Error - trustAnchors parameter must be non-empty

Question

I m trying to configure my e-mail on Jenkins Hudson  and I constantly receive the error   java security InvalidAlgorithmParameterException  the trustAnchors parameter must be     non-empty   I ve seen a good amount of information online about the error  but I have not gotten any to work  I m using Sun s JDK on Fedora Linux  not OpenJDK    Here are a few things I ve tried  I tried following the advice from this post  but copying the cacerts from Windows over to my Fedora box hosting Jenkins didn t work   I tried following this guide as I m trying to configure Gmail as my SMTP server  but it didn t work either  I also tried to download and move those cacert files manually and move them over to my Java folder using a variation of the commands on this guide   I am open to any suggestions as I m currently stuck right now  I have gotten it to work from a Windows Hudson server  but I am struggling on Linux

User · Answer

For me it was caused by the lack of a trustedCertEntry in the truststore.

To test, use:

keytool -list -keystore keystore.jks

It gives me:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

cert-alias, 31-Jul-2017, PrivateKeyEntry

Even though my PrivateKeyEntry contains a CA it needed to be imported separately:

keytool -import -alias root-ca1 -file rootca.crt -keystore keystore.jks

It imports the certificate, and then re-running keytool -list -keystore keystore.jks now gives:

Your keystore contains 2 entries

cert-alias, 31-Jul-2017, PrivateKeyEntry,
Certificate fingerprint (SHA1):
<fingerprint>
root-ca1, 04-Aug-2017, trustedCertEntry,
Certificate fingerprint (SHA1):
<fingerprint>

Now it has a trustedCertEntry, and Tomcat will start successfully.

User · Answer

I ran  sudo update-ca-certificates -f   to create a certificate file  and then   sudo  var lib dpkg info ca-certificates-java postinst configure    and then change the command line of jar execution   sudo java -cp xx jar lib   co com ixxx clixxxlarxa Main

User · Answer

If you experience this on Ubuntu with JDK9 and Maven  you can add this JVM option - first check if the path exists   -Djavax net ssl trustStore  etc ssl certs java cacerts   If the file is missing  try to install the ca-certificates-java as someone noted   sudo apt install ca-certificates-java

User · Answer

I had this issue when trying to use Maven 3  after upgrading from Ubuntu nbsp 16 04 LTS  Xenial Xerus  to Ubuntu nbsp 18 04 LTS  Bionic Beaver    Checking  usr lib jvm java-8-oracle jre lib security showed that my cacerts file was a symbolic link pointing to  etc ssl certs java cacerts   I also had a file suspiciously named cacerts original   I renamed cacerts original to cacerts  and that fixed the issue

User · Answer

I got the same error when sending emails  but NOT always  In my case I ve changed one line of code to get a new Session object every time   MimeMessage message   new MimeMessage Session getDefaultInstance props  authenticator      to  MimeMessage message   new MimeMessage Session getInstance props  authenticator      Since then sending e-mails works every time   The error I got      javax mail MessagingException  Could not convert socket to TLS        nested exception is      javax net ssl SSLException                   java lang RuntimeException  Unexpected error                          java security InvalidAlgorithmParameterException  the trustAnchors    parameter must be non-empty     at                                    com sun mail smtp SMTPTransport startTLS SMTPTransport java 1907      at    com sun mail smtp SMTPTransport protocolConnect SMTPTransport java 666          at javax mail Service connect Service java 317      at    javax mail Service connect Service java 176      at           javax mail Service connect Service java 125      at           javax mail Transport send0 Transport java 194      at         javax mail Transport send Transport java 124

User · Answer

Fall into this using Amazon SDK v2  Windows 10 and JDK8  Amazon SDK was complaining about credentials loading  I solved this by replacing the security cacert file of JDK8 by the JDK11 one

