NetBSD Problem Report #55758
From www@netbsd.org Tue Oct 27 19:31:17 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id B89C81A9239
for <gnats-bugs@gnats.NetBSD.org>; Tue, 27 Oct 2020 19:31:17 +0000 (UTC)
Message-Id: <20201027193116.3B03B1A923A@mollari.NetBSD.org>
Date: Tue, 27 Oct 2020 19:31:16 +0000 (UTC)
From: ts1000@rad2know.net
Reply-To: ts1000@rad2know.net
To: gnats-bugs@NetBSD.org
Subject: OpenJDK11 does not work after installation
X-Send-Pr-Version: www-1.0
>Number: 55758
>Category: pkg
>Synopsis: OpenJDK11 does not work after installation
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Oct 27 19:35:00 +0000 2020
>Last-Modified: Mon Jul 19 02:00:02 +0000 2021
>Originator: ts1000
>Release: NetBSD 91 amd64. OpenJdk build 11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1
>Organization:
>Environment:
NetBSD nbsd1 9.1 NetBSD 9.1 (GENERIC) #0: Sun Oct 18 19:24:30 UTC 2020 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
---
nbsd1$ java --version
openjdk 11.0.8-internal 2020-07-14
OpenJDK Runtime Environment (build 11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1)
OpenJDK 64-Bit Server VM (build 11.0.8-internal+0-adhoc.pkgsrc.openjdk-jdk11u-jdk-11.0.8-10-1, mixed mode)
nbsd1$
>Description:
I have mentioned this problem on the netbsd-users mailing list:
https://mail-index.netbsd.org/netbsd-users/2020/10/25/msg025957.html
Any Java code that relies on https will cause this error, because the OpenJDK distribution does not include (or does not correctly point to) certificates.
In my specific case I am just running gradlew (a wrapper to build a Gradle-based project):
$ gradlew
Downloading https://services.gradle.org/distributions/gradle-6.5.1-all.zip
Exception in thread "main" javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1576)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:453)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
at org.gradle.wrapper.Download.downloadInternal(Download.java:67)
at org.gradle.wrapper.Download.download(Download.java:52)
at org.gradle.wrapper.Install$1.call(Install.java:62)
at org.gradle.wrapper.Install$1.call(Install.java:48)
at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
at org.gradle.wrapper.Install.createDist(Install.java:48)
at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:62)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
... 14 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
... 30 more
>How-To-Repeat:
pkgin install openjdk11
then run any java project (maven or gradle based) that requires a download of external packages
>Fix:
>Audit-Trail:
From: ts1000 <ts1000@rad2know.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/55758: OpenJDK11 does not work after installation
Date: Fri, 30 Oct 2020 02:18:33 +0000
--
I had found a cacerts file in the openjdk directory and it seems to contain
entries (see below),
but it is not clear what I need to do so that gradle and anything else
that's trying to use https in OpenJDK11 would work.
---
nbsd1# pwd
/usr/pkg/java/openjdk11/lib/security
nbsd1# keytool -list -keystore cacerts -storepass changeit | more
Warning: use -cacerts option to access cacerts keystore
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 146 entries
From: ts1000 <ts1000@rad2know.net>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/55758: OpenJDK11 does not work after installation
Date: Sun, 01 Nov 2020 16:26:49 -0500
I found a workaround:
-- script start --
# ts1000: workaround to fix cacert store for OpenJDK 11 on NetBSD 9.1
# this workaround just reimports existing certificates in $JAVA_HOME/lib/security/cacerts
# into a JKS format store, and then just replaces the cacerts with the JKS version
# must be done as root
# also assuming keytool is in the $PATH
# that is: we have export JAVA_HOME=/usr/pkg/java/openjdk11
# and export PATH=${PATH}:${JAVA_HOME}/bin
cd /usr/pkg/java/openjdk11/lib/security
keytool -importkeystore -srckeystore /usr/pkg/java/openjdk11/lib/security/cacerts -destkeystore /usr/pkg/java/openjdk
mv cacerts cacerts.org
ln -s cacerts.jks cacerts
-- script end --
There was a similar problem with Docker, so I picked up a solution from there:
https://github.com/docker-library/openjdk/pull/263/files
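
The workaround in the message above, written out as a complete script; this is an added example, not the submitter's script, and it adds a check that the converted store holds as many entries as the original before anything is replaced. The `-destkeystore` argument is cut off on the page, so the `cacerts.jks` destination (inferred from the `ln -s` line), the `-deststoretype jks` option (inferred from the script's comments) and the `changeit` password (taken from the earlier `keytool -list` command) are assumptions.

```shell
#!/bin/sh
# Added example, not the submitter's script. Assumed, not taken from the page:
# the cacerts.jks destination, -deststoretype jks, and "changeit" as password.

# Print the entry count that `keytool -list` reports for store $1 (password $2).
count_entries() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null |
        sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p'
}

# Convert $1/cacerts to a JKS copy, then swap it in behind a symlink.
# Runs in a subshell so the caller's working directory is left alone.
convert_cacerts_to_jks() (
    dir=$1
    pass=${2:-changeit}
    cd "$dir" || exit 1

    # Refuse to run twice: after a successful run cacerts is a symlink.
    if [ ! -f cacerts ] || [ -L cacerts ]; then
        echo "cacerts is missing or already a symlink" >&2
        exit 1
    fi

    src_n=$(count_entries cacerts "$pass")
    if [ -z "$src_n" ] || [ "$src_n" -eq 0 ]; then
        echo "source store is unreadable or empty" >&2
        exit 1
    fi

    rm -f cacerts.jks    # leftover from an earlier failed attempt
    keytool -importkeystore -noprompt \
        -srckeystore cacerts -srcstorepass "$pass" \
        -destkeystore cacerts.jks -deststoretype jks \
        -deststorepass "$pass" || exit 1

    # Swap only if every trust anchor made it into the new store.
    dst_n=$(count_entries cacerts.jks "$pass")
    if [ "$dst_n" != "$src_n" ]; then
        echo "entry count mismatch: $src_n -> ${dst_n:-0}" >&2
        rm -f cacerts.jks
        exit 1
    fi

    mv cacerts cacerts.org && ln -s cacerts.jks cacerts
)

# Usage (as root): sh fix-cacerts.sh /usr/pkg/java/openjdk11/lib/security
if [ "$#" -gt 0 ]; then convert_cacerts_to_jks "$@"; fi
```

The original store is kept as `cacerts.org`, so moving it back over the symlink undoes the change.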
From: David Holland <dholland-pbugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/55758: OpenJDK11 does not work after installation
Date: Mon, 19 Jul 2021 01:57:55 +0000
On Tue, Oct 27, 2020 at 07:35:00PM +0000, ts1000@rad2know.net wrote:
> Any java code that relies on https will cause this error. Because
> OpenJDK distribution does not include (or does not correctly point
> to) certificates
In general the proper solution is the security/mozilla-rootcerts
package, and openjdk should probably be fixed to depend on and point
at those.
--
David A. Holland
dholland@netbsd.org