Summary
I am moving my configuration from a Windows machine to an Amazon AWS EC2 instance that runs Linux.
The problem arises (in my case at least) when I try to open a connection over SSL. It works fine on my Windows machine, but when I deploy it to the Linux machine (with Sun’s JRE installed) it fails with the exception:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
The question is: why is this failing on Linux and working on Windows?
Let’s find out!
My setup
A Windows server on which it works okay
On my Windows machine, it works well. But on my Linux machine, it fails with the above exception.
An AWS EC2 Linux instance
The Linux instance is built from an Amazon AMI. I have installed Sun's Java on it.
What I have tried
Compare the truststores in Windows and Linux
The problem is that the default truststore of the JRE is empty for some reason (size of only 32 bytes, whereas it is 80kb on Windows).
Copied the cacerts from Windows to Linux
When I copied my jre/lib/security/cacerts file from Windows to Linux, it worked fine.
The solution
As I mentioned in a previous post about trustanchors, I needed in this case to update my cacerts.
I followed the steps on this post.
The idea is that the path inside my Ubuntu server, /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts, was a broken link to /etc/ssl/certs/java/cacerts.
That led me to this bug: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/983302
The README for ca-certificates-java eventually showed the actual fix:
update-ca-certificates -f
Then run this command:
apt-get install ca-certificates-java
But for my case, it didn’t work. It just marked it as manually installed.
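A quick way to tell the two failure states in this post apart (a dangling cacerts symlink versus an empty truststore) before reinstalling anything. This is an added example, not part of the original post; the function name check_cacerts and its output labels are made up for illustration, and it only understands the JKS format, so a PKCS12 truststore is reported as not-jks.

```shell
#!/bin/sh
# Added example: classify a JRE truststore file.
# Prints one of: broken-symlink, missing, not-jks, empty-jks, jks:<entries>
check_cacerts() {
    ks=$1
    # A symlink whose target does not exist (the Ubuntu case in this post)
    if [ -L "$ks" ] && [ ! -e "$ks" ]; then
        echo "broken-symlink"; return 1
    fi
    if [ ! -f "$ks" ]; then
        echo "missing"; return 1
    fi
    # JKS header: 4-byte magic FEEDFEED, 4-byte version,
    # 4-byte big-endian entry count. Read it as 24 hex digits.
    header=$(od -An -tx1 -N12 "$ks" | tr -d ' \n')
    case $header in
        feedfeed????????????????) ;;
        *) echo "not-jks"; return 2 ;;
    esac
    hex=$(printf '%s' "$header" | cut -c17-24)
    count=$((0x$hex))
    if [ "$count" -eq 0 ]; then
        # A JKS with zero entries matches the 32-byte file described in the post
        echo "empty-jks"; return 1
    fi
    echo "jks:$count"
}

# Default path is the one from this post; pass another path as $1.
check_cacerts "${1:-/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts}" || true
```

Either broken-symlink or empty-jks means the JVM has no trust anchors to load, which is what produces the exception above.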
Note: For those users who run bazel and come across this error message, just remember to set your $JAVA_HOME to the correct location. I had a previous situation with CATALINA_HOME in the post about trustanchors parameters. Check the solution out.