User · Answer

I ran into this solution from blog post Fixing the trustAnchors problem when running OpenJDK 7 on OS X   Fixing the trustAnchors problem when running OpenJDK 7 on OS nbsp X  If you re running OpenJDK 7 on OS nbsp X and have seen this exception   Unexpected error  java security InvalidAlgorithmParameterException  the trustAnchors     parameter must be non-empty   There s a simple fix  Just link in the same cacerts file that Apple   s JDK 1 6 uses   cd    usr libexec java home -v 1 7  jre lib security ln -fsh  System Library Java Support CoreDeploy bundle Contents Home lib security cacerts   You need to do this for every OpenJDK version you have installed  Just change -v 1 7 to the version you want to fix  Run  usr libexec java home -V to see all the JREs and JDKs you have installed   Perhaps the OpenJDK guys could add this to their install scripts

User · Answer

On Red Hat Linux I got this issue resolved by importing the certificates to  etc pki java cacerts

User · Answer

I expected things like this  being that I use an alternate JVM in my Talend Open Studio  support at the moment exists only until JDK 1 7   I use 8 for security purposes    anyway   Update your certificate store   sudo update-ca-certificates -f    then   add a new value in your initialization parameters  sudo gedit   path to your architecture specific ini i e  TOS DI   ini   Djavax net ssl trustStore  etc ssl certs java cacerts    For me  the second entry worked  I think  depending on the version of Talend Open Studio TEnt   JVM  it has a different parameter name  but it looks for the same keystore file

User · Answer

on ubuntu 14 04 with openjdk 11 from ppa openjdk-r ppa this worked for me   in java security change keystore type to   keystore type jks   then   sudo dpkg --purge --force-depends ca-certificates-java sudo apt-get install ca-certificates-java   when you check if it worked  be sure you are not using any daemon with old java still running  eg  --no-daemon option for gradle   this bug describes everything nicely and will help you understand what s going on https   bugs launchpad net ubuntu  source ca-certificates-java  bug 1739631

User · Answer

For me it got resolved just by upgrading a Jenkins plugin   Email Extension Plugin   to the latest version  2 61    These two plugins are responsible for email configuration in Jenkins    Email Extension Email Extension Template

User · Answer

I also encountered this on OS X after updating OS nbsp X v10 9  Mavericks   when the old Java 6 was being used and tried to access an HTTPS URL  The fix was the inverse of Peter Kriens  I needed to copy the cacerts from the 1 7 space to the location linked by the 1 6 version    as root  umask 022 mkdir -p  System Library Java Support CoreDeploy bundle Contents Home lib security cp    usr libexec java home -v 1 7  jre lib security cacerts        System Library Java Support CoreDeploy bundle Contents Home lib security

User · Answer

You may also encounter this error after upgrading to Spring Boot 1 4 1  or newer  because it brings along Tomcat 8 5 5 as part of its dependencies   The problem is due to the way that Tomcat deals with the trust store  If you happen to have specified your trust store location as the same as your keystore in the Spring Boot configuration  you ll likely get the trustAnchors parameter must be non-empty message when starting the application   server ssl key-store classpath server jks server ssl trust-store classpath server jks   Simply remove the server ssl trust-store configuration unless you know that you need it  in which case consult the links below   The following issues contain more details about the problem    HTTPS Tomcat connector fails to start with 1 4 1  7069 SSL-client-auth with self-signed cert stopped working  7406 Upgrade to Tomcat 8 5 5  6703

User · Answer

Some OpenJDK vendors releases caused this by having an empty cacerts file distributed with the binary  The bug is explained here  https   github com AdoptOpenJDK openjdk-build issues 555  You can copy to adoptOpenJdk8 jre lib security cacerts the file from an old instalation like c  Program Files Java jdk1 8 0 192 jre lib security cacerts   The AdoptOpenJDK buggy version is https   github com AdoptOpenJDK openjdk8-releases releases download jdk8u172-b11 OpenJDK8 x64 Win jdk8u172-b11 zip

User · Answer

On Ubuntu      sudo apt install ca-certificates-java   or     sudo apt-get install ca-certificates-java   sorted it for me

User · Answer

I had the same error  and the problem was not in configuring the JDK  but a simple wrong path to the JKS file in application properties file under trust-store  parameter  double-check if the path is correct

