openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #12807
[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file
While it may be so that OpenJDK ships with empty certificates file, this
is not sufficient to explain the issue, or consistent with the bug
report I made. Quoting from the original bug report: "I discovered that
the JDK's lib/security/cacerts is a symlink to
/etc/ssl/certs/java/cacerts, which is provided by ca-certificates-java
package".
This symlink exists, and it is the one used by JDK. The issue was that
JDK9 is unable to read the contents of PKCS12-formatted keystore file,
but is able to read its old JKS keystore file. In both cases, the files
do contain certificates.
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1739631
Title:
Fresh install with JDK 9 can't use the generated PKCS12 cacerts
keystore file
Status in ca-certificates-java package in Ubuntu:
Confirmed
Bug description:
I ran into a problem after doing approximately the following on an
install of Ubuntu 17.10:
sudo apt-get install openjdk-9-jdk maven ca-certificates-java
Running "mvn package" on my own project threw this error without
downloading anything:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
It seems that all TLS connections fail due to missing trust anchors in
Java 9!
After some investigation, I discovered that the JDK's
lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts,
which is provided by ca-certificates-java package. This file appeared
to be a PKCS12 file with password "changeit" protecting it. I was able
to list its contents using both keytool -list -cacerts and openssl
pkcs12 -in cacerts with that password, confirming that the file
actually did hold the certificates. Regardless, Java 9 was not able to
use the contents of this file for whatever reason.
To workaround the issue, I downgraded to openjdk-8-jdk, did rm
/etc/ssl/certs/java/cacerts, then did update-ca-certificates -f, then
upgraded back to openjdk-9-jdk. The old Java 8 -generated JKS file
with empty string as password was usable in the Java 9, permitting mvn
and other things to make TLS connections again.
The problem can be reintroduced by having java 9 installed and doing
rm /etc/ssl/certs/java/cacerts and then update-ca-certificates -f.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: ca-certificates-java 20170930
ProcVersionSignature: Ubuntu 4.13.0-21.24-generic 4.13.13
Uname: Linux 4.13.0-21-generic x86_64
ApportVersion: 2.20.8-0ubuntu5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Dec 21 17:36:05 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-12-21 (0 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018)
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=fi_FI.UTF-8
SHELL=/bin/bash
SourcePackage: ca-certificates-java
UpgradeStatus: Upgraded to bionic on 2017-12-21 (0 days ago)
modified.conffile..etc.default.cacerts: [inaccessible: [Errno 13] Lupa evätty: '/etc/default/cacerts']
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions
References