SSLException - trustAnchors parameter must be non-empty #548

Closed
mobileAgent opened this Issue Oct 29, 2015 · 4 comments

mobileAgent commented Oct 29, 2015

Occurred on several EC2 instances with java openjdk version "1.8.0_65" and aws-sdk-java-1.10.27 all at the same time. Perhaps there was some key maintenance activity on S3 which triggered this exception. My code did not get control so that it could be caught; instead the processes appear to have hung in this stack.

    javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906)
        at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
        at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:128)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
        at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:749)
        at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:505)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:317)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3595)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3548)
        at com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:647)
        ... my code here...

Contributor

shorea commented Oct 30, 2015

This exception indicates that your trust store could not be found (or is maybe corrupted?). How often do you make HTTPS calls in your application? I would have expected you would see this more regularly if the trust store was truly misconfigured. Could any other piece of code be messing with your system properties, specifically for the trust store location?

mobileAgent commented Nov 10, 2015

I don't understand how that could be the case. Our software makes calls to the S3 API using

        AWSCredentials credentials = new DefaultAWSCredentialsProviderChain().getCredentials();

and picking up the two environment variables needed for the AWS_SECRET_KEY and AWS_ACCESS_KEY. We don't have any kind of trust store that we configure or set up on our end.

To answer your question directly, we make these calls all the time (multiple times per minute) across a range of jvms on multiple EC2 nodes and this exception path has never happened save this once. When it happened, it hung all jvms across all of our EC2 nodes nearly simultaneously.

Contributor

shorea commented Nov 18, 2015

If you're not explicitly configuring a trust store you should get the JDK's default. Is it possible that a Java upgrade was occurring on your fleet during the outage and the trust store file became temporarily unavailable? Do you manually update Java on your instances or do you use a tool that manages that for you?
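
A startup or health-check probe for the condition discussed in this thread, as an added example (not code from the issue or from the AWS SDK): it lists the files JSSE consults for its default trust store and counts the CA certificates the default trust manager accepts. The class name `TrustStoreCheck` and its method names are hypothetical; only standard JDK APIs are used.

```java
import java.io.File;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic class, added for illustration.
public class TrustStoreCheck {

    /** Files JSSE consults for its default trust store, in lookup order. */
    static File[] candidateStores() {
        // An explicit system property overrides the JDK's bundled stores.
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return new File[] { new File(override) };
        }
        String sec = System.getProperty("java.home")
                + File.separator + "lib" + File.separator + "security";
        return new File[] { new File(sec, "jssecacerts"), new File(sec, "cacerts") };
    }

    /** Number of CA certificates the default trust manager accepts right now. */
    static int defaultTrustAnchorCount() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK default trust store
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        for (File f : candidateStores()) {
            System.out.printf("%s exists=%b readable=%b size=%d%n",
                    f, f.exists(), f.canRead(), f.length());
        }
        int anchors = defaultTrustAnchorCount();
        System.out.println("default trust anchors: " + anchors);
        if (anchors == 0) {
            // Zero anchors is the state behind "trustAnchors parameter must be non-empty".
            System.err.println("Default trust store is empty or missing; HTTPS handshakes will fail");
            System.exit(1);
        }
    }
}
```

Running it under the same JVM and user as the application, for example after a package upgrade, shows whether the default store is present and readable before the first HTTPS call is made.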

@shorea shorea self-assigned this Nov 20, 2015

@shorea shorea added the waiting-reply label Dec 2, 2015

Contributor

shorea commented Dec 17, 2015

Closing issue. Feel free to reopen if problem persists.

@shorea shorea closed this Dec 17, 2015