User · Answer

I encountered this problem with the Android SDK sdkmanager  For me this solution worked    Go to  usr lib jvm java-8-oracle jre lib security  Replace cacert with cacert original   The cacert file was a tiny one  22B   I have installed oracle-java8-installer from ppa webupd8team java  according to this manual  https   docs nativescript org start ns-setup-linux

User · Answer

I had this error message on Java 9 0 1 on Linux  It was due to a known bug of the JDK  where the cacerts file is empty in the  tar gz binary package  downloaded from http   jdk java net 9     See the  known issues  paragraph of JDK 9 0 1 Release Notes  saying  TLS does not work by default on OpenJDK 9    On Debian Ubuntu  and probably other derivaties   a simple workaround is to replace the cacerts file with the one from the  ca-certificates-java  package   sudo apt install ca-certificates-java cp  etc ssl certs java cacerts  path to jdk-9 0 1 lib security cacerts   On Red Hat Linux CentOS  you can do the same from the  ca-certificates  package   sudo yum install ca-certificates cp  etc pki java cacerts  path to jdk-9 0 1 lib security cacerts

User · Answer

I m a fan of portability  so I don t install java  just download the tar gz and export some values in the path and everything works  I fought with this issue and no solution  install or update operative systems certs  worked for me  Error in my case was clear  empty cacerts inside my jdk  I don t know why  but my jdk tar gz had an empty cacerts file     some openjdk jre lib security cacerts   32 bytes Downloaded from   https   download java net openjdk jdk8u41 ri openjdk-8u41-b04-linux-x64-14 jan 2020 tar gz https   download java net java GA jdk9 9 binaries openjdk-9 linux-x64 bin tar gz  Fix After several attempts I found a correct jdk tar gz with a cacerts file with size 101 KB I downloaded this open jdk from https   github com AdoptOpenJDK openjdk8-upstream-binaries  https   github com AdoptOpenJDK openjdk8-upstream-binaries releases download jdk8u262-b10 OpenJDK8U-jdk-jfr x64 linux 8u262b10 tar gz  I found this url in this Dockerfile    https   github com docker-library openjdk blob b5d14d9165fad693901c285d6e7bbc36d1cde41f 8 jdk Dockerfile

User · Answer

For the record  none of the answers here worked for me  My Gradle build started failing mysteriously with this error  unable to fetch HEAD from Maven central for a particular POM file   It turned out that I had JAVA HOME set to my own personal build of OpenJDK  which I had built for debugging a javac issue  Setting it back to the JDK installed on my system fixed it

User · Answer

I ve had lot of security issues after upgrading to OS nbsp X v10 9  Mavericks     SSL problem with Amazon AWS Peer not authenticated with Maven and Eclipse trustAnchors parameter must be non-empty   I applied this Java update and it fixed all my issues  http   support apple com kb DL1572 viewlocale en US

User · Answer

EJP basically answered the question  and I realize this has an accepted answer   but I just dealt with this edge-case gotcha and wanted to immortalize my solution   I had the InvalidAlgorithmParameterException error on a hosted Jira server that I had previously set up for SSL-only access  The issue was that I had set up my keystore in the PKCS 12 format  but my truststore was in the JKS format   In my case  I had edited my server xml file to specify the keystoreType to PKCS  but I did not specify the truststoreType  so it defaults to whatever the keystoreType is  Specifying the truststoreType explicitly as JKS solved it for me

User · Answer

On Ubuntu 18 04 I needed to use OpenJDK 1 7 for the maintenance of an old project  I downloaded the binary package  But when I executed my script on it I got the same error   The solution was to remove the cacerts file of the downloaded JDK in the jre lib security folder and then to create it as symlink to the systems cacerts file in  etc ssl certs java    sudo ln -s  etc ssl certs java cacerts  path to downloaded java jre lib security cacerts

User · Answer

Removing the ca-certificates-java package and installing it again worked for me  Ubuntu MATE 17 10  Artful Aardvark     sudo dpkg --purge --force-depends ca-certificates-java  sudo apt-get install ca-certificates-java   Thank you  jdstrand  Comment 1 for bug 983302  Re  ca-certificates-java fails to install Java cacerts on Oneiric Ocelot

