Switch from openjdk-8-jre to openjdk-11-jre - trust anchor not found The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Eclipse has multiple issues after JRE-6 (OpenJDK) upgradeHow do I install an openssl CRL file?Can't upgrade old Ubuntu, error processing package fontconfigBig problems with new ssl cert on aws mail serverUbuntu Landscape - Server certificate verification failedOpenJDK 7 jre requiredUbuntu 16.04, Apache, certbot, how to?Adding a certificate to UbuntuHow can I reinstall oracle-java-installer?CA root install issue on Ubuntu 16.04 LTS Server
Do I have Disadvantage attacking with an off-hand weapon?
How do spell lists change if the party levels up without taking a long rest?
Example of compact Riemannian manifold with only one geodesic.
Why not take a picture of a closer black hole?
Button changing its text & action. Good or terrible?
Intergalactic human space ship encounters another ship, character gets shunted off beyond known universe, reality starts collapsing
Why doesn't a hydraulic lever violate conservation of energy?
What can I do if neighbor is blocking my solar panels intentionally?
Does Parliament need to approve the new Brexit delay to 31 October 2019?
Student Loan from years ago pops up and is taking my salary
Why don't hard Brexiteers insist on a hard border to prevent illegal immigration after Brexit?
Identify 80s or 90s comics with ripped creatures (not dwarves)
Can the DM override racial traits?
Are spiders unable to hurt humans, especially very small spiders?
Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange?
One-dimensional Japanese puzzle
How to support a colleague who finds meetings extremely tiring?
What is the padding with red substance inside of steak packaging?
Didn't get enough time to take a Coding Test - what to do now?
Is an up-to-date browser secure on an out-of-date OS?
Can a flute soloist sit?
My body leaves; my core can stay
How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?
What was the last x86 CPU that did not have the x87 floating-point unit built in?
Switch from openjdk-8-jre to openjdk-11-jre - trust anchor not found
The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Eclipse has multiple issues after JRE-6 (OpenJDK) upgradeHow do I install an openssl CRL file?Can't upgrade old Ubuntu, error processing package fontconfigBig problems with new ssl cert on aws mail serverUbuntu Landscape - Server certificate verification failedOpenJDK 7 jre requiredUbuntu 16.04, Apache, certbot, how to?Adding a certificate to UbuntuHow can I reinstall oracle-java-installer?CA root install issue on Ubuntu 16.04 LTS Server
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:
davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.
I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12
and davmail.ssl.keystoreFile=/etc/davmail/certs.p12
. By the way, this package contains the Let's Encrypt Authority X3
certificate as well as my own certificate and private key.
Any ideas?
upgrade openjdk ssl 18.04
add a comment |
Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:
davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.
I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12
and davmail.ssl.keystoreFile=/etc/davmail/certs.p12
. By the way, this package contains the Let's Encrypt Authority X3
certificate as well as my own certificate and private key.
Any ideas?
upgrade openjdk ssl 18.04
If you use the passworfd "changeit" you should be able to list the certs in the bundle. For ajava
proc you can set-Djavax.net.ssl.trustStorePassword=changeit
. But I'd like to know how to allow an empty password like with jdk8.
– codefinger
May 16 '18 at 13:41
add a comment |
Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:
davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.
I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12
and davmail.ssl.keystoreFile=/etc/davmail/certs.p12
. By the way, this package contains the Let's Encrypt Authority X3
certificate as well as my own certificate and private key.
Any ideas?
upgrade openjdk ssl 18.04
Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:
davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.
I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12
and davmail.ssl.keystoreFile=/etc/davmail/certs.p12
. By the way, this package contains the Let's Encrypt Authority X3
certificate as well as my own certificate and private key.
Any ideas?
upgrade openjdk ssl 18.04
upgrade openjdk ssl 18.04
asked Apr 28 '18 at 21:31
Apollo13Apollo13
83
83
If you use the passworfd "changeit" you should be able to list the certs in the bundle. For ajava
proc you can set-Djavax.net.ssl.trustStorePassword=changeit
. But I'd like to know how to allow an empty password like with jdk8.
