[SSL] the trustAnchors parameter must be non-empty #1165

Closed
smoell opened this issue Apr 14, 2019 · 4 comments

@smoell

smoell commented Apr 14, 2019

I have a dockerized application that uses the AWS SDK for Java and needs SSL support. Unfortunately, I get the following error:

```
Caused by: io.netty.handler.codec.DecoderException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
```

Dockerfile

```dockerfile
FROM oracle/graalvm-ce:1.0.0-rc14 AS build-aot

FROM debian:9-slim
LABEL maintainer="Sascha Möllering <[email protected]>"

ENV javax.net.ssl.trustStore /cacerts

RUN apt-get update && apt-get install -y curl
COPY target/reactive-vertx /usr/bin/reactive-vertx
COPY --from=build-aot /opt/graalvm-ce-1.0.0-rc14/jre/lib/amd64/libsunec.so /libsunec.so
COPY --from=build-aot /opt/graalvm-ce-1.0.0-rc14/jre/lib/security/cacerts /cacerts

#HEALTHCHECK --interval=5s --timeout=3s --retries=3 \
#  CMD curl -f http://localhost:8080/health/check || exit 1

EXPOSE 8080

CMD [ "/usr/bin/reactive-vertx" ]
```

Java code

```java
    static {
        // Cache successful DNS lookups for 60 seconds.
        java.security.Security.setProperty("networkaddress.cache.ttl", "60");
        // The Dockerfile's ENV line sets an environment variable, not a JVM system property.
        String trustStoreLocation = System.getenv("javax.net.ssl.trustStore");

        if (null != trustStoreLocation) {
            LOGGER.info("Setting javax.net.ssl.trustStore to " + trustStoreLocation);
            // Copy the value into the system property that JSSE reads.
            System.setProperty("javax.net.ssl.trustStore", trustStoreLocation);
        }
    }

    public static void main(String... args) {
        Vertx vertx = Vertx.vertx();
        vertx.deployVerticle(new BootStrapVerticle());
    }
```

@pmlopes

pmlopes commented Apr 15, 2019

For anyone stuck with SSL and certificate verification, it seems that the solution is to let the final binary know where both the trust and anchor cacert file lives. Add the following system properties to your application:

```
-Djavax.net.ssl.trustStore=graalvm/jre/lib/security/cacerts
-Djavax.net.ssl.trustAnchors=graalvm/jre/lib/security/cacerts
```

Assuming your graal installation is on the current path graalvm.
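
As an added example (not code from this issue or from the project): JSSE falls back to an empty key store when the file named by `javax.net.ssl.trustStore` does not exist, and that empty store is what later surfaces as `the trustAnchors parameter must be non-empty`. The hypothetical `TrustStoreCheck` class below fails fast at startup instead; it assumes the JDK's stock `changeit` password when `javax.net.ssl.trustStorePassword` is not set.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

/** Hypothetical startup check (not from the issue): fail fast if the trust store is unusable. */
public final class TrustStoreCheck {

    /** Returns the number of trusted certificate entries (the PKIX trust anchors) in the store. */
    static int countTrustAnchors(Path store, String type, char[] password) throws Exception {
        if (!Files.isReadable(store)) {
            // Print the absolute path: a relative value resolves against the working directory.
            throw new IllegalStateException("Trust store not readable: " + store.toAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Only trusted certificate entries count; private key entries are not anchors.
            if (ks.isCertificateEntry(alias)) {
                anchors++;
            }
        }
        return anchors;
    }

    public static void main(String... args) throws Exception {
        String location = System.getProperty("javax.net.ssl.trustStore");
        if (location == null) {
            throw new IllegalStateException("javax.net.ssl.trustStore is not set");
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        // Assumption: the stock cacerts password applies unless one is configured.
        char[] password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();

        int anchors = countTrustAnchors(Paths.get(location), type, password);
        if (anchors == 0) {
            throw new IllegalStateException("No trusted certificates in " + location);
        }
        System.out.println(location + ": " + anchors + " trust anchors");
    }
}
```

Run it with the same `-Djavax.net.ssl.trustStore` value and working directory the application gets, so a path that only resolves on the build machine shows up before the first TLS handshake.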

@smoell

smoell commented Apr 15, 2019

That worked for me, thx!

@MichaelKueller

MichaelKueller commented May 3, 2021

Mister @smoell
I'm having the same issue, but with a different application. Funny to run into you while debugging. :)

@Lucifer-02

I just uncheck "verify server certificate"