User · Answer

In Ubuntu nbsp 12 10  Quantal Quetzal  or later  the certificates are held in the ca-certificates-java package  Using -Djavax net ssl trustStore  etc ssl certs java cacerts will pick them up regardless of what JDK you re using

User · Answer

In Ubuntu 18 04  this error has a different cause  JEP 229  switch from the jks keystore default format to the pkcs12 format  and the Debian cacerts file generation using the default for new files  and workaround     Ubuntu 18 04 and various Docker images such as openjdk 9-jdk throw exceptions when   Java applications use SSL and HTTPS  because Java 9 changed a file format  if you   create that file from scratch  like Debian   Ubuntu do      Before applying  run your application with the Java command line parameter    java -Djavax net ssl trustStorePassword changeit       to verify that this workaround is relevant to your particular issue      The parameter by itself can be used as a workaround  as well     0  First make yourself root with  sudo bash      1  Save an empty JKS file with the default  changeit  password for Java cacerts       Use  printf  instead of  echo  for Dockerfile RUN compatibility   usr bin printf   xfe xed xfe xed x00 x00 x00 x02 x00 x00 x00 x00 xe2 x68 x6e x45 xfb x43 xdf xa4 xd9 x92 xdd x41 xce xb6 xb2 x1c x63 x30 xd7 x92   gt   etc ssl certs java cacerts    2  Re-add all the CA certs into the previously empty file   var lib dpkg info ca-certificates-java postinst configure     Status  2018-08-07   the bug has been fixed in Ubuntu Bionic LTS 18 04 1 and Ubuntu Cosmic 18 10       Ubuntu 1770553   SRU  backport ca-certificates-java from cosmic  20180413ubuntu1    Ubuntu 1769013  Please merge ca-certificates-java 20180413  main  from Debian unstable  main    Ubuntu 1739631  Fresh install with JDK 9 can t use the generated PKCS12 cacerts keystore file   docker-library 145  9-jdk image has SSL issues   Debian 894979  ca-certificates-java  does not work with OpenJDK 9  applications fail with InvalidAlgorithmParameterException  the trustAnchors parameter must be non-empty   JDK-8044445   JEP 229  Create PKCS12 Keystores by Default   JEP 229  Create PKCS12 Keystores by Default    If the issue continues after this workaround  you might want to make sure that you re actually running the Java distribution you just fixed     which java  usr bin java   You can set the Java alternatives to  auto  with     sudo update-java-alternatives -a update-alternatives  error  no alternatives for mozilla-javaplugin so   You can double-check the Java version you re executing     java --version openjdk 10 0 1 2018-04-17 OpenJDK Runtime Environment  build 10 0 1 10-Ubuntu-3ubuntu1  OpenJDK 64-Bit Server VM  build 10 0 1 10-Ubuntu-3ubuntu1  mixed mode      There are alternative workarounds as well  but those have their own side effects which will require extra future maintenance  for no payoff whatsoever   The next-best workaround is to add the row  javax net ssl trustStorePassword changeit   to the files   etc java-9-openjdk management management properties  etc java-11-openjdk management management properties   whichever exists   The third least problematic workaround is to change the value of  keystore type pkcs12   to   keystore type jks   in the files    etc java-9-openjdk security java security  etc java-11-openjdk security java security   whichever exists  and then remove the cacerts file and regenerate it in the manner described on the last row of the workaround script at the top of the post

User · Answer

Actually you only need to execute   sudo chmod  x   gradlew   It works for me   And if it is too slow  you can execute     gradlew clean build   Why so many negative votes

User · Answer

System setProperty  javax net ssl trustStore    C   Users  user-id  Desktop  tomcat  cacerts    System setProperty  javax net ssl trustStorePassword    passwd      You have to add the above two lines to your code  It is not able to find the truststore

User · Answer

You must add the cert file to your java keystore Go to chrom   open the website   save the certificate in txt format  Go to cmd  keytool -import -trustcacerts -keystore  JAVA HOME jre lib security cacerts -storepass changeit -alias Root -import -file Trustedcaroot txt  https   knowledge digicert com solution SO4085 html  This has worked like a charm

