'the trustAnchors parameter must be non-empty' error 11-jdk

[JPOverclock]

Affected image tags: 11-jdk-slim, 11-jdk

Issue
Ran across this while attempting to package a spring-boot application using the Maven wrapper (mvnw package). This results in the following stacktrace when trying to retrieve the parent POM:

Exception in thread "main" javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1314)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:408)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
        at org.apache.maven.wrapper.DefaultDownloader.downloadInternal(DefaultDownloader.java:73)
        at org.apache.maven.wrapper.DefaultDownloader.download(DefaultDownloader.java:60)
        at org.apache.maven.wrapper.Installer.createDist(Installer.java:64)
        at org.apache.maven.wrapper.WrapperExecutor.execute(WrapperExecutor.java:121)
        at org.apache.maven.wrapper.MavenWrapperMain.main(MavenWrapperMain.java:55)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
        at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:308)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:188)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:626)
        at java.base/sun.security.ssl.CertificateStatus$CertificateStatusConsumer.consume(CertificateStatus.java:292)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        ... 10 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
        ... 25 more

Looks like an issue with the CA certificate store, similar to #145. Could also be related to the changes introduced in #259.

[almothafar]

Wow I was about to open the same ticket, yes I confirm that and wasted 4 hours trying to figure out the issue, I did get the previous version using this:
https://github.com/docker-library/repo-info/commits/master/repos/openjdk/remote/11.md
so I used the latest change from 21 days ago:
docker-library/repo-info@88142ba#diff-ddaaa92a4237756eb9f1b9dd7af15fc7

And that worked, the latest version got some critical changes seems and pushed without proper testing, I have 2 images:

Using the latest is not working:

FROM openjdk:11

ENV SBT_VERSION 1.2.7

RUN apt-get update
RUN apt-get install -y curl
RUN update-ca-certificates -f

# Install sbt
RUN \
  curl -L -o sbt-$SBT_VERSION.deb https://dl.bintray.com/sbt/debian/sbt-$SBT_VERSION.deb && \
  dpkg -i sbt-$SBT_VERSION.deb && \
  rm sbt-$SBT_VERSION.deb && \
  apt-get update && \
  apt-get install sbt

WORKDIR /src

RUN sbt clean update compile

ENTRYPOINT ["sbt"]

The error:

Step 1/9 : FROM openjdk:11
 ---> d600c7527b2b
Step 2/9 : ENV SBT_VERSION 1.2.7
 ---> Using cache
 ---> ded7e49ef27c
Step 3/9 : RUN apt-get update
 ---> Using cache
 ---> b244580db975
Step 4/9 : RUN apt-get install -y curl
 ---> Using cache
 ---> 962d71cff386
Step 5/9 : RUN update-ca-certificates -f
 ---> Using cache
 ---> ec1d928cb5a2
Step 6/9 : RUN   curl -L -o sbt-$SBT_VERSION.deb https://dl.bintray.com/sbt/debian/sbt-$SBT_VERSION.deb &&   dpkg -i sbt-$SBT_VERSION.deb &&   rm sbt-$SBT_VERSION.deb &&   apt-get update &&   apt-get install sbt
 ---> Using cache
 ---> 20bfdb614b7f
Step 7/9 : WORKDIR /src
 ---> Using cache
 ---> 14e5b4657933
Step 8/9 : RUN sbt clean update compile
 ---> Running in 4bb0ef241de8
Copying runtime jar.
Getting org.scala-sbt sbt 1.2.7  (this may take some time)...

:: problems summary ::
:::: WARNINGS
                module not found: org.scala-sbt#sbt;1.2.7

        ==== local: tried

          /root/.ivy2/local/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          /root/.ivy2/local/org.scala-sbt/sbt/1.2.7/jars/sbt.jar

        ==== local-preloaded-ivy: tried

          file:////root/.sbt/preloaded/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

        ==== local-preloaded: tried

          file:////root/.sbt/preloaded/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          file:////root/.sbt/preloaded/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== Maven Central: tried

          https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== sbt-maven-releases: tried

          https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== sbt-maven-snapshots: tried

          https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== typesafe-ivy-releases: tried

          https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

        ==== sbt-ivy-snapshots: tried

          https://repo.scala-sbt.org/scalasbt/ivy-snapshots/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

                ::::::::::::::::::::::::::::::::::::::::::::::

                ::          UNRESOLVED DEPENDENCIES         ::

                ::::::::::::::::::::::::::::::::::::::::::::::

                :: org.scala-sbt#sbt;1.2.7: not found

                ::::::::::::::::::::::::::::::::::::::::::::::


:::: ERRORS
        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/ivy-snapshots/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml


:: USE VERBOSE OR DEBUG MESSAGE LEVEL FOR MORE DETAILS
unresolved dependency: org.scala-sbt#sbt;1.2.7: not found
Error during sbt execution: Error retrieving required libraries
  (see /root/.sbt/boot/update.log for complete log)
Error: Could not retrieve sbt 1.2.7
The command '/bin/sh -c sbt clean update compile' returned a non-zero code: 1

But using old hash from 21 days ago worked for me:

FROM openjdk@sha256:3f5ab4e7e07884bc17a635b0730b9a62e3066015241a00516b83592255c788bc

ENV SBT_VERSION 1.2.7

RUN apt-get update
RUN apt-get install -y curl
RUN update-ca-certificates -f

# Install sbt
RUN \
  curl -L -o sbt-$SBT_VERSION.deb https://dl.bintray.com/sbt/debian/sbt-$SBT_VERSION.deb && \
  dpkg -i sbt-$SBT_VERSION.deb && \
  rm sbt-$SBT_VERSION.deb && \
  apt-get update && \
  apt-get install sbt

WORKDIR /src

RUN sbt clean update compile

ENTRYPOINT ["sbt"]

[almothafar]

And yes tried many times to update-ca-certificates deleted all images in my system and start over and over nothing worked, I even went back to sbt 1.2.6 what was working before I pull the latest version and got the same issue.

[almothafar]

This commit I think to blame: c3023e4#diff-c338262eaf0fd203322a06702be174e0

Funny the commit saying "stable":

Update 11 images to use stretch-backports; yay stable

[solatis]

Can confirm, running into the same issue.

[MarcosEich]

We are also having this problem.

[moleksyuk]

Same problem for us.

[jneis]

Same here.

[MarcosEich]

http://bit.ly/2Ar73Lp

[petercable]

Another workaround is to move back to the sid-tagged image (openjdk:11-slim-sid, for example, confirmed working for me)

[xenoterracide]

This breaks downstream usage of gradle, dependency fetching doesn't work.

[tianon]

Funny the commit saying "stable":

The "stable" word in that commit message is referring to Debian Stretch (which is currently "Debian Stable"). The older images were based on "Debian Unstable", which is definitely not a great base for images.

... pushed without proper testing ...

We do have some tests, but none of them cover usage of CA certificates so this one slipped. Sorry for the trouble.

If we can come up with a very simple way to reproduce the issue with minimal code, I'd love to add a new integration test to help us prevent this in the future.

[tianon]

I've managed to reproduce with something as simple as new URL("https://google.com").openStream();. 👍