ChatGPT解决这个技术问题 Extra ChatGPT

Error - trustAnchors parameter must be non-empty

I'm trying to configure my e-mail on Jenkins/Hudson, and I constantly receive the error: 

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be
    non-empty

I've seen a good amount of information online about the error, but I have not gotten any to work. I'm using Sun's JDK on Fedora Linux (not OpenJDK).

Here are a few things I've tried. I tried following the advice from this post, but copying the cacerts from Windows over to my Fedora box hosting Jenkins didn't work. I tried following this guide as I'm trying to configure Gmail as my SMTP server, but it didn't work either. I also tried to download and move those cacert files manually and move them over to my Java folder using a variation of the commands on this guide.

I am open to any suggestions as I'm currently stuck right now. I have gotten it to work from a Windows Hudson server, but I am struggling on Linux.

I don;t know if this helps but I have had this happen in DBeaver and just had to fix it, which apparently also uses java as its nightmare of choice. There were 3 options in driver configuration: Require SSL, Verify Server Certificate, Allow Public Key retrieval. When I uncheck Verify Server Certificate the connection succeeds, prior it was giving this same error for any but a root connection to mysql 8.0.

u
user7610

This bizarre message means that the trustStore you specified was:

empty,

not found, or

couldn't be opened (due to wrong/missing trustStorePassword, or file access permissions, for example).

(due to wrong/missing trustStorePassword, or

file access permissions, for example).

See also @AdamPlumb's answer below.

The answer was with how I was importing it. I seemed to have missed a crucial step. See [Java Error InvalidAlgorithmParameterException][1] [1]: jyotirbhandari.blogspot.com/2011/09/…
Confirmed this answer is correct. I was getting the error under Tomcat. I had my truststore in ${CATALINA_HOME}\conf but CATALINA_HOME was not getting set so Tomcat was looking under \conf for the truststore.
@BubblewareTechnology No, the error was in the filename, not in how you imported the certificate into the file. Your blog isn't correct. You also shouldn't be recommending modifying the JRE$/ cacerts file. It will change next Java upgrade. You need a process that copies it, adds your own certificate to the copy, and uses the copy as the truststore. Repeat every Java upgrade. And you don't need to tell Java about its own truststore at all, only about your own, if it's different.
I'll add a twist: even when the truststore exists, is accessible, is in the right format, if it is COMPLETELY EMPTY, that's the error you can get with various libraries (including Apache HttpClient).
btw this happens e.g. when switching from OracleJDK8 to OpenJDK8 since OpenJDK comes with an empty trust store. Copying the one from OpenJDK11 fixes the problem
M
Mikael Gueck

In Ubuntu 18.04, this error has a different cause (JEP 229, switch from the jks keystore default format to the pkcs12 format, and the Debian cacerts file generation using the default for new files) and workaround: 

# Ubuntu 18.04 and various Docker images such as openjdk:9-jdk throw exceptions when
# Java applications use SSL and HTTPS, because Java 9 changed a file format, if you
# create that file from scratch, like Debian / Ubuntu do.
#
# Before applying, run your application with the Java command line parameter
#  java -Djavax.net.ssl.trustStorePassword=changeit ...
# to verify that this workaround is relevant to your particular issue.
#
# The parameter by itself can be used as a workaround, as well.

# 0. First make yourself root with 'sudo bash'.

# 1. Save an empty JKS file with the default 'changeit' password for Java cacerts.
#    Use 'printf' instead of 'echo' for Dockerfile RUN compatibility.
/usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > /etc/ssl/certs/java/cacerts

# 2. Re-add all the CA certs into the previously empty file.
/var/lib/dpkg/info/ca-certificates-java.postinst configure

Status (2018-08-07), the bug has been fixed in Ubuntu Bionic LTS 18.04.1 and Ubuntu Cosmic 18.10.