User · Answer

I ran into this exact problem on OS X  using JDK 1 7  after upgrading to OS nbsp X v10 9  Mavericks   The fix that worked for me was to simply reinstall the Apple version of Java  available at http   support apple com kb DL1572

User · Answer

I found yet another reason for this error  which is not related to Ubuntu   I tried setting up mutual TLS in a Spring boot 2 app and ran into this issue after using a truststore that had only a private key entry and no trusted certificate entry    This is my Spring Boot TLS configuration  server port 8443 server ssl key-alias oba-tls server ssl key-password mypw server ssl key-store-password mypw server ssl key-store classpath keys tls-keystore pfx server ssl key-store-type PKCS12 server ssl enabled true server ssl client-auth need  server ssl trust-store classpath keys truststore pfx server ssl trust-store-password mypw server ssl trust-store-type PKCS12 server ssl ciphers ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 server ssl protocol TLS server ssl enabled-protocols TLSv1 2   For generating truststore pfx I had to use the following commands to make it work   openssl req -newkey rsa 2048 -nodes -keyout private key -x509 -out cert crt  keytool -importcert -alias oba-trust -file cert crt -keystore truststore jks  keytool -importkeystore -srckeystore truststore jks -destkeystore truststore pfx -srcstoretype JKS - deststoretype PKCS12 -deststorepass yourpassword

User · Answer

This fixed the problem for me on Ubuntu   sudo  var lib dpkg info ca-certificates-java postinst configure    found here  https   bugs launchpad net ubuntu  source ca-certificates-java  bug 1396760   ca-certificates-java is not a dependency in the Oracle JDK JRE so this must be explicitly installed

User · Answer

I faced this problem while running a particular suite of Android for testing on Ubuntu nbsp 14 04  Trusty Tahr   Two things worked for me as suggested by shaheen   sudo update-ca-certificates -f  sudo  var lib dpkg info ca-certificates-java postinst configure

User · Answer

On Ubuntu 18 04 the root cause is a conflict between openjdk-11-jdk  which is default  and other packages depending on it  It has already been fixed in Debian and will be included in Ubuntu shortly  Meanwhile the simplest workaround is to demote your java to version 8  Other solutions employing ca-certificates-java are much more complicated   First remove conflicting packages   sudo apt-get remove --purge openjdk  java-common default-jdk sudo apt-get autoremove --purge   Check whether you successfully removed all related packages by   sudo update-alternatives --config java   The system shall prompt you there is no Java available to config  otherwise this workaround fails   Then reinstall required packages   sudo apt-get install openjdk-8-jdk

User · Answer

I ran  sudo update-ca-certificates -f   to create a certificate file  and then   sudo  var lib dpkg info ca-certificates-java postinst configure   I was back in business  thanks guys  It is a pity it s not included in the installation  but I got there in the end

User · Answer

This bizarre message means that the trustStore you specified was   empty  not found  or couldn t be opened   due to wrong missing trustStorePassword  or file access permissions  for example      See also  AdamPlumb s answer below

User · Answer

I got this error when using a truststore which was exported using a IBM Websphere JDK keytool in  PKCS12 format and trying to communicate over SSL using that file on an Oracle JRE   My solution was to run on an IBM JRE or convert the truststore to JKS using an IBM Websphere keytool  so I was able to run it in an Oracle JRE

User · Answer

For my case I didn t had specified VM Arguments fully    Run Configurations    gt   under Apache Tomcat  any server  gt   x   Arguments  gt  VM arguments    Make sure all VM Arguments are set tup correctly

