Error - trustAnchors parameter must be non-empty

java jenkins jakarta-mail hudson

I'm trying to configure my e-mail on Jenkins/Hudson, and I constantly receive the error:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be
    non-empty

I've seen a good amount of information online about the error, but I have not gotten any to work. I'm using Sun's JDK on Fedora Linux (not OpenJDK).

Here are a few things I've tried. I tried following the advice from this post, but copying the cacerts from Windows over to my Fedora box hosting Jenkins didn't work. I tried following this guide as I'm trying to configure Gmail as my SMTP server, but it didn't work either. I also tried to download and move those cacert files manually and move them over to my Java folder using a variation of the commands on this guide.

I am open to any suggestions as I'm currently stuck right now. I have gotten it to work from a Windows Hudson server, but I am struggling on Linux.


Solution 1:

This bizarre message means that the trustStore you specified was:

  • empty,
  • not found, or
  • couldn't be opened
    • (due to wrong/missing trustStorePassword, or
    • file access permissions, for example).

See also @AdamPlumb's answer below.

Solution 2:

In Ubuntu 18.04, this error has a different cause (JEP 229, switch from the jks keystore default format to the pkcs12 format, and the Debian cacerts file generation using the default for new files) and workaround:

# Ubuntu 18.04 and various Docker images such as openjdk:9-jdk throw exceptions when
# Java applications use SSL and HTTPS, because Java 9 changed a file format, if you
# create that file from scratch, like Debian / Ubuntu do.
#
# Before applying, run your application with the Java command line parameter
#  java -Djavax.net.ssl.trustStorePassword=changeit ...
# to verify that this workaround is relevant to your particular issue.
#
# The parameter by itself can be used as a workaround, as well.

# 0. First make yourself root with 'sudo bash'.

# 1. Save an empty JKS file with the default 'changeit' password for Java cacerts.
#    Use 'printf' instead of 'echo' for Dockerfile RUN compatibility.
/usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > /etc/ssl/certs/java/cacerts

# 2. Re-add all the CA certs into the previously empty file.
/var/lib/dpkg/info/ca-certificates-java.postinst configure

Status (2018-08-07), the bug has been fixed in Ubuntu Bionic LTS 18.04.1 and Ubuntu Cosmic 18.10.

🗹 Ubuntu 1770553: [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1)

🗹 Ubuntu 1769013: Please merge ca-certificates-java 20180413 (main) from Debian unstable (main)

🗹 Ubuntu 1739631: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

🗹 docker-library 145: 9-jdk image has SSL issues

🗹 Debian 894979: ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

🗹 JDK-8044445 : JEP 229: Create PKCS12 Keystores by Default

🖺 JEP 229: Create PKCS12 Keystores by Default

If the issue continues after this workaround, you might want to make sure that you're actually running the Java distribution you just fixed.

$ which java
/usr/bin/java

You can set the Java alternatives to 'auto' with:

$ sudo update-java-alternatives -a
update-alternatives: error: no alternatives for mozilla-javaplugin.so

You can double-check the Java version you're executing:

$ java --version
openjdk 10.0.1 2018-04-17
OpenJDK Runtime Environment (build 10.0.1+10-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 10.0.1+10-Ubuntu-3ubuntu1, mixed mode)

There are alternative workarounds as well, but those have their own side effects which will require extra future maintenance, for no payoff whatsoever.

The next-best workaround is to add the row

javax.net.ssl.trustStorePassword=changeit

to the files

/etc/java-9-openjdk/management/management.properties
/etc/java-11-openjdk/management/management.properties

whichever exists.

The third least problematic workaround is to change the value of

keystore.type=pkcs12

to 

keystore.type=jks

in the files 

/etc/java-9-openjdk/security/java.security
/etc/java-11-openjdk/security/java.security

whichever exists, and then remove the cacerts file and regenerate it in the manner described on the last row of the workaround script at the top of the post.

Related

CSS technique for a horizontal line with words in the middle
Triggering change detection manually in Angular
File Upload using AngularJS
Computational complexity of Fibonacci Sequence
Changing the "tick frequency" on x or y axis in matplotlib
Difference between \n and \r?
Using explicitly numbered repetition instead of question mark, star and plus
Error message "Strict standards: Only variables should be passed by reference"
EF: Include with where clause [duplicate]
Using JFreeChart to display recent changes in a time series
How do I read a string entered by the user in C?
MySQL pivot table query with dynamic columns