🗹 Ubuntu 1770553: [SRU] backport ca-certificates-java from cosmic (20180413ubuntu1)

🗹 Ubuntu 1769013: Please merge ca-certificates-java 20180413 (main) from Debian unstable (main)

🗹 Ubuntu 1739631: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

🗹 docker-library 145: 9-jdk image has SSL issues

🗹 Debian 894979: ca-certificates-java: does not work with OpenJDK 9, applications fail with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

🗹 JDK-8044445 : JEP 229: Create PKCS12 Keystores by Default

🖺 JEP 229: Create PKCS12 Keystores by Default

If the issue continues after this workaround, you might want to make sure that you're actually running the Java distribution you just fixed. 

$ which java
/usr/bin/java

You can set the Java alternatives to 'auto' with: 

$ sudo update-java-alternatives -a
update-alternatives: error: no alternatives for mozilla-javaplugin.so

You can double-check the Java version you're executing: 

$ java --version
openjdk 10.0.1 2018-04-17
OpenJDK Runtime Environment (build 10.0.1+10-Ubuntu-3ubuntu1)
OpenJDK 64-Bit Server VM (build 10.0.1+10-Ubuntu-3ubuntu1, mixed mode)

There are alternative workarounds as well, but those have their own side effects which will require extra future maintenance, for no payoff whatsoever.

The next-best workaround is to add the row 

javax.net.ssl.trustStorePassword=changeit

to the files 

/etc/java-9-openjdk/management/management.properties
/etc/java-11-openjdk/management/management.properties

whichever exists.

The third least problematic workaround is to change the value of 

keystore.type=pkcs12

to 

keystore.type=jks

in the files 

/etc/java-9-openjdk/security/java.security
/etc/java-11-openjdk/security/java.security

whichever exists, and then remove the cacerts file and regenerate it in the manner described on the last row of the workaround script at the top of the post.

Ubuntu 18 users, read this! this will save many hours of your life! Thank you!
This answer helped me to fix same error with maven on Ubuntu 18.04. I had to change owner of /etc/ssl/certs/java/cacerts file from root to myself to be able write to it. Then I switched it back.
I ran sudo rm /etc/ssl/certs/java/cacerts and then sudo update-ca-certificates -f and this fixed my issue in kubuntu 18.04.
@jsn , thanks for the solutions , works on linux mint 19 as well which is based on ubuntu 18.04
@jsn's solution also worked for Debian Stretch + openjdk8
A
Archimedes Trajano

This fixed the problem for me on Ubuntu: 

sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure

(found here: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760)

ca-certificates-java is not a dependency in the Oracle JDK/JRE so this must be explicitly installed.

Thanks, this fixed the issue for me when I ran into it on Ubuntu 15.04.
Worked on Raspbian on Raspberry Pi
Ran into this issue with Debian jesse stable backports with OpenJDK8 and this fixed the issue. Was using this while building Docker images. :)
Doesn't work on Ubuntu MATE 18.04, sadly. I will try reinstalling Java.
@codefx - I've done what you suggest and it doesn't work - on Ubuntu 18.x with Java 10 (default).
m
muttonUp

On Ubuntu 18.04 the root cause is a conflict between openjdk-11-jdk (which is default) and other packages depending on it. It has already been fixed in Debian and will be included in Ubuntu shortly. Meanwhile the simplest workaround is to demote your java to version 8. Other solutions employing ca-certificates-java are much more complicated.

First remove conflicting packages: 

sudo apt-get remove --purge openjdk* java-common default-jdk
sudo apt-get autoremove --purge

Check whether you successfully removed all related packages by: 

sudo update-alternatives --config java

The system shall prompt you there is no Java available to config, otherwise this workaround fails.

Then reinstall required packages: 

