Switch from openjdk-8-jre to openjdk-11-jre - trust anchor not found The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Eclipse has multiple issues after JRE-6 (OpenJDK) upgradeHow do I install an openssl CRL file?Can't upgrade old Ubuntu, error processing package fontconfigBig problems with new ssl cert on aws mail serverUbuntu Landscape - Server certificate verification failedOpenJDK 7 jre requiredUbuntu 16.04, Apache, certbot, how to?Adding a certificate to UbuntuHow can I reinstall oracle-java-installer?CA root install issue on Ubuntu 16.04 LTS Server

Do I have Disadvantage attacking with an off-hand weapon?

How do spell lists change if the party levels up without taking a long rest?

Example of compact Riemannian manifold with only one geodesic.

Why not take a picture of a closer black hole?

Button changing its text & action. Good or terrible?

Intergalactic human space ship encounters another ship, character gets shunted off beyond known universe, reality starts collapsing

Why doesn't a hydraulic lever violate conservation of energy?

What can I do if neighbor is blocking my solar panels intentionally?

Does Parliament need to approve the new Brexit delay to 31 October 2019?

Student Loan from years ago pops up and is taking my salary

Why don't hard Brexiteers insist on a hard border to prevent illegal immigration after Brexit?

Identify 80s or 90s comics with ripped creatures (not dwarves)

Can the DM override racial traits?

Are spiders unable to hurt humans, especially very small spiders?

Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange?

One-dimensional Japanese puzzle

How to support a colleague who finds meetings extremely tiring?

What is the padding with red substance inside of steak packaging?

Didn't get enough time to take a Coding Test - what to do now?

Is an up-to-date browser secure on an out-of-date OS?

Can a flute soloist sit?

My body leaves; my core can stay

How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?

What was the last x86 CPU that did not have the x87 floating-point unit built in?



Switch from openjdk-8-jre to openjdk-11-jre - trust anchor not found



The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Eclipse has multiple issues after JRE-6 (OpenJDK) upgradeHow do I install an openssl CRL file?Can't upgrade old Ubuntu, error processing package fontconfigBig problems with new ssl cert on aws mail serverUbuntu Landscape - Server certificate verification failedOpenJDK 7 jre requiredUbuntu 16.04, Apache, certbot, how to?Adding a certificate to UbuntuHow can I reinstall oracle-java-installer?CA root install issue on Ubuntu 16.04 LTS Server



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1















Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:



davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty



If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.



I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.



Any ideas?






upgrade openjdk ssl 18.04







share|improve this question






















  • If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.

    – codefinger
    May 16 '18 at 13:41

















1















Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:



davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty



If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.



I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.



Any ideas?






upgrade openjdk ssl 18.04







share|improve this question






















  • If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.

    – codefinger
    May 16 '18 at 13:41













1












1








1


1






Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:



davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty



If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.



I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.



Any ideas?






upgrade openjdk ssl 18.04







share|improve this question














Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:



davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty



If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.



I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.



Any ideas?






upgrade openjdk ssl 18.04




upgrade openjdk ssl 18.04






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Apr 28 '18 at 21:31









Apollo13Apollo13

83




83












  • If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.

    – codefinger
    May 16 '18 at 13:41

















  • If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.

    – codefinger
    May 16 '18 at 13:41
















If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.

– codefinger
May 16 '18 at 13:41





If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.

– codefinger
May 16 '18 at 13:41










2 Answers
2






active

oldest

votes


















0














Looks like you are affected for BUG 1739631



The workaround from the BUG that worked for me was:



  1. edit /etc/java-9-openjdk/security/java.security file. Find the line
    that says keystore.type = pkcs12 and change that to jks


  2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts


  3. run update-ca-certificates -f






share|improve this answer






























    0














    Run these commands with sudo permissions



    set -ex; 
    keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 
    mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 
    /var/lib/dpkg/info/ca-certificates-java.postinst configure;




    share








    New contributor




    madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.




















