
AcmeCA feature with revocation enabled can fail to initialize on certain OS and JDK combinations #24566

Closed
kristip17 opened this issue Mar 6, 2023 · 1 comment · Fixed by #24567
Labels: release bug (This bug is present in a released version of Open Liberty), release:23003

Comments

@kristip17 (Contributor)

kristip17 commented Mar 6, 2023

Describe the bug
When running with a hybrid JDK8 for MacOS and with the AcmeCA feature enabled and certificate revocation checking enabled, the SSL/TLS endpoint can fail to complete initialization and will not be available for traffic.

The following NullPointerException is logged in the FFDC, indicating the failure in the initialization flow.

Exception = java.lang.NullPointerException
Source = com.ibm.ws.security.acme.internal.AcmeProviderImpl
probeid = 921
Stack Dump = java.lang.NullPointerException
at sun.security.provider.certpath.CertPathHelper.setDateAndTime(CertPathHelper.java:71)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:525)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:464)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:393)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:336)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:225)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:304)
at com.ibm.ws.security.acme.internal.CertificateRevocationChecker.isRevoked(CertificateRevocationChecker.java:371)
at com.ibm.ws.security.acme.internal.AcmeProviderImpl.isRevoked(AcmeProviderImpl.java:681)
at com.ibm.ws.security.acme.internal.AcmeProviderImpl.isCertificateRequired(AcmeProviderImpl.java:398)
at com.ibm.ws.security.acme.internal.AcmeProviderImpl.checkAndRetrieveCertificate(AcmeProviderImpl.java:419)
at com.ibm.ws.security.acme.internal.AcmeProviderImpl.checkAndInstallCertificate(AcmeProviderImpl.java:194)
at com.ibm.ws.security.acme.internal.AcmeProviderImpl.updateDefaultSSLCertificate(AcmeProviderImpl.java:899)
at com.ibm.ws.crypto.certificate.creator.acme.AcmeSSLCertificateCreator.updateDefaultSSLCertificate(AcmeSSLCertificateCreator.java:55)
at com.ibm.ws.ssl.config.WSKeyStore$1.run(WSKeyStore.java:889)
at com.ibm.ws.ssl.config.WSKeyStore$1.run(WSKeyStore.java:829)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.ws.ssl.config.WSKeyStore.obtainKeyStore(WSKeyStore.java:829)
at com.ibm.ws.ssl.config.WSKeyStore.do_getKeyStore(WSKeyStore.java:789)
at com.ibm.ws.ssl.config.WSKeyStore.getKeyStore(WSKeyStore.java:1063)
at com.ibm.ws.ssl.config.WSKeyStore.getKeyStore(WSKeyStore.java:1037)
at com.ibm.ws.ssl.config.WSKeyStore.initializeKeyStore(WSKeyStore.java:1182)
at com.ibm.ws.ssl.config.WSKeyStore.<init>(WSKeyStore.java:345)
at com.ibm.ws.ssl.internal.KeystoreConfig.updateKeystoreConfig(KeystoreConfig.java:95)
at com.ibm.ws.ssl.internal.KeystoreConfigurationFactory.updated(KeystoreConfigurationFactory.java:114)
at com.ibm.ws.config.admin.internal.ManagedServiceFactoryTracker$2.run(ManagedServiceFactoryTracker.java:269)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at com.ibm.ws.config.admin.internal.UpdateQueue$Queue.run(UpdateQueue.java:68)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:1

Steps to Reproduce

  1. Run on MacOS with a Hybrid JDK8
  2. Add and configure the acmeCA feature
  3. Enable and configure the acmeRevocationChecker attribute.
  4. Start the Liberty server.

Expected behavior
The acmeCA revocation check should complete successfully and the SSL/TLS endpoint should complete initialization and be available for traffic.

Diagnostic information:

  • OpenLiberty Version: [e.g. 20.0.0.10 - 23.0.0.03]
  • Affected feature(s): [acmeCA-2.0]
  • Java Version: [Java(TM) 2 Runtime Environment, Standard Edition (1.8.0_351-b10 20_Oct_2022_06_19 Mac OS X x64(SR7 FP20))]
  • server.xml configuration (WITHOUT sensitive information like passwords)
<featureManager>
  <feature>acmeCA-2.0</feature>
  <feature>appSecurity-3.0</feature>
</featureManager>
<acmeCA directoryURI="ACME_DIR_URI">
  <accountContact>mailto:pacman@mail.com</accountContact>
  <acmeRevocationChecker enabled="true" ocspResponderUrl="http://URI_HOST:40424"/>
  <acmeTransportConfig trustStore="${server.config.dir}/resources/security/cacerts.p12" trustStorePassword="*****"/>
  <domain>domain1.com</domain>
</acmeCA>
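To check whether a given JDK/OS combination trips on the same revocation code path before enabling acmeRevocationChecker, here is an added diagnostic (not Open Liberty's code and not the reporter's): it drives the standard CertPathValidator "PKIX" with a PKIXRevocationChecker preferring CRLs, the path the FFDC stack shows under RevocationChecker.checkCRLs. The class name CrlCheckProbe, the argument layout and the PEM chain file are assumptions; the truststore is the same kind of PKCS12 store that acmeTransportConfig references.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not Open Liberty code. It runs the JDK's own PKIX validation with
// revocation checking outside the server so the JDK/OS combination can be tested on
// its own. Args: <truststore.p12> <password> <chain.pem> [ocspResponderUrl]
// chain.pem holds the leaf first, then intermediates, and not the trust anchor.
public class CrlCheckProbe {
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (FileInputStream in = new FileInputStream(args[2])) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        CertPath path = cf.generateCertPath(chain);

        // Trust anchors are the trusted-certificate entries of the PKCS12 store.
        PKIXParameters params = new PKIXParameters(trust);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Prefer CRLs so the CRL branch of the revocation checker is exercised;
        // OCSP is still used as the fallback, optionally against a given responder.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
        if (args.length > 3) {
            rc.setOcspResponder(new URI(args[3]));
        }
        params.addCertPathChecker(rc);
        params.setRevocationEnabled(true);
        params.setDate(new Date()); // explicit validation time for the checker

        try {
            cpv.validate(path, params);
            System.out.println("chain valid and not revoked");
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes REVOKED / UNDETERMINED_REVOCATION_STATUS from other failures
            System.out.println("validation failed: " + e.getReason() + ": " + e.getMessage());
        }
    }
}
```

An unchecked NullPointerException escaping from validate() on a particular JDK, rather than a CertPathValidatorException, is the behaviour this issue describes and is not a property of the chain being tested.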
@mbroz2 (Member)

mbroz2 commented Apr 3, 2023

@kristip17 please update the description of this release bug using the bug report template.