sudo apt-get install openjdk-8-jdk
This description is factually incorrect, and only fixes the problem in the same sense as reinstalling Windows might fix an issue. There is no need to remove all Java packages. If you want to go this way, you only need to install the openjdk-8-jdk package, remove the /etc/ssl/certs/java/cacerts file, and run sudo update-ca-certificates -f which is the roundabout way of switching from a pkcs12 formatted cacerts file to a jks formatted one, as described elsewhere in this thread.
@MikaelGueck While the logic seems to be on your side, I'm here to assure you I previously did exactly what's described in your comment and in the most other voted answers, and in 18.04 this is the only answer which worked. I think your downvote should turn into an upvote, or at least vanish, since it's highly undeserved.
@AndreaLigios, you can read through the scripts yourself, they are pretty short. They have a hardcoded set of JAVA_HOME paths from 8 to 10, they try those one at a time, they call the Debian CA file generator which you can also read through, which uses the existing file format, because the JDK keyfile handler code, which you can read through, has a compatibility fallback mode. If your computer runs this simple software differently, you might have other problems with it. Did you modify your java alternatives, and call some other JVM, because then removing might have reset the alternatives?
@MikaelGueck yes, in one of the previous tries I've modified my java alternatives, so it probably was that. I'm the first who likes to dig into source code and find how stuff works, but this today was not my goal, it was just one among 5-6 different unexpected obstacles I had in the way to my real goal. This answer allowed me to solve the problem in less than 2 minutes! How much time should I have put to look into scripts and find a better solution? And for what, to save some megabytes? This is drastic, but works (and no matter what the problem is), so a big thank to OP for those busy as hell
I have been looking for a solution for 2 days, and your answer solved my issue, thanks. I just move to Kubuntu 18.04, this worked on it.
Y
Yuri

EJP basically answered the question (and I realize this has an accepted answer), but I just dealt with this edge-case gotcha and wanted to immortalize my solution.

I had the InvalidAlgorithmParameterException error on a hosted Jira server that I had previously set up for SSL-only access. The issue was that I had set up my keystore in the PKCS#12 format, but my truststore was in the JKS format.

In my case, I had edited my server.xml file to specify the keystoreType to PKCS, but I did not specify the truststoreType, so it defaults to whatever the keystoreType is. Specifying the truststoreType explicitly as JKS solved it for me.

well, I help you immortalizing solution to your edge-case gotcha. that's where it gets interesting.
This was exactly my problem. I was using Spring Boot 1.4.2.RELEASE, and had a hardware keystore and software truststore. I specified the provider and type for the keystore, but not the truststore. As a result, the wrong provider and type were used by the truststore. Specifying those (SUN and JKS) solved the issue.
how exactly did you do this? (windows here)
Run into this with my Android grandle today, i almost understand what you say but you don't say how to solve it. Non helpable answer
in my case I had a trusttore generated by jdk 14 keytool, defaults to pkcs format, trying to connect to kafka cluster that is using a jks keystore. I amend how I created the truststore to use switch -storetype jks and it resolved it
P
Peter Mortensen

I ran into this solution from blog post Fixing the trustAnchors problem when running OpenJDK 7 on OS X:

Fixing the trustAnchors problem when running OpenJDK 7 on OS X. If you're running OpenJDK 7 on OS X and have seen this exception: 

Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors
    parameter must be non-empty

There's a simple fix. Just link in the same cacerts file that Apple’s JDK 1.6 uses: 

cd $(/usr/libexec/java_home -v 1.7)/jre/lib/security
ln -fsh /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts

You need to do this for every OpenJDK version you have installed. Just change -v 1.7 to the version you want to fix. Run /usr/libexec/java_home -V to see all the JREs and JDKs you have installed.

Perhaps the OpenJDK guys could add this to their install scripts.

My "ln" command (on OSX 10.6.8) doesn't have an "h" option; what is it meant to do?
Ah, I had two "ln" commands, one in /usr/bin (the default) and one in /bin; the latter had an "h" option and worked.
I fixed my broken 1.6 installation linking to cacerts from the system 1.8 installation with this ln technique. Thanks!
For future readers: it seems that you also need the other 3 files that are in the security folder (blacklisted.certs, local_policy.jar, and US_export_policy.jar) for Java to be happy.
@Peter Kriens, why linked to cacerts under jre directory?
P
Peter Mortensen

In Ubuntu 12.10 (Quantal Quetzal) or later, the certificates are held in the ca-certificates-java package. Using -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts will pick them up regardless of what JDK you're using.

