Sfdwhf

Mortgage adviser recommends a longer term than necessary combined with overpayments

Store Dynamic-accessible hidden metadata in a cell

My body leaves; my core can stay

Is there a writing software that you can sort scenes like slides in PowerPoint?

Is this wall load bearing? Blueprints and photos attached

Could an empire control the whole planet with today's comunication methods?

What happens to a Warlock's expended Spell Slots when they gain a Level?

Example of compact Riemannian manifold with only one geodesic.

Identify 80s or 90s comics with ripped creatures (not dwarves)

Can the DM override racial traits?

Sub-subscripts in strings cause different spacings than subscripts

Would an alien lifeform be able to achieve space travel if lacking in vision?

Windows 10: How to Lock (not sleep) laptop on lid close?

Did the new image of black hole confirm the general theory of relativity?

How to determine omitted units in a publication

What force causes entropy to increase?

ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?

Word for: a synonym with a positive connotation?

should truth entail possible truth

Are there continuous functions who are the same in an interval but differ in at least one other point?

Match Roman Numerals

Why can't wing-mounted spoilers be used to steepen approaches?

How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time

US Healthcare consultation for visitors

Switch from openjdk-8-jre to openjdk-11-jre - trust anchor not found

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}

1

1

Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:

davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.

I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.

Any ideas?

upgrade openjdk ssl 18.04

share|improve this question

asked Apr 28 '18 at 21:31

Apollo13Apollo13

83

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.
  
  – codefinger
  May 16 '18 at 13:41
  

  
  
  
  

add a comment | 

1

1

Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:

davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.

I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.

Any ideas?

upgrade openjdk ssl 18.04

share|improve this question

asked Apr 28 '18 at 21:31

Apollo13Apollo13

83

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you use the passworfd "changeit" you should be able to list the certs in the bundle. For a java proc you can set -Djavax.net.ssl.trustStorePassword=changeit. But I'd like to know how to allow an empty password like with jdk8.
  
  – codefinger
  May 16 '18 at 13:41
  

  
  
  
  

add a comment | 

Today I tried to upgrade my server running a DAVmail gateway. On my previous installation I used openjdk-8-jre-headless without any problem. Now that I upgraded to 18.04 and installed openjdk-11-jre-headless I get the following error:

davmail.exception.DavMailException: Exchange login exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

If I downgrade to openjdk-8-jre-headless again (and purge version 11) the error is gone.

I use "Let's encrypt" to create the necessary certificate - could that be a problem? E.g. that the new ISRG certificate is included, but the DST one is not present anymore? I checked /usr/share/ca-certificates and found both CA certificates but I don't know if the contents of the Java key store are the same and if this keystore is even used because I provide a PKCS12 file via davmail.ssl.keystoreType=PKCS12 and davmail.ssl.keystoreFile=/etc/davmail/certs.p12. By the way, this package contains the Let's Encrypt Authority X3 certificate as well as my own certificate and private key.

Any ideas?

upgrade openjdk ssl 18.04

share|improve this question

asked Apr 28 '18 at 21:31

Apollo13Apollo13

83

share|improve this question

asked Apr 28 '18 at 21:31

Apollo13Apollo13

83

share|improve this question

asked Apr 28 '18 at 21:31

Apollo13Apollo13

83

asked Apr 28 '18 at 21:31

Apollo13Apollo13

83

asked Apr 28 '18 at 21:31

Apollo13Apollo13

83

2 Answers
2

active

oldest

votes

0

Looks like you are affected for BUG 1739631

The workaround from the BUG that worked for me was:

1. edit /etc/java-9-openjdk/security/java.security file. Find the line
   that says keystore.type = pkcs12 and change that to jks




2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts




3. run update-ca-certificates -f

share|improve this answer

answered May 29 '18 at 13:23

angelcerveraangelcervera

450416

add a comment | 

0

Run these commands with sudo permissions

set -ex; 

keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 

mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 

/var/lib/dpkg/info/ca-certificates-java.postinst configure; 

share|improve this answer

answered 46 mins ago

madhukar bsmadhukar bs

1

New contributor

madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1029428%2fswitch-from-openjdk-8-jre-to-openjdk-11-jre-trust-anchor-not-found%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

Looks like you are affected for BUG 1739631

The workaround from the BUG that worked for me was:

1. edit /etc/java-9-openjdk/security/java.security file. Find the line
   that says keystore.type = pkcs12 and change that to jks




2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts




3. run update-ca-certificates -f

share|improve this answer

answered May 29 '18 at 13:23

angelcerveraangelcervera

450416

add a comment | 

0

Looks like you are affected for BUG 1739631

The workaround from the BUG that worked for me was:

1. edit /etc/java-9-openjdk/security/java.security file. Find the line
   that says keystore.type = pkcs12 and change that to jks




2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts




3. run update-ca-certificates -f

share|improve this answer

answered May 29 '18 at 13:23

angelcerveraangelcervera

450416

add a comment | 

Looks like you are affected for BUG 1739631

The workaround from the BUG that worked for me was:

1. edit /etc/java-9-openjdk/security/java.security file. Find the line
   that says keystore.type = pkcs12 and change that to jks




2. remove /etc/ssl/certs/java/cacerts file: rm /etc/ssl/certs/java/cacerts




3. run update-ca-certificates -f

share|improve this answer

answered May 29 '18 at 13:23

angelcerveraangelcervera

450416

share|improve this answer

answered May 29 '18 at 13:23

angelcerveraangelcervera

450416

answered May 29 '18 at 13:23

angelcerveraangelcervera

450416

answered May 29 '18 at 13:23

angelcerveraangelcervera

450416

0

Run these commands with sudo permissions

set -ex; 

keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 

mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 

/var/lib/dpkg/info/ca-certificates-java.postinst configure; 

share|improve this answer

answered 46 mins ago

madhukar bsmadhukar bs

1

New contributor

madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

0

Run these commands with sudo permissions

set -ex; 

keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 

mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 

/var/lib/dpkg/info/ca-certificates-java.postinst configure; 

share|improve this answer

answered 46 mins ago

madhukar bsmadhukar bs

1

New contributor

madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

Run these commands with sudo permissions

set -ex; 

keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 

mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 

/var/lib/dpkg/info/ca-certificates-java.postinst configure; 

share|improve this answer

answered 46 mins ago

madhukar bsmadhukar bs

1

New contributor

madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

set -ex; 

keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /etc/ssl/certs/java/cacerts.jks -deststoretype JKS -srcstorepass changeit -deststorepass changeit -noprompt; 

mv /etc/ssl/certs/java/cacerts.jks /etc/ssl/certs/java/cacerts; 

/var/lib/dpkg/info/ca-certificates-java.postinst configure; 

share|improve this answer

answered 46 mins ago

madhukar bsmadhukar bs

1

New contributor

madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 46 mins ago

madhukar bsmadhukar bs

1

New contributor

madhukar bs is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 46 mins ago

madhukar bsmadhukar bs

1