Question

2

Switch from openjdk-8-jre to openjdk-11-jre - trust anchor not found

rated 0 times [ 2] [ 0] / answers: 1 / hits: 4411 / 2 Years ago, mon, june 27, 2022, 7:14:01

Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:

davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.

I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.

Any ideas?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

piscen

Add To Favorites

Follow

Total Points: 134

Total Questions: 117

Total Answers: 133

Location: Indonesia

Member since Wed, Jul 7, 2021

3 Years ago

answered 2 Years ago hirtieve · Accepted Answer

Looks like you are affected for BUG 1739631

The workaround from the BUG that worked for me was:

edit /etc/java-9-openjdk/security/java.security file. Find the line
that says keystore.type = pkcs12 and change that to jks

remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts

run update-ca-certificates -f