I found I needed to run update-ca-certificates -f manually, to populate the cacerts file
@Portablejim Thanks. Your comment solved the first issue I hit building Apache Spark on Ubuntu 15.04beta.
Thanks you @Portablejim, your comment worked for me on Ubuntu 15.04.
Thanks. This is fixed my problem with PhpStrom + patched JDK. I wrote this key into "phpstorm64.vmoptions" file.
Not working for me in ubuntu 18.04 and JDK is 1.8.0_62
P
Peter Mortensen

I ran into this exact problem on OS X, using JDK 1.7, after upgrading to OS X v10.9 (Mavericks). The fix that worked for me was to simply reinstall the Apple version of Java, available at http://support.apple.com/kb/DL1572.

I encountered this with Java 6 used by Grails on OSX. I also had Java 7 from Oracle installed and also upgraded to Mavericks. Re-installing Java 6 from Apple website also fixed the issue for me.
Ran into this when installing open jdk 6 onto an ubuntu cloud box. Nice to see a familiar face, BTW
P
Peter Mortensen

I ran 

sudo update-ca-certificates -f

to create a certificate file, and then: 

sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure

I was back in business, thanks guys. It is a pity it's not included in the installation, but I got there in the end.

When I run sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure** I get sudo: /var/lib/dpkg/info/ca-certificates-java.postinst: command not found
Just sudo update-ca-certificates -f is enough on Debian jessie with openjdk-8-jre-headless from jessie-backports, as long as ca-certificates-java is installed. I think order of installation matters (JRE after ca-certificates-java may cause this, as the latter doesn’t have any triggers for the backported Java 8).
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure without stars **
update-ca-certificates -f is the thing that fixed it. I didn't need the 2nd command
r
razvanone

The error tells that the system cannot find the truststore in the path provided with the parameter javax.net.ssl.trustStore.

Under Windows I copied the cacerts file from jre/lib/security into the Eclipse install directory (same place as the eclipse.ini file) and added the following settings in eclipse.ini: 

-Djavax.net.ssl.trustStore=cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.trustStoreType=JKS

I had some troubles with the path to the cacerts (the %java_home% environment variable is somehow overwritten), so I used this trivial solution.

The idea is to provide a valid path to the truststore file - ideally it would be to use a relative one. You may also use an absolute path.

To make sure the store type is JKS, you would run the following command: 

keytool -list -keystore cacerts

Keystore type: JKS
Keystore provider: SUN

Note: because certificates have expiration dates, or can become invalid for other reasons, do check from time to time if the certificates in cacerts are still valid. You would usually find the valid versions of the certificates in the latest builds of jdk.

This is the only answer that actually worked. Thanks @razvanone
I managed to hit one small "gotcha": The three lines in the eclipse.ini file must be on actual three separate lines. I initially put all of them on one line and eclipse did not pick that up.
I managed to fix this error that occurred even though all there JVM args were set. When inspected the path to the cacerts.jks was not correct in my eclipse.ini file. So even wrong jks path can generate this error. Fixing to correct jks path solved the error
P
Peter Mortensen

Removing the ca-certificates-java package and installing it again worked for me (Ubuntu MATE 17.10 (Artful Aardvark)). 

sudo dpkg --purge --force-depends ca-certificates-java

sudo apt-get install ca-certificates-java

Thank you, jdstrand: Comment 1 for bug 983302, Re: ca-certificates-java fails to install Java cacerts on Oneiric Ocelot.

Y
Yuri

Some OpenJDK vendors releases caused this by having an empty cacerts file distributed with the binary. The bug is explained here: https://github.com/AdoptOpenJDK/openjdk-build/issues/555

You can copy to adoptOpenJdk8\jre\lib\security\cacerts the file from an old instalation like c:\Program Files\Java\jdk1.8.0_192\jre\lib\security\cacerts.

The AdoptOpenJDK buggy version is https://github.com/AdoptOpenJDK/openjdk8-releases/releases/download/jdk8u172-b11/OpenJDK8_x64_Win_jdk8u172-b11.zip

I think this was the case for me as well. In AdoptOpenJDK 202 this bug is present, and in 222 it works. So update your jdk if possible.
Thanks. You truly saved my day.
m
muttonUp

For me it was caused by the lack of a trustedCertEntry in the truststore.

