(Download.java:52)
>    at org.gradle.wrapper.Install$1.call(Install.java:62)
>    at org.gradle.wrapper.Install$1.call(Install.java:48)
>    at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
>    at org.gradle.wrapper.Install.createDist(Install.java:48)
>    at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
>    at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:62)
>Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
>    at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
>    at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
>    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
>    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
>    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
>    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
>    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
>    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
>    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>    at
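The conversion this message describes, written out as an added shell example (not the poster's script): the destination name cacerts.jks and the -deststoretype JKS option are assumptions taken from the script's comments and its ln -s line, and the store password changeit is the one used elsewhere in this thread. It identifies the store format by its leading bytes and refuses to swap the file unless the entry count survives the conversion.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions are marked ASSUMED.
SECDIR=${SECDIR:-/usr/pkg/java/openjdk11/lib/security}  # path from the thread
STOREPASS=${STOREPASS:-changeit}                        # password from the thread

# Print the container format of a keystore, judged by its leading bytes.
keystore_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;      # JKS magic number 0xFEEDFEED
        cececece) echo JCEKS ;;    # JCEKS magic number 0xCECECECE
        30*)      echo PKCS12 ;;   # DER SEQUENCE tag, as a PKCS#12 file starts
        *)        echo unknown ;;
    esac
}

# Count trustedCertEntry lines in a store; needs keytool in PATH.
count_trusted() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null |
        grep -c trustedCertEntry || true
}

# Re-import cacerts into a JKS store, verify it, then swap it in.
convert_cacerts() {
    cd "$SECDIR" || return 1
    if [ "$(keystore_format cacerts)" != PKCS12 ]; then
        echo "cacerts is not PKCS12, nothing to do"
        return 0
    fi
    before=$(count_trusted cacerts)
    # ASSUMED: destination name cacerts.jks and -deststoretype JKS
    keytool -importkeystore -noprompt \
        -srckeystore cacerts -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore cacerts.jks -deststoretype JKS \
        -deststorepass "$STOREPASS" || return 1
    after=$(count_trusted cacerts.jks)
    # Refuse to swap in a store that is empty, lost entries, or is not JKS.
    if [ "$after" -gt 0 ] && [ "$before" = "$after" ] &&
       [ "$(keystore_format cacerts.jks)" = JKS ]; then
        mv cacerts cacerts.org && ln -s cacerts.jks cacerts
    else
        echo "conversion check failed: $before entries before, $after after" >&2
        return 1
    fi
}

# Run the conversion only when asked to (as root): sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then convert_cacerts; fi
```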
Re: [Q] 9.1 amd64 openJDK11 error on certificates
I have logged an issue ( https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=55758 ) on this.

However, would appreciate if somebody could help with guidance on this.

I had found a cacerts file in the openjdk directory and it seems to contain entries (see below), but it is not clear what I need to do so that gradle and anything else that's trying to use https in openJDK11 would work.

---
nbsd1# pwd
/usr/pkg/java/openjdk11/lib/security
nbsd1# keytool -list -keystore cacerts -storepass changeit | more
Warning: use -cacerts option to access cacerts keystore
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 146 entries

mozilla-rootcert-0, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
mozilla-rootcert-1, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
mozilla-rootcert-10, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): A0:23:4F:3B:C8:52:7C:A5:62:8E:EC:81:AD:5D:69:89:5D:A5:68:0D:C9:1D:1C:B8:47:7F:33:F8:78:B9:5B:0B
mozilla-rootcert-100, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
mozilla-rootcert-101, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 3C:4F:B0:B9:5A:B8:B3:00:32:F4:32:B8:6F:53:5F:E1:72:C1:85:D0:FD:39:86:58:37:CF:36:18:7F:A6:F4:28
mozilla-rootcert-102, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A
mozilla-rootcert-103, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 5D:56:49:9B:E4:D2:E0:8B:CF:CA:D0:8A:3E:38:72:3D:50:50:3B:DE:70:69:48:E4:2F:55:60:30:19:E5:28:AE
mozilla-rootcert-104, Oct 30, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 30:D0:89:5A:9A:44:8A:26:20:91:63:55:22:D1:F5:20:10:B5:86:7A:CA:E1:2C:78:EF:95:8F:D4:F4:38:9F:2F
--More--(byte 1565)

On 2020-10-25 18:26, ts1000 wrote:
>Thank you for the followups.
>I do not think I am clear on what I need to do to fix it.
>
>Is there a specific package that I could install with pkgin or from pkgsrc that could fix this?
>
>I have made my dev environment work with OpenJDK11 on OpenBSD, FreeBSD as well as others. But in those, there were no additional steps needed.
>So I am just not very familiar with this niche of setting up certificates for a jdk installation.
>
>Thank you in advance for any guidance.
>
>On 2020-10-25 09:43, Mike Pumford wrote:
>>On 25/10/2020 07:56, Michael van Elst wrote:
>>>ts1...@rad2know.net (ts1000) writes:
>>>
>>>>But that first step is not working on netBSD-9.1 amd64
>>>>I tried with pkgin, as well as building openjdk11 from source.
>>>>Error is the same.
>>>>I also installed, with pkgin,
>>>>ca-certificates-20200601
>>>>mozilla-rootcerts-1.0.20200529nb1
>>>
>>>The mozilla certificates aren't used by Java. You probably have to
>>>import them with keytool or similar.
>>
>>That's true they are not. Java 8 builds its own cert store when it builds. Looking at my Java 11 pkgsrc build from last week it appears to import the mozilla root certs into its keystore as part of the build process. However at the end of the build process the openjdk8 package installs the certificate in the install phase but the openjdk11 package does not!
>>
>>Now I know that some NetBSD people are against auto cert install but given the pain of doing it for java it should probably be at least a package option and in the absence of an option it seems to me that mimicking openjdk8 and installing the certs is a good idea. I'd be strongly against not installing the certs on openjdk8 as that would mean I'd have to manually fix that up every time I did a package update.
>>
>>Mike
Re: [Q] 9.1 amd64 openJDK11 error on certificates
Thank you for the followups.
I do not think I am clear on what I need to do to fix it.

Is there a specific package that I could install with pkgin or from pkgsrc that could fix this?

I have made my dev environment work with OpenJDK11 on OpenBSD, FreeBSD as well as others. But in those, there were no additional steps needed.
So I am just not very familiar with this niche of setting up certificates for a jdk installation.

Thank you in advance for any guidance.

On 2020-10-25 09:43, Mike Pumford wrote:
>On 25/10/2020 07:56, Michael van Elst wrote:
>>ts1...@rad2know.net (ts1000) writes:
>>
>>>But that first step is not working on netBSD-9.1 amd64
>>>I tried with pkgin, as well as building openjdk11 from source.
>>>Error is the same.
>>>I also installed, with pkgin,
>>>ca-certificates-20200601
>>>mozilla-rootcerts-1.0.20200529nb1
>>
>>The mozilla certificates aren't used by Java. You probably have to
>>import them with keytool or similar.
>
>That's true they are not. Java 8 builds its own cert store when it builds. Looking at my Java 11 pkgsrc build from last week it appears to import the mozilla root certs into its keystore as part of the build process. However at the end of the build process the openjdk8 package installs the certificate in the install phase but the openjdk11 package does not!
>
>Now I know that some NetBSD people are against auto cert install but given the pain of doing it for java it should probably be at least a package option and in the absence of an option it seems to me that mimicking openjdk8 and installing the certs is a good idea. I'd be strongly against not installing the certs on openjdk8 as that would mean I'd have to manually fix that up every time I did a package update.
>
>Mike
Re: [Q] 9.1 amd64 openJDK11 error on certificates
On 25/10/2020 07:56, Michael van Elst wrote:
>ts1...@rad2know.net (ts1000) writes:
>
>>But that first step is not working on netBSD-9.1 amd64
>>I tried with pkgin, as well as building openjdk11 from source.
>>Error is the same.
>>I also installed, with pkgin,
>>ca-certificates-20200601
>>mozilla-rootcerts-1.0.20200529nb1
>
>The mozilla certificates aren't used by Java. You probably have to
>import them with keytool or similar.

That's true they are not. Java 8 builds its own cert store when it builds. Looking at my Java 11 pkgsrc build from last week it appears to import the mozilla root certs into its keystore as part of the build process. However at the end of the build process the openjdk8 package installs the certificate in the install phase but the openjdk11 package does not!

Now I know that some NetBSD people are against auto cert install but given the pain of doing it for java it should probably be at least a package option and in the absence of an option it seems to me that mimicking openjdk8 and installing the certs is a good idea. I'd be strongly against not installing the certs on openjdk8 as that would mean I'd have to manually fix that up every time I did a package update.

Mike
Re: [Q] 9.1 amd64 openJDK11 error on certificates
ts1...@rad2know.net (ts1000) writes:

>But that first step is not working on netBSD-9.1 amd64
>I tried with pkgin, as well as building openjdk11 from source.
>Error is the same.
>I also installed, with pkgin,
>ca-certificates-20200601
>mozilla-rootcerts-1.0.20200529nb1

The mozilla certificates aren't used by Java. You probably have to
import them with keytool or similar.

-- 
--
Michael van Elst
Internet: mlel...@serpens.de
"A potential Snark may lurk in every tree."
[Q] 9.1 amd64 openJDK11 error on certificates
Hello,
I have a java project organized by Gradle.
First thing that gradle does, is it downloads dependencies.

But that first step is not working on netBSD-9.1 amd64
I tried with pkgin, as well as building openjdk11 from source.
Error is the same.
I also installed, with pkgin,
ca-certificates-20200601
mozilla-rootcerts-1.0.20200529nb1

But that did not help.

Would appreciate any pointers on where to look

The error I am getting is:
-- begin --
nbsd1$ bash gradlew
Downloading https://services.gradle.org/distributions/gradle-6.5.1-all.zip

Exception in thread "main" javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1576)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:453)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
    at org.gradle.wrapper.Download.downloadInternal(Download.java:67)
    at org.gradle.wrapper.Download.download(Download.java:52)
    at org.gradle.wrapper.Install$1.call(Install.java:62)
    at org.gradle.wrapper.Install$1.call(Install.java:48)
    at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
    at org.gradle.wrapper.Install.createDist(Install.java:48)
    at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
    at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:62)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
    at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
    at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    ... 14 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
    ... 30 more
nbsd1$
-- end --

java env:
nbsd1$ java --version
openjdk 11.0.8-internal 2020-07-14
OpenJDK Runtime Environment (build