AmazonS3Client generates "Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"

[aditzel]

Every time we try performing an upload via the TransferManager, we see the following exception:

Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76) at com.amazonaws.http.conn.$Proxy26.connect(Unknown Source) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72) at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:897) at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:738)

To avoid this, we are trying to set a custom SSL Socket factory that ignores all cert checking/verification:

AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, secretKey); ClientConfiguration clientConfig = new ClientConfiguration(); SSLSocketFactory sf = acceptAllCertsSocketFactory(); sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); clientConfig.getApacheHttpClientConfig().setSslSocketFactory(sf); AmazonS3Client s3Client = new AmazonS3Client(awsCredentials, clientConfig);
And our socket factory class is as follows:

`public class AcceptAllCertsSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");

public AcceptAllCertsSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
    super(truststore);

    TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    sslContext.init(null, new TrustManager[]{tm}, null);
}

}
`
Is there a particular configuration we've missed?

[kiiadi]

What exception do you get when you're not specifying the custom SSLSocketFactory - as in just a vanilla connection like so:

AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, secretKey);
AmazonS3Client s3Client = new AmazonS3Client(awsCredentials, clientConfig);

What version of the JRE are you running on?

[aditzel]

It still gives the same error. Debugging into the client it looks like the Apache Http client is using an internal pooled socket factory, instead of the one provided in the client.

Here's my environment:
java version "1.8.0_74" Java(TM) SE Runtime Environment (build 1.8.0_74-b02) Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)
Windows 10 x86_64 Version 1607 (OS Build 14393.0)

[kiiadi]

@aditzel thanks for the extra info - what version of the AWS SDK & Apache HTTP client are you using? I'm able to re-produce the problem when using your custom socket-factory code above. What KeyStore are you using? I did it with KeyStore.getInstance(KeyStore.getDefaultType())

However - when I do not specify a custom apacheClientConfig it works fine - this is using the latest version of the SDK (1.11.37). Can you send me the stack-trace when you do the following:

AmazonS3 client = new AmazonS3Client(new BasicAWSCredentials(accessKey, secretKey));
client.listBuckets().forEach(System.out::println);

[aditzel]

Hi @kiiadi, thanks for all the help. We put together some integration tests and got that working with your sample code and narrowed it down to environment specific tomcat configuration, resulting in using default keystores, instead of the ones with the certs we needed. Closing the issue.

[Sivaramz]

Hi @aditzel,

I'm receiving the same error posted by aditzel.
I hope all its due to javal 11 upgrade. It worked fine with java 8.

Tried with above stuff. It did't worked for me. Could you please help me out here.

Thanks,
Siva

[johnlinvc]

I got the same issue when using OpenJDK 8.
Solved it by installing ca-certificates-java package.

[menih]

Got the same issue. Exact root cause of upgrading Oracle JDK v1.8 to OpenJDK v11.