I'm not sure that changing the trust store password, or setting
javax.net.ssl.trustStorePassword by default, is the right way to fix
this. Oracle's JRE contains a keystore with the same password
("changeit") but doesn't require this property to be set.

I noticed that /etc/ssl/certs/java/cacerts in 18.04 is a PKCS12 keystore, whereas the keystore bundled with Oracle's JRE (as well as the cacerts in 17.10) is a JKS keystore:

sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: PKCS12
sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: JKS

If I convert my cacerts file, then things start to work again:

sam@sam-desktop:~$ sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
...
sam@sam-desktop:~$ sudo keytool -importkeystore -destkeystore /etc/ssl/certs/java/cacerts -deststoretype jks -deststorepass changeit -srckeystore /etc/ssl/certs/java/cacerts.old -srcstoretype pkcs12 -srcstorepass changeit
...
sam@sam-desktop:~$ java HttpsTester
Response code: 200

It worked! Not sure why a PKCS12 keystore needs a password but a JKS one doesn't, but maybe whatever is generating /etc/ssl/certs/java/cacerts just needs to be changed to generate JKS keystores again?

--
https://bugs.launchpad.net/bugs/1743139

Title:
  java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
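
The keystore-type check from the message above can also be done without keytool by reading the file header. This is an added example, not part of the original message: it relies on the JKS magic number 0xFEEDFEED and on a PKCS#12 file being an ASN.1 SEQUENCE whose first element is INTEGER 3; the function names and sample bytes are constructed for illustration.

```python
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # first four bytes of a JKS keystore
JCEKS_MAGIC = 0xCECECECE  # first four bytes of a JCEKS keystore


def _der_header(buf, pos):
    """Return (tag, length, value_offset) of the DER/BER element at pos.
    Length is None for the BER indefinite form (0x80)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F
    if n == 0:                            # indefinite length
        return tag, None, pos + 2
    if n > 4 or pos + 2 + n > len(buf):
        raise ValueError("bad length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def keystore_type(data):
    """Classify a keystore from its leading bytes (16 are enough)."""
    if len(data) >= 4:
        (magic,) = struct.unpack(">I", data[:4])
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    try:
        tag, _, pos = _der_header(data, 0)             # outer PFX SEQUENCE
        if tag == 0x30:
            tag, length, pos = _der_header(data, pos)  # version INTEGER
            if tag == 0x02 and length == 1 and data[pos] == 3:
                return "PKCS12"
    except (IndexError, ValueError):
        pass                                           # truncated or not ASN.1
    return "unknown"


# Constructed sample headers, not bytes from any real cacerts file.
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version 2, 0 entries
SAMPLE_PKCS12 = bytes.fromhex("308209a0020103") + b"\x30\x82"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, keystore_type(fh.read(16)))
```

Run as a script, it takes one or more keystore paths, for example /etc/ssl/certs/java/cacerts, and prints the detected type for each.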