To test, use: 

keytool -list -keystore keystore.jks

It gives me: 

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

cert-alias, 31-Jul-2017, PrivateKeyEntry

Even though my PrivateKeyEntry contains a CA it needed to be imported separately: 

keytool -import -alias root-ca1 -file rootca.crt -keystore keystore.jks

It imports the certificate, and then re-running keytool -list -keystore keystore.jks now gives: 

Your keystore contains 2 entries

cert-alias, 31-Jul-2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): <fingerprint>

root-ca1, 04-Aug-2017, trustedCertEntry,
Certificate fingerprint (SHA1): <fingerprint>

Now it has a trustedCertEntry, and Tomcat will start successfully.

NB check baeldung tutorial with a useful Makefile as shortcut to creating keystore & truststore (spring-security-x509 project) baeldung.com/x-509-authentication-in-spring-security
P
Peter Mortensen

I've had lot of security issues after upgrading to OS X v10.9 (Mavericks):

SSL problem with Amazon AWS

Peer not authenticated with Maven and Eclipse

trustAnchors parameter must be non-empty

I applied this Java update and it fixed all my issues: http://support.apple.com/kb/DL1572?viewlocale=en_US

Ugh. Java 6 is many years past its end of public support, and is surely riddled with security holes. Apple makes it available for download so that older software that cannot be run with Java 7/8 can continue to execute, but it should not be used for making SSL connections to services on the public internet, such as 1. AWS, 2. Maven Central, 3. anything else.
P
Peter Mortensen

I expected things like this, being that I use an alternate JVM in my Talend Open Studio (support at the moment exists only until JDK 1.7). I use 8 for security purposes... anyway

Update your certificate store: sudo update-ca-certificates -f

then

add a new value in your initialization parameters sudo gedit $(path to your architecture specific ini i.e. TOS_DI...ini) Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts

For me, the second entry worked. I think, depending on the version of Talend Open Studio/TEnt + JVM, it has a different parameter name, but it looks for the same keystore file.

Where did you get the property javax.net.ssl.trustAnchors from? It isn't mentioned in the JSSE documentation.
d
dmatej

If you experience this on Ubuntu with JDK9 and Maven, you can add this JVM option - first check if the path exists: 

-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts

If the file is missing, try to install the ca-certificates-java as someone noted: 

sudo apt install ca-certificates-java
If you use docker then you may also try "maven:3-jdk-9-slim" image instead of "maven:3-jdk-9"
Thanks, this worked for me for openjdk-8-jdk in ubuntu 18.04
P
Peter Mortensen

I had this error message on Java 9.0.1 on Linux. It was due to a known bug of the JDK, where the cacerts file is empty in the .tar.gz binary package (downloaded from http://jdk.java.net/9/).

See the "known issues" paragraph of JDK 9.0.1 Release Notes, saying "TLS does not work by default on OpenJDK 9".

On Debian/Ubuntu (and probably other derivaties), a simple workaround is to replace the cacerts file with the one from the "ca-certificates-java" package: 

sudo apt install ca-certificates-java
cp /etc/ssl/certs/java/cacerts /path/to/jdk-9.0.1/lib/security/cacerts

On Red Hat Linux/CentOS, you can do the same from the "ca-certificates" package: 

sudo yum install ca-certificates
cp /etc/pki/java/cacerts /path/to/jdk-9.0.1/lib/security/cacerts
P
Peter Mortensen

In my case the JKS file used in the client application was corrupted. I created a new one and imported the destination server SSL certificates in it. Then I used the new JKS file in the client application as a trust store, like: 

System.setProperty("javax.net.ssl.trustStore",path_to_your_cacerts_file);

Source: Java SSL and certificate keystore

I use the (KeyStore Explorer) tool to create the new JKS. You can download it from this link, KeyStore Explorer.

keystore-explorer did the work for me. You just have to create default keystore and examine and save the certificate file for the site/host.
For some unknown reason on windows OpenJDK11, OracleJDK 11 i had to do the same, did it on the parameters: "-Djavax.net.ssl.trustStore=%JAVA_HOME%\lib\security\cacerts"
P
Peter Mortensen

You may also encounter this error after upgrading to Spring Boot 1.4.1 (or newer) because it brings along Tomcat 8.5.5 as part of its dependencies.