      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "89"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1029428%2fswitch-from-openjdk-8-jre-to-openjdk-11-jre-trust-anchor-not-found%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      0














      Looks like you are affected for BUG 1739631



      The workaround from the BUG that worked for me was:



      1. edit /etc/java-9-openjdk/security/java.security file. Find the line
        that says keystore.type = pkcs12 and change that to jks


      2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts


      3. run update-ca-certificates -f






      share|improve this answer



























        0














        Looks like you are affected for BUG 1739631



        The workaround from the BUG that worked for me was:



        1. edit /etc/java-9-openjdk/security/java.security file. Find the line
          that says keystore.type = pkcs12 and change that to jks


        2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts


        3. run update-ca-certificates -f






        share|improve this answer

























          0












          0








          0







          Looks like you are affected for BUG 1739631



          The workaround from the BUG that worked for me was:



          1. edit /etc/java-9-openjdk/security/java.security file. Find the line
            that says keystore.type = pkcs12 and change that to jks


          2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts


          3. run update-ca-certificates -f






          share|improve this answer













          Looks like you are affected for BUG 1739631



          The workaround from the BUG that worked for me was:



          1. edit /etc/java-9-openjdk/security/java.security file. Find the line
            that says keystore.type = pkcs12 and change that to jks


          2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts


          3. run update-ca-certificates -f







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 29 '18 at 13:23









          angelcerveraangelcervera

          450416




          450416























              0














              Run these commands with sudo permissions



              set -ex; 
              keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 
              mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 
              /var/lib/dpkg/info/ca-certificates-java.postinst configure;




              share








              New contributor




              madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.
























                0














                Run these commands with sudo permissions



                set -ex; 
                keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 
                mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 
                /var/lib/dpkg/info/ca-certificates-java.postinst configure;




                share








                New contributor




                madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






















                  0












                  0








                  0







                  Run these commands with sudo permissions



                  set -ex; 
                  keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 
                  mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 
                  /var/lib/dpkg/info/ca-certificates-java.postinst configure;




                  share








                  New contributor




                  madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.










                  Run these commands with sudo permissions



                  set -ex; 
                  keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 
                  mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 
                  /var/lib/dpkg/info/ca-certificates-java.postinst configure;





                  share








                  New contributor




                  madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.








                  share


                  share






                  New contributor




                  madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  answered 9 mins ago









                  madhukar bsmadhukar bs

                  1




                  1




                  New contributor




                  madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.





                  New contributor





                  madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






                  madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.



























                      draft saved

                      draft discarded
















































                      Thanks for contributing an answer to Ask Ubuntu!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1029428%2fswitch-from-openjdk-8-jre-to-openjdk-11-jre-trust-anchor-not-found%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      Möglingen Índice Localización Historia Demografía Referencias Enlaces externos Menú de navegación48°53′18″N 9°07′45″E / 48.888333333333, 9.129166666666748°53′18″N 9°07′45″E / 48.888333333333, 9.1291666666667Sitio web oficial Mapa de Möglingen«Gemeinden in Deutschland nach Fläche, Bevölkerung und Postleitzahl am 30.09.2016»Möglingen

                      Image
                      Localidades de Baden-Wurtemberg municipioalemándistrito de LuisburgoBaden-WurtembergLuisburgoCasa de WurtembergGuerra de los Treinta AñosGuerra de los Nueve Años Möglingen Municipio Iglesia gótica de San Pancracio. Escudo Möglingen Localización de Möglingen en Alemania Ubicación de Möglingen Coordenadas 48°53′18″N 9°07′45″E  /  48.888333333333, 9.1291666666667 Coordenadas: 48°53′18″N 9°07′45″E  /  48.888333333333, 9.1291666666667 Entidad Municipio  • País   Alemania  • Estado Baden-Wurtemberg  • Distrito Luisburgo Superficie    • Total 9,93 km², 9,95 km² y 9,93 km² Altitud    • Media 297 m s. n. m. Población (2014)    • Total 10 983 hab.  • Densidad Expresión errónea: carácter de puntuación « » desconocido, hab/km² Huso horario UTC+01:00 y UTC+02:00 Código postal 71696 Prefijo telefónico 07141 Matrícula LB Número oficial de comunidad 08118051 Sitio web oficial [editar datos en Wikidata] Möglingen es un municipio alemán perteneciente al distrito de Luisburgo de Baden-Wurtember
                      Read more

