17.10 openjdk and oracle jdk 8 and 9 the trustAnchors parameter must be non-empty

Question

I've just installed 17.10 in a fresh VM. Trying to set up a development environment, when I run gradle or ./gradlew I get the following error:

* What went wrong:
Error resolving plugin [id: 'com.github.johnrengelman.shadow', version: '2.0.0']
> Could not GET 'https://plugins.gradle.org/api/gradle/4.0/plugin/use/com.github.johnrengelman.shadow/2.0.0'.
   > java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

This is irrespective of gradle version, java version (both openjdk and oracle 8 and 9 have the fault) and shadowjar version. This leads me to the conclusion that it is Ubuntu related rather than gradle/openjdk/oracle related.

I've tried updating the CA certificates, both sudo update-ca-certificates -f and sudo apt install ca-certificates-java --reinstall, neither of which solves the problem. I even reverted to the tried and tested turn it off and on again technique with no affect.

What's the problem and how do I fix it?

Answer 1

I reinstalled everything using apt-get and that didn't solve the problem.

The solution that I found to work: Go to Oracle and download the tar.gz version of jdk-8. Then copy the cacerts file from that into /etc/ssl/certs/java/cacerts

Answer 2

I ran into this issue as well when trying to set up scala build tool (sbt) on my fresh 17.10 installation.

My solution was to purge:

sudo apt purge openjdk-9-jdk openjdk-8-jdk java-common

(Just purging and reinstalling the jdk was not enough, I still had a java command after that. Only by purging java-common that also went away and then reinstallation worked. I assume it relates to the ca-certificates-java* package, that gets purged by java-common.)

Afterwards, I reinstalled java again (I opted only for openjdk-9):

sudo apt install openjdk-9-jdk

This triggered: Running hooks in /etc/ca-certificates/update.d... and added a lot of cert files. Now my sbt built was succesful:

$ sbt
Getting org.scala-sbt sbt 1.1.0  (this may take some time)...
downloading https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.1.0/sbt-1.1.0.jar ...
    [SUCCESSFUL ] org.scala-sbt#sbt;1.1.0!sbt.jar (657ms)
downloading https://repo1.maven.org/maven2/org/scala-sbt/main_2.12/1.1.0/main_2.12-1.1.0.jar
...  

Answer 3

I have reinstalled everything from scratch again and this problem has disappeared. All I did differently was install openjdk-8-jdk prior to installing openjdk-9-jdk.

It works. Are there any weird dependency issues?

Answer 4

I copied a /etc/ssl/certs/java/cacerts file from a backup of an older installation. If you have something like that it's probably the easiest option. Just make sure to backup the original cacerts file in case you run into trouble with other applications.

Answer 5

Oracle changed the format of the cacerts file (from JKS to PKCS12).

The default included JDK in Ubuntu already uses the PKCS12 algorithm; but, you are probably using an older JDK that is not able to read it.

I converted my keystore file to JKS using the keytool. That's why the workaround to copy an older one works for other people, and why your accepted answer works as well.