The problem is due to the way that Tomcat deals with the trust store. If you happen to have specified your trust store location as the same as your keystore in the Spring Boot configuration, you'll likely get the trustAnchors parameter must be non-empty message when starting the application. 

server.ssl.key-store=classpath:server.jks
server.ssl.trust-store=classpath:server.jks

Simply remove the server.ssl.trust-store configuration unless you know that you need it, in which case consult the links below.

The following issues contain more details about the problem:

HTTPS Tomcat connector fails to start with 1.4.1 #7069

SSL-client-auth with self-signed cert stopped working #7406

Upgrade to Tomcat 8.5.5 #6703

This solution saved my life today, Thank you soo much.
J
JRichardsz

I'm a fan of portability, so I don't install java, just download the tar.gz and export some values in the path and everything works.

I fought with this issue and no solution (install or update operative systems certs) worked for me.

Error in my case was: empty cacerts inside my jdk.

I don't know why, but my jdk.tar.gz had an empty cacerts file

/../some_openjdk/jre/lib/security/cacerts size: 32 bytes

Downloaded from:

https://download.java.net/openjdk/jdk8u41/ri/openjdk-8u41-b04-linux-x64-14_jan_2020.tar.gz

https://download.java.net/java/GA/jdk9/9/binaries/openjdk-9_linux-x64_bin.tar.gz

Fix

After several attempts I found a correct jdk.tar.gz with a cacerts file with size 101 KB

I downloaded this open jdk from https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries

https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/releases/download/jdk8u262-b10/OpenJDK8U-jdk-jfr_x64_linux_8u262b10.tar.gz

I found this url in this Dockerfile :

https://github.com/docker-library/openjdk/blob/b5d14d9165fad693901c285d6e7bbc36d1cde41f/8/jdk/Dockerfile

for the same issue my cacert had 0 entries , so having the right cacerts resolved my issue
P
Peter Mortensen

I had this issue when trying to use Maven 3, after upgrading from Ubuntu 16.04 LTS (Xenial Xerus) to Ubuntu 18.04 LTS (Bionic Beaver).

Checking /usr/lib/jvm/java-8-oracle/jre/lib/security showed that my cacerts file was a symbolic link pointing to /etc/ssl/certs/java/cacerts.

I also had a file suspiciously named cacerts.original.

I renamed cacerts.original to cacerts, and that fixed the issue.

The cacerts.original file was in the jks format, and was generated with Ubuntu 16.04's Java 8, which used that format as its default. The cacerts file was in the pkcs12 format, generated by Ubuntu 18.04's Java 10, which uses this format as its default. As explained elsewhere in this thread, the new format requires you to pass the password to the executable. But as long as you either generate a new empty jks cacerts file or copy an old one, the next cacerts generation process will empty the existing file out, and refill it with the CA certificates from the file system.
P
Peter Mortensen

I also encountered this on OS X after updating OS X v10.9 (Mavericks), when the old Java 6 was being used and tried to access an HTTPS URL. The fix was the inverse of Peter Kriens; I needed to copy the cacerts from the 1.7 space to the location linked by the 1.6 version: 

(as root)
umask 022
mkdir -p /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security
cp $(/usr/libexec/java_home -v 1.7)/jre/lib/security/cacerts \
    /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security
The command here tries to copy a directory to a file; makes no sense at all.
I concur with the assessment of using a reverse solution. I found that jdk1.6 had a broken softlink /Library/Java/JavaVirtualMachines/1.6.0_33-b03-424.jdk/Contents/Home/lib/security/cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts. So I rm'ed the broken soft link, then copied over the cacerts from the jdk1.7 installation.
NOTE: when you are done you should be able to cat the cacerts file that you copied to validate the permissions.
Also, fixed the cp to go the right direction and added the umask for mkdir and cp.
Y
Yuri

I encountered this problem with the Android SDK sdkmanager. For me this solution worked:

Go to /usr/lib/jvm/java-8-oracle/jre/lib/security/ Replace cacert with cacert.original

The cacert file was a tiny one (22B). I have installed oracle-java8-installer from ppa:webupd8team/java (according to this manual: https://docs.nativescript.org/start/ns-setup-linux).