User · Answer

None of solutions that I found on the Internet worked  but a modified version of Peter Kriens s answer seems to do the job   First find your Java folder by running  usr libexec java home  For me it was the 1 6 0 jdk version  Then go to its lib security subfolder  for me  Library Java JavaVirtualMachines 1 6 0 jdk Contents Home lib security    Then delete the cacerts file if there is one already and search for one on the system with sudo find   -name  cacerts   It found multiple items for me  in versions of Xcode or other applications that I had installed  but also at  Library Internet Plug-Ins JavaAppletPlugin plugin Contents Home lib security cacerts which I chose   Use that file and make a symbolic link to it  while inside the Java folder from before   sudo ln -fsh   Library Internet Plug-Ins JavaAppletPlugin plugin Contents Home lib security cacerts   and it should work   I have both - Java from Apple s 2017-001 download  https   support apple com kb dl1572 - I assume that s where the correct certificates are from  and Oracle s one installed on Mac OS X v10 12  Sierra

User · Answer

Another reason for this is it s actually a valid error  Some nefarious Wi-Fi hotspots will mess with certificates and man-in-the-middle attack you to do who knows what  run away     Some large employers will do this same trick  especially in sensitive network zones so they can monitor all the encrypted traffic  not great from end user perspective  but there may be good reasons for this

User · Answer

In my case the JKS file used in the client application was corrupted  I created a new one and imported the destination server SSL certificates in it  Then I used the new JKS file in the client application as a trust store  like   System setProperty  javax net ssl trustStore  path to your cacerts file     Source  Java SSL and certificate keystore  I use the  KeyStore Explorer  tool to create the new JKS  You can download it from this link  KeyStore Explorer

User · Answer

Marquis of Lorne s answer is accurate  I m adding some info for debugging purposes  To debug this issue  I wrote about it with more details in here  and understand what truststore is being used  or trying to use  you can add the property javax net debug all and then filter the logs about truststore  You can also play with the property javax net ssl trustStore to specify a specific truststore  For example        java -Djavax net debug all -Djavax net ssl trustStore  Another path to cacerts -jar test get https-0 0 1-SNAPSHOT-jar-with-dependencies jar https   www calca com py 2 gt  amp 1  grep -i truststore

User · Answer

The error tells that the system cannot find the truststore in the path provided with the parameter javax net ssl trustStore  Under Windows I copied the cacerts file from jre lib security into the Eclipse install directory  same place as the eclipse ini file  and added the following settings in eclipse ini  -Djavax net ssl trustStore cacerts -Djavax net ssl trustStorePassword changeit -Djavax net ssl trustStoreType JKS  I had some troubles with the path to the cacerts  the  java home  environment variable is somehow overwritten   so I used this trivial solution  The idea is to provide a valid path to the truststore file - ideally it would be to use a relative one  You may also use an absolute path  To make sure the store type is JKS  you would run the following command  keytool -list -keystore cacerts  Keystore type  JKS Keystore provider  SUN  Note  because certificates have expiration dates  or can become invalid for other reasons  do check from time to time if the certificates in cacerts are still valid  You would usually find the valid versions of the certificates in the latest builds of jdk

User · Answer

Slim chance this will help anyone but    for anyone running Java 8 from a Docker Image on a Raspberry Pi  using AMD CPU  I got the following Dockerfile to build and run successfully for me  FROM hypriot rpi-java USER root  WORKDIR  usr build   RUN  usr bin printf   xfe xed xfe xed x00 x00 x00 x02 x00 x00 x00 x00 xe2 x68 x6e x45 xfb x43 xdf xa4 xd9 x92 xdd x41 xce xb6 xb2 x1c x63 x30 xd7 x92   gt   etc ssl certs java cacerts RUN update-ca-certificates -f RUN  var lib dpkg info ca-certificates-java postinst configure  EXPOSE 8080  ARG JAR FILE target app-0 0 1-SNAPSHOT jar  ADD   JAR FILE  app jar  ENTRYPOINT   java    -Djavax net ssl trustStorePassword changeit    -Djavax net ssl trustStore  etc ssl certs java cacerts    -jar    app jar

User · Answer

I have faced with the issue while importing a Gradle project in IntelliJ IDEA 14  A solution was using a local copy of Gradle instead of a wrapper from the project directory

[java] Error - trustAnchors parameter must be non-empty

Examples related to java

Examples related to hudson

Examples related to jakarta-mail

Examples related to jenkins