Bug#894979: ca-certificates-java: SSL error: "the trustAnchors parameter must be non-empty"

2018-04-12 Thread Raphael Hertzog
retitle -1 ca-certificates-java: does not work with OpenJDK 9, applications 
fail with InvalidAlgorithmParameterException: the trustAnchors parameter must 
be non-empty
severity -1 serious
thanks

Hello,

On Thu, 05 Apr 2018, George B. wrote:
> I am getting an error when connecting to HTTPS from java. Looking around
> the problem always seems to talk about this package, but please
> re-assign if something else is to blame.

I confirm the issue. If you have only OpenJDK 9 installed, then the
/etc/ssl/certs/java/cacerts file generated by the postinst (or the
ca-certificates hook) is not working and will lead to errors like the one
you showed.

Work-around:
```
$ sudo apt install openjdk-8-jre
$ sudo rm /etc/ssl/certs/java/cacerts
$ sudo update-ca-certificates --fresh
```

This works because /etc/ca-certificates/update.d/jks-keystore prefers
OpenJDK 8 over OpenJDK 9.

> Testing with the following code (I don't really know any Java and it's
> the first thing I found to test with):
> https://gist.github.com/4ndrej/4547029

This was really useful to debug the issue, thank you! My failing java
application was much bigger and harder to strace.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.
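
A way to confirm the diagnosis in the message above without a network connection, as an added example that is not part of the original thread or of the ca-certificates-java package: it counts the trust anchors the JVM's default trust manager sees and the certificate entries in the truststore file. The class name `TrustAnchorCheck` is hypothetical; the default path is the one named in the message.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic class (added example, not from the thread).
public class TrustAnchorCheck {
    // Number of CA certificates the JVM's default trust manager would accept.
    static int defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default truststore
        int n = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                n += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return n;
    }

    // Trusted-certificate entries in a truststore file, or -1 if it cannot be loaded.
    static int fileAnchors(String path) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, null); // null password: the integrity check is skipped
            int n = 0;
            for (String alias : Collections.list(ks.aliases())) {
                if (ks.isCertificateEntry(alias)) n++;
            }
            return n;
        } catch (Exception e) {
            System.err.println("cannot load " + path + ": " + e);
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "/etc/ssl/certs/java/cacerts";
        int jvm = defaultAnchors();
        System.out.println("default keystore type: " + KeyStore.getDefaultType());
        System.out.println("default trust manager anchors: " + jvm);
        System.out.println(path + " certificate entries: " + fileAnchors(path));
        if (jvm == 0) System.exit(1); // non-zero exit so a health check can alert on it
    }
}
```

A count of 0 from the default trust manager is the condition that `PKIXParameters.setTrustAnchors` rejects in the stack trace quoted in the report; running the check before and after the work-around shows whether the regenerated file is being read.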

Bug#894979: ca-certificates-java: SSL error: "the trustAnchors parameter must be non-empty"

2018-04-05 Thread George B.
Package: ca-certificates-java
Version: 20170930
Severity: important

Hello,

I am getting an error when connecting to HTTPS from java. Looking around
the problem always seems to talk about this package, but please
re-assign if something else is to blame.

Testing with the following code (I don't really know any Java and it's
the first thing I found to test with):

https://gist.github.com/4ndrej/4547029

```
borisov@glossy:~ $ java SSLPoke google.com 443
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1969)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1921)
    at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1904)
    at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1830)
    at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
    at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
    at SSLPoke.main(SSLPoke.java:23)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
    at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
    at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:330)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:180)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:192)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
    at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
    at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
    at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
    at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1092)
    at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
    at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
    at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
    at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
    ... 2 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
    ... 18 more
```

I have tried "sudo update-ca-certificates -f" but that did not help.


Thanks,

George

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates-java depends on:
ii  ca-certificates                                  20170717
ii  default-jre-headless [java8-runtime-headless]    2:1.9-63
ii  libnss3                                          2:3.35-2
ii  openjdk-9-jre-headless [java8-runtime-headless]  9.0.4+12-4

ca-certificates-java recommends no packages.

ca-certificates-java suggests no packages.

-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: '/etc/default/cacerts'

-- debconf-show failed