G
Gus Calca

Marquis of Lorne's answer is accurate, I'm adding some info for debugging purposes:

To debug this issue (I wrote about it with more details in here) and understand what truststore is being used (or trying to use) you can add the property javax.net.debug=all and then filter the logs about truststore. You can also play with the property javax.net.ssl.trustStore to specify a specific truststore. For example : 


    java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/Another/path/to/cacerts -jar test_get_https-0.0.1-SNAPSHOT-jar-with-dependencies.jar https://www.calca.com.py 2>&1| grep -i truststore
P
Peter Mortensen

On Red Hat Linux I got this issue resolved by importing the certificates to /etc/pki/java/cacerts.

P
Peter Mortensen 
System.setProperty("javax.net.ssl.trustStore", "C:\\Users\\user-id\\Desktop\\tomcat\\cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "passwd");

You have to add the above two lines to your code. It is not able to find the truststore.

If you don't, it will use the JRE truststore, and it will certainly be able to find that. The error is caused by incorrect values in these parameters, not their absence. The file named in your code only applies to your installation, not generally.
The proper way to set those properties are by passing them on the command line: java -Djavax.net.ssl.trustStore=/tmp/cacerts ... or if you want to set them globally for all programs run with a JDK, add the row to the JDK's management.properties file.
P
Peter Mortensen

For the record, none of the answers here worked for me. My Gradle build started failing mysteriously with this error, unable to fetch HEAD from Maven central for a particular POM file.

It turned out that I had JAVA_HOME set to my own personal build of OpenJDK, which I had built for debugging a javac issue. Setting it back to the JDK installed on my system fixed it.

... which caused the truststore not to be found, as per other answers.
Yeah, but knowing that the truststore can't be found is entirely unhelpful if you do can't figure out why it's not being found. There are many many possible ways it can go wrong, and it's frustating when none of them happen to be the particular way that it is failing for your own system.
They all 'happen' to be the same error: the truststore specified could not be opened or was empty. There are a million ways in which this situation could arise, and there isn't enough space on SO to enumerate them all.
M
Mike

On Ubuntu 18.04 I needed to use OpenJDK 1.7 for the maintenance of an old project. I downloaded the binary package. But when I executed my script on it I got the same error.

The solution was to remove the cacerts file of the downloaded JDK in the jre/lib/security folder and then to create it as symlink to the systems cacerts file in /etc/ssl/certs/java/:

sudo ln -s /etc/ssl/certs/java/cacerts /path/to/downloaded/java/jre/lib/security/cacerts

C
Christian Bartram

Slim chance this will help anyone but....for anyone running Java 8 from a Docker Image on a Raspberry Pi (using AMD CPU) I got the following Dockerfile to build and run successfully for me 

FROM hypriot/rpi-java
USER root

WORKDIR /usr/build/

RUN /usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > /etc/ssl/certs/java/cacerts
RUN update-ca-certificates -f
RUN /var/lib/dpkg/info/ca-certificates-java.postinst configure

EXPOSE 8080

ARG JAR_FILE=target/app-0.0.1-SNAPSHOT.jar

ADD ${JAR_FILE} app.jar

ENTRYPOINT ["java", "-Djavax.net.ssl.trustStorePassword=changeit", "-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts", "-jar", "app.jar"]
P
Peter Mortensen

I faced this problem while running a particular suite of Android for testing on Ubuntu 14.04 (Trusty Tahr). Two things worked for me as suggested by shaheen: 

sudo update-ca-certificates -f

sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure

关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable.

简体中文 English

Platform

Support

Contact US

Any questions or suggestions during use, you can contact us in the following ways:

Email: huntsbot@xinbeitime.com

Copyright© 2022-2023 www.huntsbot.com 浙ICP备2022000860号-4 All Rights Reserved.