Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty #1

Closed
mpkmtv opened this issue Apr 19, 2019 · 33 comments

Comments

@mpkmtv
Copy link

mpkmtv commented Apr 19, 2019

Thank you. Everything worked fine until "Two way TLS based on trusting the Certificate Authority" That did not work and resulted in the error shown below. I tried various JDKs and other suggestions from the internet. Nothing worked.

@demo
Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4
Given Server is alive # HelloStepDefs.serverIsAlive()
When I say hello # HelloStepDefs.iSayHello()
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)

@Hakky54
Copy link
Owner

Hakky54 commented Apr 20, 2019

Hi mpkmtv,

thank you, good to know that up till the last section everything worked out well for you.

Regarding your issue, the stack trace is complaining that one or both of the trustAnchors parameters are empty. Basically what is means is:

  • The truststore is empty
  • The password of the truststore is empty
  • The truststore is not found, or
  • The truststore couldn't be opened (due to access permissions for example).

Could you post your application.yml file of the client here?

@mpkmtv
Copy link
Author

mpkmtv commented Apr 21, 2019 via email

@Hakky54 Hakky54 closed this as completed Apr 21, 2019
@mpkmtv
Copy link
Author

mpkmtv commented Apr 29, 2019 via email

@Hakky54
Copy link
Owner

Hakky54 commented Apr 30, 2019

I copied your properties to the corresponding application.yml file of the server and client ond my machine and I am not getting an exception. Could you provide your stack-trace?

@mpkmtv
Copy link
Author

mpkmtv commented Apr 30, 2019 via email

@Hakky54
Copy link
Owner

Hakky54 commented Apr 30, 2019

It looks like an issue with the truststore within the client project. This specific exception could mean:
The truststore is:

  • empty,
  • not found, or
  • couldn't be opened

The valid location for the truststore.jks and identity.jks are:

  • mutuals-tls/client/src/test/resources/identity.jks
  • mutuals-tls/client/src/test/resources/truststore.jks

Could you check the above options? If it is still not resolved, let's do a remote session so I can assist you instantly through a video call.

@Hakky54 Hakky54 reopened this Apr 30, 2019
@mpkmtv
Copy link
Author

mpkmtv commented Apr 30, 2019 via email

@mpkmtv
Copy link
Author

mpkmtv commented Apr 30, 2019 via email

@Hakky54
Copy link
Owner

Hakky54 commented Apr 30, 2019

This exception will be thrown if the certificate is untrusted by one of the sides. So it means that the certificate of the server is not in the truststore of the client or the other way around, so it could be that the certificate of the client is not in the truststore of the server. Could you reimport the certificate of the client into the truststore of the server and also reimport the certificate of the server into the truststore of the client and recompile and start the test again?

@mpkmtv
Copy link
Author

mpkmtv commented Apr 30, 2019 via email

@mpkmtv
Copy link
Author

mpkmtv commented Apr 30, 2019 via email

@Hakky54
Copy link
Owner

Hakky54 commented Apr 30, 2019

Having the same root-ca certificate in both of the trust stores are fine.

The import message from your last comment doesn't look ok. It should have given you the following message: Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Could you please try again exactly all the steps from chapter Creating a Certificate Authority including the openssl commands.
Somehow exporting your identity certificate and signing it with the root-ca has not happend.

@mpkmtv
Copy link
Author

mpkmtv commented Apr 30, 2019 via email

@Hakky54
Copy link
Owner

Hakky54 commented May 1, 2019

Sure, add me at Discord and let's continue over there. My username is Hakky54#8471

@mpkmtv
Copy link
Author

mpkmtv commented May 1, 2019 via email

@Hakky54
Copy link
Owner

Hakky54 commented May 5, 2019

David and I did a remote video session and retried the steps described in the Readme and it worked with the first try. Looking at the exception what David had previously it could mean that the certificate was not trusted because it wasn't signed properly or wasn't trusted.

@sameer-dighe
Copy link

sameer-dighe commented Nov 26, 2021

Hey @Hakky54 , did you solve above issue with @mpkmtv ? I am also getting same issue and struggling with same.

