'the trustAnchors parameter must be non-empty' error 11-jdk #261

Closed
JPOverclock opened this Issue Dec 26, 2018 · 30 comments

JPOverclock commented Dec 26, 2018

Affected image tags: 11-jdk-slim, 11-jdk

Issue
Ran across this while attempting to package a spring-boot application using the Maven wrapper (mvnw package). This results in the following stacktrace when trying to retrieve the parent POM:

Exception in thread "main" javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
        at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1314)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:408)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
        at org.apache.maven.wrapper.DefaultDownloader.downloadInternal(DefaultDownloader.java:73)
        at org.apache.maven.wrapper.DefaultDownloader.download(DefaultDownloader.java:60)
        at org.apache.maven.wrapper.Installer.createDist(Installer.java:64)
        at org.apache.maven.wrapper.WrapperExecutor.execute(WrapperExecutor.java:121)
        at org.apache.maven.wrapper.MavenWrapperMain.main(MavenWrapperMain.java:55)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
        at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:308)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:188)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:626)
        at java.base/sun.security.ssl.CertificateStatus$CertificateStatusConsumer.consume(CertificateStatus.java:292)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        ... 10 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
        ... 25 more

Looks like an issue with the CA certificate store, similar to #145. Could also be related to the changes introduced in #259.

almothafar commented Dec 26, 2018

Wow, I was about to open the same ticket. Yes, I confirm that; I wasted 4 hours trying to figure out the issue. I did get the previous version using this:
https://github.com/docker-library/repo-info/commits/master/repos/openjdk/remote/11.md
so I used the latest change from 21 days ago:
docker-library/repo-info@88142ba#diff-ddaaa92a4237756eb9f1b9dd7af15fc7

And that worked. It seems the latest version got some critical changes and was pushed without proper testing. I have 2 images:

Using the latest is not working:

FROM openjdk:11

ENV SBT_VERSION 1.2.7

RUN apt-get update
RUN apt-get install -y curl
RUN update-ca-certificates -f

# Install sbt
RUN \
  curl -L -o sbt-$SBT_VERSION.deb https://dl.bintray.com/sbt/debian/sbt-$SBT_VERSION.deb && \
  dpkg -i sbt-$SBT_VERSION.deb && \
  rm sbt-$SBT_VERSION.deb && \
  apt-get update && \
  apt-get install sbt

WORKDIR /src

RUN sbt clean update compile

ENTRYPOINT ["sbt"]

The error:

Step 1/9 : FROM openjdk:11
 ---> d600c7527b2b
Step 2/9 : ENV SBT_VERSION 1.2.7
 ---> Using cache
 ---> ded7e49ef27c
Step 3/9 : RUN apt-get update
 ---> Using cache
 ---> b244580db975
Step 4/9 : RUN apt-get install -y curl
 ---> Using cache
 ---> 962d71cff386
Step 5/9 : RUN update-ca-certificates -f
 ---> Using cache
 ---> ec1d928cb5a2
Step 6/9 : RUN   curl -L -o sbt-$SBT_VERSION.deb https://dl.bintray.com/sbt/debian/sbt-$SBT_VERSION.deb &&   dpkg -i sbt-$SBT_VERSION.deb &&   rm sbt-$SBT_VERSION.deb &&   apt-get update &&   apt-get install sbt
 ---> Using cache
 ---> 20bfdb614b7f
Step 7/9 : WORKDIR /src
 ---> Using cache
 ---> 14e5b4657933
Step 8/9 : RUN sbt clean update compile
 ---> Running in 4bb0ef241de8
Copying runtime jar.
Getting org.scala-sbt sbt 1.2.7  (this may take some time)...

:: problems summary ::
:::: WARNINGS
                module not found: org.scala-sbt#sbt;1.2.7

        ==== local: tried

          /root/.ivy2/local/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          /root/.ivy2/local/org.scala-sbt/sbt/1.2.7/jars/sbt.jar

        ==== local-preloaded-ivy: tried

          file:////root/.sbt/preloaded/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

        ==== local-preloaded: tried

          file:////root/.sbt/preloaded/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          file:////root/.sbt/preloaded/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== Maven Central: tried

          https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== sbt-maven-releases: tried

          https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== sbt-maven-snapshots: tried

          https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

          -- artifact org.scala-sbt#sbt;1.2.7!sbt.jar:

          https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        ==== typesafe-ivy-releases: tried

          https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

        ==== sbt-ivy-snapshots: tried

          https://repo.scala-sbt.org/scalasbt/ivy-snapshots/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

                ::::::::::::::::::::::::::::::::::::::::::::::

                ::          UNRESOLVED DEPENDENCIES         ::

                ::::::::::::::::::::::::::::::::::::::::::::::

                :: org.scala-sbt#sbt;1.2.7: not found

                ::::::::::::::::::::::::::::::::::::::::::::::


:::: ERRORS
        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-releases/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.pom

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/maven-snapshots/org/scala-sbt/sbt/1.2.7/sbt-1.2.7.jar

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.typesafe.com/typesafe/ivy-releases/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml

        Server access Error: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty url=https://repo.scala-sbt.org/scalasbt/ivy-snapshots/org.scala-sbt/sbt/1.2.7/ivys/ivy.xml


:: USE VERBOSE OR DEBUG MESSAGE LEVEL FOR MORE DETAILS
unresolved dependency: org.scala-sbt#sbt;1.2.7: not found
Error during sbt execution: Error retrieving required libraries
  (see /root/.sbt/boot/update.log for complete log)
Error: Could not retrieve sbt 1.2.7
The command '/bin/sh -c sbt clean update compile' returned a non-zero code: 1

But using old hash from 21 days ago worked for me:

FROM openjdk@sha256:3f5ab4e7e07884bc17a635b0730b9a62e3066015241a00516b83592255c788bc

ENV SBT_VERSION 1.2.7

RUN apt-get update
RUN apt-get install -y curl
RUN update-ca-certificates -f

# Install sbt
RUN \
  curl -L -o sbt-$SBT_VERSION.deb https://dl.bintray.com/sbt/debian/sbt-$SBT_VERSION.deb && \
  dpkg -i sbt-$SBT_VERSION.deb && \
  rm sbt-$SBT_VERSION.deb && \
  apt-get update && \
  apt-get install sbt

WORKDIR /src

RUN sbt clean update compile

ENTRYPOINT ["sbt"]

almothafar commented Dec 26, 2018

And yes, I tried update-ca-certificates many times, deleted all images on my system and started over and over; nothing worked. I even went back to sbt 1.2.6, which was working before I pulled the latest version, and got the same issue.

almothafar commented Dec 26, 2018

I think this commit is to blame: c3023e4#diff-c338262eaf0fd203322a06702be174e0

Funny the commit saying "stable":

Update 11 images to use stretch-backports; yay stable

almothafar referenced this issue Dec 26, 2018

Update 11 images to use stretch-backports; yay stable
Also drop old ca-certificates-java fix

solatis commented Dec 26, 2018

Can confirm, running into the same issue.

MarcosEich commented Dec 26, 2018

We are also having this problem.

moleksyuk commented Dec 26, 2018

Same problem for us.

jneis commented Dec 26, 2018

Same here.

wglambert added the Issue label Dec 26, 2018

petercable commented Dec 26, 2018

Another workaround is to move back to the sid-tagged image (openjdk:11-slim-sid, for example, confirmed working for me)

xenoterracide commented Dec 26, 2018

This breaks downstream usage of gradle, dependency fetching doesn't work.

Member

tianon commented Dec 26, 2018

> Funny the commit saying "stable":

The "stable" word in that commit message is referring to Debian Stretch (which is currently "Debian Stable"). The older images were based on "Debian Unstable", which is definitely not a great base for images.

> ... pushed without proper testing ...

We do have some tests, but none of them cover usage of CA certificates so this one slipped. Sorry for the trouble.

If we can come up with a very simple way to reproduce the issue with minimal code, I'd love to add a new integration test to help us prevent this in the future.

Member

tianon commented Dec 26, 2018

I've managed to reproduce with something as simple as new URL("https://google.com").openStream();. 👍
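
The same condition can be checked without network access by asking the JVM how many trust anchors its default trust store yields. This is an added example, not code from the thread or from the docker-library test suite; the class name TrustAnchorCheck is hypothetical and the cacerts path assumes the JDK 9+ directory layout.

```java
import java.io.File;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; the class name is hypothetical.
// Run with: java TrustAnchorCheck.java   (single-file launch, JDK 11+)
public class TrustAnchorCheck {

    // Number of CA certificates the JVM's default trust managers accept.
    static int countDefaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore makes the factory load the JVM default trust store:
        // -Djavax.net.ssl.trustStore if set, otherwise jssecacerts or cacerts
        // under $JAVA_HOME/lib/security.
        tmf.init((KeyStore) null);
        int anchors = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        // Show which store is in play, to make an empty or missing file obvious.
        String override = System.getProperty("javax.net.ssl.trustStore");
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        System.out.println("javax.net.ssl.trustStore = " + override);
        System.out.println(cacerts + " exists=" + cacerts.exists()
            + " bytes=" + cacerts.length());

        int anchors = countDefaultTrustAnchors();
        System.out.println("default trust anchors: " + anchors);
        if (anchors == 0) {
            // With zero anchors, every TLS handshake that validates a server
            // certificate fails with "the trustAnchors parameter must be non-empty".
            System.err.println("FAIL: default trust store is empty");
            System.exit(1);
        }
    }
}
```

The non-zero exit status on an empty store makes this usable as a build-time smoke test for an image.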

Member

tianon commented Dec 26, 2018

Confirmed, we're running into https://bugs.debian.org/914424, will apply the workaround in a new PR shortly.

Member

yosifkit commented Dec 26, 2018

Looks to also be basically identical to https://bugs.debian.org/894979

Member

tianon commented Dec 27, 2018

Alright, new test is merged in docker-library/official-images#5232, workaround is open at #263.

qlaall commented Dec 27, 2018

Same problem for us.

carlossg commented Dec 27, 2018

@tianon @yosifkit Is it possible to get the sha of the previous image that had a specific tag in the hub? Would like to know what was the sha of the last good maven:3.6.0-jdk-11 image.

almothafar commented Dec 27, 2018

@carlossg it is docker pull maven@sha256:eaf3e683397276d4a1b198ed0c14d8e4ee4732ce8117dc120f55491ebc570f4f

You can see the history of changes from
https://github.com/docker-library/repo-info/tree/master/repos

Then see what you want, if maven then:
https://github.com/docker-library/repo-info/tree/master/repos/maven

Then "remote"
https://github.com/docker-library/repo-info/tree/master/repos/maven/remote

Then see what the exact tag you want + ".md":
https://github.com/docker-library/repo-info/blob/master/repos/maven/remote/3.6.0-jdk-11.md

Then check the history of changes:
docker-library/repo-info@71d8089#diff-cf0598a44c7a5812abe472e73c1f96b5

I hope that helps.

almothafar commented Dec 27, 2018

@tianon well, I thought stable was a general word for the whole, and there is no need to be sorry, issues happen. By saying no proper testing I mean you need to improve your current one to avoid issues like that, and I think you found one. Also, I provided the full image that I use; I thought it might be helpful for testing later.

Thanks for your efforts.

gmanolache commented Dec 27, 2018

Yeah so this broke our production because of the certificate issues.
Uploading to Amazon S3 via the aws-sdk was failing due to HTTPS.

Also, gradle build tools got broken because they use this as a base image.
Applying plugins would fail because they get downloaded from github HTTPS.

hugohenley commented Dec 27, 2018

It broke everything here because of the ca-certificate issue. You guys pushed the "fix" with the same tag.

xenoterracide commented Dec 27, 2018

When can we expect a fix to hit dockerhub?

Member

tianon commented Dec 27, 2018

Should be building as soon as docker-library/official-images#5237 merges.

livenson commented Dec 27, 2018

I'm getting the same error with openjdk:8 image as well.

Member

tianon commented Dec 27, 2018

I'm not able to reproduce a failure with openjdk:8 -- have you pulled the most recent build?

livenson commented Dec 27, 2018

@tianon, yes, latest from docker.io/library/openjdk. I do have a complicated app, so the error is potentially a false positive, will investigate more.

livenson commented Dec 27, 2018

Confirming, error on my side, openjdk:8 is fine, sorry for that.

yodur2potassium commented Dec 28, 2018

@tianon , thanks for the quick fix!

sjhameenakshi commented Dec 28, 2018

Facing the below issue while using openjdk:11.0.1-jdk-slim:
Non-resolvable parent POM for org.springframework:base-java-app:0.1.0:
Could not transfer artifact org.springframework.boot:spring-boot-starter-parent:pom:2.1.1.RELEASE
from/to spring-milestones (https://repo.spring.io/milestone):
Unexpected error: java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty and 'parent.relativePath' points at wrong local POM

Can you advise on this?

Member

yosifkit commented Dec 28, 2018

@sjhameenakshi, did you ensure to docker pull openjdk:11.0.1-jdk-slim again so that you get the new build with the fix?

$ docker pull openjdk:11.0.1-jdk-slim
11.0.1-jdk-slim: Pulling from library/openjdk
a5a6f2f73cd8: Pull complete 
38f6dd39b858: Pull complete 
6d96dc2d8d59: Pull complete 
a906637ab910: Pull complete 
121e1b9b6643: Pull complete 
27ab1399b606: Pull complete 
Digest: sha256:6e3440993d8c3c9fd7a81bf87ee67bf79b2d8c5b719858a45e7f96b0105567e2
Status: Downloaded newer image for openjdk:11.0.1-jdk-slim