Posted to users@tomcat.apache.org by "Beard, Shawn M." <SB...@wrberkley.com.INVALID> on 2020/06/26 15:36:37 UTC

SSL error

We are running tomcat-7.0.52 (old, I know) and java 1.7.0_80. When the app makes calls to an external webservice, it keeps throwing this error:

javax.net.ssl.SSLException : javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I have this in the java options and have confirmed the proper CA certs for this webservice are in the truststore. Any ideas?

-Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks -Djavax.net.ssl.trustStorePassword=######## -Djavax.net.ssl.trustStoreType=jks





Shawn Beard • Sr. Systems Engineer
Middleware Engineering


RE: SSL error [EXTERNAL]

Posted by "Beard, Shawn M." <SB...@wrberkley.com.INVALID>.
I was able to resolve this. I used keytool to create a new keystore/trust store, then imported the previous truststore that had all the CA certs in it. That seemed to work. So even though the previous truststore had the certs in it and was not empty, it must have had some kind of linking problem maybe?



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528


RE: SSL error [EXTERNAL]

Posted by Jo...@wellsfargo.com.INVALID.
Shawn,



That error message comes from PKIXParameters.setTrustAnchors().  I was able to reproduce the problem with an empty trust store.  I also tried a trust store with the wrong certs but got a different error.

With -Djavax.net.debug=ssl, you should see output like this:

trustStore is: /path/to/trust.jks
trustStore type is: jks
trustStore provider is: 
the last modified time is: Fri Jun 26 13:27:52 CDT 2020
Reload the trust store
Reload trust certs
Reloaded 1 trust certs
adding as trusted cert:

Followed by a list of certs found in the store.

Is that what's happening in your case?

John
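
The check described in the message above (an empty trust store reproduces the error raised while building the PKIX parameters) can be run directly against a store file. This is an added example, not code from the thread; the class name `TrustStoreCheck` and its command-line arguments are hypothetical, and with no arguments it checks a constructed empty in-memory store.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added example (not from the thread). Usage: java TrustStoreCheck [path] [password] [type]
public class TrustStoreCheck {

    // Counts trusted-certificate entries; key entries are not trust anchors.
    static int countTrustedCerts(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean trusted = ks.isCertificateEntry(alias);
            System.out.println((trusted ? "trustedCertEntry " : "other entry      ") + alias);
            if (trusted) n++;
        }
        return n;
    }

    // Builds PKIXParameters from the store; this fails when it holds no trusted cert entries.
    static String pkixStatus(KeyStore ks) throws Exception {
        try {
            return "OK, trust anchors: " + new PKIXParameters(ks).getTrustAnchors().size();
        } catch (InvalidAlgorithmParameterException e) {
            return "FAIL: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 2 ? args[2] : "jks";
        KeyStore ks = KeyStore.getInstance(type);
        if (args.length == 0) {
            ks.load(null, null); // constructed sample: an empty in-memory store
            System.out.println("no path given, checking a constructed empty store");
        } else {
            char[] pw = args.length > 1 ? args[1].toCharArray() : null;
            InputStream in = new FileInputStream(args[0]); // throws if the path is wrong
            try { ks.load(in, pw); } finally { in.close(); }
        }
        System.out.println("trusted cert entries: " + countTrustedCerts(ks));
        System.out.println("PKIXParameters: " + pkixStatus(ks));
    }
}
```

A store that lists aliases but reports zero trusted cert entries fails the same way as an empty one, because `PKIXParameters(KeyStore)` only takes anchors from trusted certificate entries.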


RE: SSL error [EXTERNAL]

Posted by "Beard, Shawn M." <SB...@wrberkley.com.INVALID>.
The code is calling a new webservice. It has GoDaddy as its CA signer. It was getting the error before I added those java options. Those java options were my attempt to resolve it. I've also tried adding the GoDaddy CA certs to java's cacert file without those java options. Same result.



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528


Re: SSL error

Posted by calder <ca...@gmail.com>.
On Fri, Jun 26, 2020, 10:37 Beard, Shawn M. <SB...@wrberkley.com.invalid>
wrote:

> We are running tomcat-7.0.52(old I know) and java 1.7.0_80.
>

yea, BOTH are very old.

> When the app makes calls to an external webservice. It keeps throwing this
> error:
>
> javax.net.ssl.SSLException : javax.net.ssl.SSLException:
> java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
>
[1]

> I have this in the java options and have confirmed the proper CA certs for
> this webservice is in the truststore. Any ideas?
>
> -Djavax.net.ssl.trustStore=/path/to/truststore/tomcatTrustStore.jks
> -Djavax.net.ssl.trustStorePassword=########
> -Djavax.net.ssl.trustStoreType=jks
>

Did this runtime EVER work?

If yes, "what" changed?



[1]
https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty