openjdk team mailing list archive

Thread
Date

[Bug 1739631] Re: Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Brian Murray <brian@xxxxxxxxxx>
Date: Tue, 19 Jun 2018 16:58:57 -0000
Reply-to: Bug 1739631 <1739631@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: ca-certificates-java (Ubuntu Bionic)
    Milestone: None => ubuntu-18.04.1

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/1739631

Title:
  Fresh install with JDK 9 can't use the generated PKCS12 cacerts
  keystore file

Status in ca-certificates-java package in Ubuntu:
  Fix Released
Status in ca-certificates-java source package in Bionic:
  Triaged
Status in ca-certificates-java package in Debian:
  Fix Released

Bug description:
  I ran into a problem after doing approximately the following on an
  install of Ubuntu 17.10:

  sudo apt-get install openjdk-9-jdk maven ca-certificates-java

  Running "mvn package" on my own project threw this error without
  downloading anything:

  java.security.InvalidAlgorithmParameterException: the trustAnchors
  parameter must be non-empty

  It seems that all TLS connections fail due to missing trust anchors in
  Java 9!

  After some investigation, I discovered that the JDK's
  lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts,
  which is provided by ca-certificates-java package. This file appeared
  to be a PKCS12 file with password "changeit" protecting it. I was able
  to list its contents using both keytool -list -cacerts and openssl
  pkcs12 -in cacerts with that password, confirming that the file
  actually did hold the certificates. Regardless, Java 9 was not able to
  use the contents of this file for whatever reason.

  To workaround the issue, I downgraded to openjdk-8-jdk, did rm
  /etc/ssl/certs/java/cacerts, then did update-ca-certificates -f, then
  upgraded back to openjdk-9-jdk. The old Java 8 -generated JKS file
  with empty string as password was usable in the Java 9, permitting mvn
  and other things to make TLS connections again.

  The problem can be reintroduced by having java 9 installed and doing
  rm /etc/ssl/certs/java/cacerts and then update-ca-certificates -f.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: ca-certificates-java 20170930
  ProcVersionSignature: Ubuntu 4.13.0-21.24-generic 4.13.13
  Uname: Linux 4.13.0-21-generic x86_64
  ApportVersion: 2.20.8-0ubuntu5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Dec 21 17:36:05 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2017-12-21 (0 days ago)
  InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018)
  PackageArchitecture: all
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=fi_FI.UTF-8
   SHELL=/bin/bash
  SourcePackage: ca-certificates-java
  UpgradeStatus: Upgraded to bionic on 2017-12-21 (0 days ago)
  modified.conffile..etc.default.cacerts: [inaccessible: [Errno 13] Lupa evätty: '/etc/default/cacerts']

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1739631/+subscriptions

References

[Bug 1739631] [NEW] Fresh install with JDK 9 can't use the generated PKCS12 cacerts keystore file
From: Antti S. Lankila, 2017-12-21