Error - trustAnchors parameter must be non-empty
This bizarre message means that the trustStore you specified was:
- empty,
- not found, or
- couldn't be opened
- (due to wrong/missing
trustStorePassword, or - file access permissions, for example).
- (due to wrong/missing
See also @AdamPlumb's answer below.
In Ubuntu 18.04, this error has a different cause (JEP 229, switch from the jks keystore default format to the pkcs12 format, and the Debian cacerts file generation using the default for new files) and workaround:
# Ubuntu 18.04 and various Docker images such as openjdk:9-jdk throw exceptions when# Java applications use SSL and HTTPS, because Java 9 changed a file format, if you# create that file from scratch, like Debian / Ubuntu do.## Before applying, run your application with the Java command line parameter# java -Djavax.net.ssl.trustStorePassword=changeit ...# to verify that this workaround is relevant to your particular issue.## The parameter by itself can be used as a workaround, as well.# 0. First make yourself root with 'sudo bash'.# 1. Save an empty JKS file with the default 'changeit' password for Java cacerts.# Use 'printf' instead of 'echo' for Dockerfile RUN compatibility./usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > /etc/ssl/certs/java/cacerts# 2. Re-add all the CA certs into the previously empty file./var/lib/dpkg/info/ca-certificates-java.postinst configureStatus (2018-08-07), the bug has been fixed in Ubuntu Bionic LTS 18.04.1 and Ubuntu Cosmic 18.10.
🗹 Ubuntu 1770553: [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1)
🗹 Ubuntu 1769013: Please merge ca-certificates-java 20180413 (main) from Debian unstable (main)
🗹 Ubuntu 1739631: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file
🗹 docker-library 145: 9-jdk image has SSL issues
🗹 JDK-8044445 : JEP 229: Create PKCS12 Keystores by Default
🖺 JEP 229: Create PKCS12 Keystores by Default
If the issue continues after this workaround, you might want to make sure that you're actually running the Java distribution you just fixed.
$ which java/usr/bin/javaYou can set the Java alternatives to 'auto' with:
$ sudo update-java-alternatives -aupdate-alternatives: error: no alternatives for mozilla-javaplugin.soYou can double-check the Java version you're executing:
$ java --versionopenjdk 10.0.1 2018-04-17OpenJDK Runtime Environment (build 10.0.1+10-Ubuntu-3ubuntu1)OpenJDK 64-Bit Server VM (build 10.0.1+10-Ubuntu-3ubuntu1, mixed mode)There are alternative workarounds as well, but those have their own side effects which will require extra future maintenance, for no payoff whatsoever.
The next-best workaround is to add the row
javax.net.ssl.trustStorePassword=changeitto the files
/etc/java-9-openjdk/management/management.properties/etc/java-11-openjdk/management/management.propertieswhichever exists.
The third least problematic workaround is to change the value of
keystore.type=pkcs12to
keystore.type=jksin the files
/etc/java-9-openjdk/security/java.security/etc/java-11-openjdk/security/java.securitywhichever exists, and then remove the cacerts file and regenerate it in the manner described on the last row of the workaround script at the top of the post.
This fixed the problem for me on Ubuntu:
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure(found here: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760)
ca-certificates-java is not a dependency in the Oracle JDK/JRE so this must be explicitly installed.