                      Virtualbox - Configuration error: Querying “UUID” failed (VERR_CFGM_VALUE_NOT_FOUND)“VERR_SUPLIB_WORLD_WRITABLE” error when trying to installing OS in virtualboxVirtual Box Kernel errorFailed to open a seesion for the virtual machineFailed to open a session for the virtual machineUbuntu 14.04 LTS Virtualbox errorcan't use VM VirtualBoxusing virtualboxI can't run Linux-64 Bit on VirtualBoxUnable to insert the virtual optical disk (VBoxguestaddition) in virtual machine for ubuntu server in win 10VirtuaBox in Ubuntu 18.04 Issues with Win10.ISO Installation

                      Image
                      Fear of getting stuck on one programming language / technology that is not used in my country Do the primes contain an infinite almost arithmetic progression? Biological Blimps: Propulsion Are Captain Marvel's powers affected by Thanos' actions in Infinity War Why does AES have exactly 10 rounds for a 128-bit key, 12 for 192 bits and 14 for a 256-bit key size? Can a College of Swords bard use a Blade Flourish option on an opportunity attack provoked by their own Dissonant Whispers spell? Can disgust be a key component of horror? Can I say "fingers" when referring to toes? What is Cash Advance APR? Why Shazam when there is already Superman? What does "Scientists rise up against statistical significance" mean? (Comment in Nature) What does chmod -u do? What should you do when eye contact makes your subordinate uncomfortable? Issue while creating Apex class using API How much character growth crosses the line into breaking the charac
                      Read more

                      Antonio De Lisio Carrera Referencias Menú de navegación«Caracas: evolución relacional multipleja»«Cuando los gobiernos subestiman a las localidades: L a Iniciativa para la Integración de la Infraestructura Regional Suramericana (IIRSA) en la frontera Colombo-Venezolana»«Maestría en Planificación Integral del Ambiente»«La Metrópoli Caraqueña: Expansión Simplificadora o Articulación Diversificante»«La Metrópoli Caraqueña: Expansión Simplificadora o Articulación Diversificante»«Conózcanos»«Caracas: evolución relacional multipleja»«La Metrópoli Caraqueña: Expansión Simplificadora o Articulación Diversificante»

                      Profesores de VenezuelaNacidos en 1956Geógrafos de Venezuela PlanificaciónEcologíaAmbientedesarrollo sustentableUniversidad Central de VenezuelaUniversidad Central de VenezuelaAsamblea Nacional de VenezuelaUniversidad Central de VenezuelaUniversidad de París VIIUniversidad Central de Venezuela Antonio De Lisio (nacido en 1956), es un geógrafo y profesor universitario italiano/venezolano. Se destaca como investigador en las áreas de Planificación,Ecología, Ambiente y desarrollo sustentable. [ 1 ] ​ Fue director del Centro de Estudios Integrales del Ambiente (CENAMB) de la Universidad Central de Venezuela (1992-2009). [ 2 ] ​ Carrera De Lisio es profesor titular de la Facultad de Arquitectura y Urbanismo y del CENAMB de la Universidad Central de Venezuela. Impartiendo las cátedras de “Teoría de la Arquitectura” en la Escuela Arquitectura Carlos Raúl Villanueva, y a nivel de postgrado “Perspectiva Ambiental del Desarrollo” en la maestría de Planificación Integral del Ambiente. [ 3 ] ​
                      Read more