@Hakky54
Copy link
Owner

Hakky54 commented Nov 26, 2021

Yes we resolved the issue. We could not find the root cause but we started from scratch with the tutorial and followed everything step by step. So my assumption was that he missed a step in the tutorial back then. Can you try to run the script test-all-scenarios.sh file and share your results here?

@sameer-dighe
Copy link

I checked your repo but you mentioned that Java 11 is must and I am on jdk 8 and I can't upgrade it.

@sameer-dighe
Copy link

Yes we resolved the issue. We could not find the root cause but we started from scratch with the tutorial and followed everything step by step. So my assumption was that he missed a step in the tutorial back then. Can you try to run the script test-all-scenarios.sh file and share your results here?

do you have some time for video call?

@Hakky54
Copy link
Owner

Hakky54 commented Nov 26, 2021

I am not available today and tomorrow, but from Sunday onwards I am available everyday for a call. Let's continue the chat on Gitter and discuss the next steps https://gitter.im/hakky54/mutual-tls-ssl

@sameer-dighe
Copy link

so finally I & @Hakky54 resolved the issue and it was something to do with classpath and truststore wasn't getting initialised properly. it got resolved after using the absolute path for store. more to it there were some other small problems but those got resolved in less time that the first one.

@chetnajoshi889
Copy link

Hi @sameer-dighe , I'm also getting same error like Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Could you please help me to resolve this error?

@Hakky54
Copy link
Owner

Hakky54 commented Jul 14, 2022

  • The truststore is empty
  • The password of the truststore is empty
  • The truststore is not found, or
  • The truststore couldn't be opened (due to access permissions for example).

Hi @chetnajoshi889 your issue might be related to one of the options quoted above. Or your truststore does not contain the trusted certificates

@rajatzeal
Copy link

Hi @Hakky54 ,
I am also facing the same issue, tried all sorts of corrections but no luck.
Please assist me in solving this, have an urgent delivery to make and I am stuck on this point since past two days.

@Hakky54
Copy link
Owner

Hakky54 commented Nov 15, 2022

Hi @rajatzeal
Can you maybe share some code snippets, than I will be able to understand how you setup your client with ssl.

@rajatzeal
Copy link

3F718C57-91AC-463A-958D-076FB2256262

this is the basic setup for initialising Google chrome and it’s settings

@rajatzeal
Copy link

I can share my screen if you are available for a call, I’m really stuck with the issue and would appreciate your help

@Hakky54 Hakky54 pinned this issue Nov 15, 2022
@Hakky54
Copy link
Owner

Hakky54 commented Nov 15, 2022

I can understand your setup is not working. The ssl configuration of Selenium with the ChromeDriver is just not working with only the ChromeOptions. I would suggest to have a look at this stackoverflow answer here: https://stackoverflow.com/a/56170148/6777695

In the example above all https requests are getting intercepted and being executed alongside with ayour custom sslcontext.

The author has made his code snippet available here at GitHub: https://github.com/patricsteiner/seleniumSslProxy
I am fully booked today and tomorrow unfortunatelly , so I don't have time... But looking at the code snippet on that GitHub page I think you will get it working. Please give it a try and I still can try to assist you if you share your progress over here.

@rajatzeal
Copy link

Ok , will try to check with these solutions.
Meanwhile please try if you could take out time today, just a quick call would do

@Hakky54
Copy link
Owner

Hakky54 commented Nov 15, 2022

I will be available at 13:00 CEST till 14:00 CEST, so we can have a look at it. Let's use Teamviewer. You can share your teamviewer id and password on the private Gitter chat with me directly

@Hakky54
Copy link
Owner

Hakky54 commented Nov 15, 2022

We did a short call with @rajatzeal and it seems like his HttpClient was not trusting the certificate of the server. It is the same point which I mentioned here: #1 (comment)

He needs to export the server certificate, create a SSLContext and configure his HttpClient so the client will trust the server.

@Hakky54
Copy link
Owner

Hakky54 commented Sep 13, 2023

I noticed that a-lot of developers are facing this exception or similar ones. If anyone has still trouble resolving these kind of issues feel free to ping me, I am able to provide support. My mail address is [email protected]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants