Error - trustAnchors parameter must be non-empty

java

ssl-connections

trust-store

java-configuration

byAnton Shumikhin·Sep 15, 2024

To resolve the "trustAnchors parameter must be non-empty" error, ensure your Java trust store is configured correctly:

System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore");
System.setProperty("javax.net.ssl.trustStorePassword", "password");

Substitute "/path/to/truststore" with the actual path of your trust store and "password" with the password of the trust store. Note that this is specifically setting the JVM to trust certificates present in the given trust store.

Trust anchors explained

Defining trustAnchors

trustAnchors, in essence, are root certificates that Java employs to validate a server's SSL certification chain. To establish a secure connection, these root certificates must exist in the trust store.

The core purpose of a trust store

A trust store holds paramount significance in SSL/TLS connections as it carries the certificates trusted by your Java environment. In the absence of a trust store, your application will disapprove of all server connections, resulting in the error discussed.

Potential origins of an empty trust store

The following scenarios might end up with an empty trust store:

Misconfigurations during email setup in Jenkins/Hudson
Incorrect setup of your JDK or email server
System issues causing a loss of CA certificates in operating systems like Ubuntu LTS 18.04.1 and Cosmic 18.10

Fine-tuning and troubleshooting steps

Syncing Java version compatibility

Perform a compatibility check between the certificates in your trust store and your Java version using java --version.

Adjusting keystore type in Java config

In your java.security file, make sure the keystore type is JKS. Use this command to set a default password for the keystore (don't forget to replace 'changeit' with your password):

printf "changeit\nchangeit\n" | keytool -genkey -keyalg RSA -alias self_signed -keystore truststore.jks

Updating certificates on Ubuntu

Perform an update or fresh install of the ca-certificates-java package on an Ubuntu system:

sudo apt-get install ca-certificates-java

This integrates the latest certificates that Java uses within your system.

Adjusting Java distribution

Oracle JDK users should ensure the JDK and its dependencies are correctly installed. Use sudo update-java-alternatives -a to update alternative versions of Java on your system.

Resolving SSL exceptions

NOTE: You might encounter InvalidAlgorithmParameterException when needed certificates are missing from the store.

Perform a reinstallation of conflicting packages or CA-certificates:

sudo apt-get --reinstall install ca-certificates

To avoid conflicts with openjdk-11-jdk, consider downgrading to Java 8 or tweaking your server settings.

Server settings adjustment

Specify the truststoreType as JKS in your server.xml file for server configuration:

<Connector port="443" ... truststoreType="JKS" truststoreFile="path_to_truststore" truststorePass="password"/>

This ensures harmonization between the configuration in your server and that in the Java environment.

explain-codes / Java / Error - trustAnchors parameter must be non-empty

Linked

"pkix path building failed" and "unable to find valid certification path to requested target"



Received fatal alert: handshake_failure through SSLHandshakeException



Accept server's self-signed SSL certificate in Java client



Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?



Problems using Maven and SSL behind proxy



How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default?



Java SecurityException: signer information does not match



Trust anchors explained Fine-tuning and troubleshooting steps