27

I've just installed 17.10 in a fresh VM. Trying to set up a development environment, when I run gradle or ./gradlew I get the following error:

* What went wrong:
Error resolving plugin [id: 'com.github.johnrengelman.shadow', version: '2.0.0']
> Could not GET 'https://plugins.gradle.org/api/gradle/4.0/plugin/use/com.github.johnrengelman.shadow/2.0.0'.
   > java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

This is irrespective of gradle version, java version (both openjdk and oracle 8 and 9 have the fault) and shadowjar version. This leads me to the conclusion that it is Ubuntu related rather than gradle/openjdk/oracle related.

I've tried updating the CA certificates, both sudo update-ca-certificates -f and sudo apt install ca-certificates-java --reinstall, neither of which solves the problem. I even reverted to the tried and tested turn it off and on again technique with no affect.

What's the problem and how do I fix it?

junglie85
  • 469
  • 1
  • 4
  • 10
  • Having this same issue, and the uninstall/reinstall with `openjdk-8-jdk` did not work for me. Any idea how you got this working? I did run an `autoremove` before installing `openjdk-8-jdk` and then `openjdk-9-jdk`, but that's the only thing that could have been different from what you said. – Andy Nov 20 '17 at 03:48
  • same. I have tried all permutations of 8: jre, jdk and oracle versions. – 0atman Dec 04 '17 at 13:13

5 Answers5

26

I reinstalled everything using apt-get and that didn't solve the problem.

The solution that I found to work: Go to Oracle and download the tar.gz version of jdk-8. Then copy the cacerts file from that into /etc/ssl/certs/java/cacerts

Tyler Ruppert
  • 556
  • 5
  • 6
  • 2
    Weird issue this. Thanks for sharing your working solution. I ended up copying the cacerts file from my Ubuntu 16.04 with OpenJDK 8 installation to get this to work. Oddly, the `cacerts` installed with OpenJDK 9 on Ubuntu 17.10 doesn't seem to be empty (it's larger than the older one), it just doesn't work. – JeroenHoek Jan 24 '18 at 14:45
  • 3
    Instead of copy pasting old certs, you can also purge java-commons as well as the jdk, then reinstall a jdk. That way, the certs will be properly regenerated. – k0pernikus Feb 16 '18 at 10:41
  • 1
    That's the only solution that worked for me on Ubuntu 18.04 / OpenJDK 11 – zergussino May 01 '18 at 14:12
  • 1
    Reinstalling didn't work for me either on Ubuntu 18.04 / OpenJDK 11, so I downloaded the `jdk-10.0.1_linux-x64_bin.tar.gz`. You find the `cacerts` in `jdk-10.0.1/lib/security/cacerts` – iGEL May 15 '18 at 12:27
  • This works even if copying from a Windows JDK install, cleaning and reinstalling didnt work (with openjdk 8, 9 or 10), i am on WSL – FrankMonza Aug 31 '18 at 09:07
  • In my case I was using a build of OpenJDK pointed to in my PATH. So I had to copy the Oracle cacerts like this: `cp jdk1.8.0_172/jre/lib/security/cacerts jdk8u/build/linux-x86_64-normal-server-release/jdk/lib/security/cacerts` – Dave Griffiths Oct 26 '18 at 09:06
  • This worked for me; thank you. – DribblzAroundU82 Jun 25 '21 at 00:15
  • In my case I had downloaded a tar file from some strange place, trying to avoid the Oracle site. Using the Oracle site's version worked. – Sridhar Sarnobat Aug 23 '21 at 22:54
13

I ran into this issue as well when trying to set up scala build tool (sbt) on my fresh 17.10 installation.

My solution was to purge:

sudo apt purge openjdk-9-jdk openjdk-8-jdk java-common

(Just purging and reinstalling the jdk was not enough, I still had a java command after that. Only by purging java-common that also went away and then reinstallation worked. I assume it relates to the ca-certificates-java* package, that gets purged by java-common.)

Afterwards, I reinstalled java again (I opted only for openjdk-9):

sudo apt install openjdk-9-jdk

This triggered: Running hooks in /etc/ca-certificates/update.d... and added a lot of cert files. Now my sbt built was succesful:

$ sbt
Getting org.scala-sbt sbt 1.1.0  (this may take some time)...
downloading https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.1.0/sbt-1.1.0.jar ...
    [SUCCESSFUL ] org.scala-sbt#sbt;1.1.0!sbt.jar (657ms)
downloading https://repo1.maven.org/maven2/org/scala-sbt/main_2.12/1.1.0/main_2.12-1.1.0.jar
...
k0pernikus
  • 5,995
  • 11
  • 48
  • 78
  • Thanks for this - solved the problem for me. I had a cacerts file which was empty according to the keytool, and purging and re-installing as you suggested (jdk8 in my case) fixed it. – Brian Smith Apr 04 '18 at 18:14
  • This worked for me with Linux Mint 19 (which had openjdk-11 installed) and I wanted to use openjdk-8 – James Nov 21 '18 at 21:02
5

I have reinstalled everything from scratch again and this problem has disappeared. All I did differently was install openjdk-8-jdk prior to installing openjdk-9-jdk.

It works. Are there any weird dependency issues?

junglie85
  • 469
  • 1
  • 4
  • 10
  • It also worked for me, but I had to restart the system. Basically I performed an instlal of `openjdk-9-jdk`, then 8. I uninstalled both and redid it 8 - then - 9. I also always kept running `sudo update-ca-certificates -f`. It wasn't morning and today I started downloading Oracle JDK. Before it finished I discovered openjdk works and gradle pulls successfully. – foxx1337 Dec 03 '17 at 11:55
  • 2
    I also had to purge `java-common` . I assume the issue was a wrongly installed `ca-certificates-java`; that one gets removed as well with java commons and on reinsallation it creates a bunch of pem files. Installing openjdk-8 is not necessary. – k0pernikus Feb 16 '18 at 10:35
2

I copied a /etc/ssl/certs/java/cacerts file from a backup of an older installation. If you have something like that it's probably the easiest option. Just make sure to backup the original cacerts file in case you run into trouble with other applications.

smakks
  • 71
  • 3
2

Oracle changed the format of the cacerts file (from JKS to PKCS12).

The default included JDK in Ubuntu already uses the PKCS12 algorithm; but, you are probably using an older JDK that is not able to read it.

I converted my keystore file to JKS using the keytool. That's why the workaround to copy an older one works for other people, and why your accepted answer works as well.

Kevin Bowen
  • 19,395
  • 55
  • 76
  • 81
Nicolas Mommaerts
  • 183
  • 1
  • 1
  • 6