– codefinger
May 16 '18 at 13:41
add a comment |
If you use the passworfd "changeit" you should be able to list the certs in the bundle. For ajava
proc you can set-Djavax.net.ssl.trustStorePassword=changeit
. But I'd like to know how to allow an empty password like with jdk8.
– codefinger
May 16 '18 at 13:41
If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a
java
proc you can set -Djavax.net.ssl.trustStorePassword=changeit
. But I'd like to know how to allow an empty password like with jdk8.– codefinger
May 16 '18 at 13:41
If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a
java
proc you can set -Djavax.net.ssl.trustStorePassword=changeit
. But I'd like to know how to allow an empty password like with jdk8.– codefinger
May 16 '18 at 13:41
add a comment |
2 Answers
2
active
oldest
votes
Looks like you are affected for BUG 1739631
The workaround from the BUG that worked for me was:
edit /etc/java-9-openjdk/security/java.security file. Find the line
that says keystore.type = pkcs12 and change that to jksremove /etc/ssl/certs/java/cacerts file:
rm /etc/ssl/certs/java/cacerts
run
update-ca-certificates -f
add a comment |
Run these commands with sudo permissions
set -ex;
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt;
mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts;
/var/lib/dpkg/info/ca-certificates-java.postinst configure;
New contributor
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1029428%2fswitch-from-openjdk-8-jre-to-openjdk-11-jre-trust-anchor-not-found%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Looks like you are affected for BUG 1739631
The workaround from the BUG that worked for me was:
edit /etc/java-9-openjdk/security/java.security file. Find the line
that says keystore.type = pkcs12 and change that to jksremove /etc/ssl/certs/java/cacerts file:
rm /etc/ssl/certs/java/cacerts
run
update-ca-certificates -f
add a comment |
Looks like you are affected for BUG 1739631
The workaround from the BUG that worked for me was:
edit /etc/java-9-openjdk/security/java.security file. Find the line
that says keystore.type = pkcs12 and change that to jksremove /etc/ssl/certs/java/cacerts file:
rm /etc/ssl/certs/java/cacerts
run
update-ca-certificates -f
add a comment |
Looks like you are affected for BUG 1739631
The workaround from the BUG that worked for me was:
edit /etc/java-9-openjdk/security/java.security file. Find the line
that says keystore.type = pkcs12 and change that to jksremove /etc/ssl/certs/java/cacerts file:
rm /etc/ssl/certs/java/cacerts
run
update-ca-certificates -f
Looks like you are affected for BUG 1739631
The workaround from the BUG that worked for me was:
edit /etc/java-9-openjdk/security/java.security file. Find the line
that says keystore.type = pkcs12 and change that to jksremove /etc/ssl/certs/java/cacerts file:
rm /etc/ssl/certs/java/cacerts
run
update-ca-certificates -f
answered May 29 '18 at 13:23
angelcerveraangelcervera
450416
450416
add a comment |
add a comment |
Run these commands with sudo permissions
set -ex;
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt;
mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts;
/var/lib/dpkg/info/ca-certificates-java.postinst configure;
New contributor
add a comment |
Run these commands with sudo permissions
set -ex;
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt;
mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts;
/var/lib/dpkg/info/ca-certificates-java.postinst configure;
New contributor
add a comment |
Run these commands with sudo permissions
set -ex;
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt;
mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts;
/var/lib/dpkg/info/ca-certificates-java.postinst configure;
New contributor
Run these commands with sudo permissions
set -ex;
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt;
mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts;
/var/lib/dpkg/info/ca-certificates-java.postinst configure;
New contributor
New contributor
answered 9 mins ago
madhukar bsmadhukar bs
1
1
New contributor
New contributor
add a comment |
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1029428%2fswitch-from-openjdk-8-jre-to-openjdk-11-jre-trust-anchor-not-found%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a
java
proc you can set-Djavax.net.ssl.trustStorePassword=changeit
. But I'd like to know how to allow an empty password like with jdk8.– codefinger
May 16 '18 at 13:41