1

Is there a known difference or incompatibility of some sort between the cacerts file (or cacerts file format) when used under Oracle JDK/JRE 8 vs. Open JDK/JRE 8?

I mean... it seems we have a cacerts file which works OK with:

(1) Oracle JRE 8 (CentOS release 6.8)
but does not work OK with
(2) Open JRE 8 (CentOS release 6.10).

The Java version on system (1) is

```
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
```

while on system (2) it is

```
openjdk version "1.8.0_232"
OpenJDK Runtime Environment (build 1.8.0_232-b09)
OpenJDK 64-Bit Server VM (build 25.232-b09, mixed mode)
```

The error we get is this one:

```
java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty
```

Is it possible that this is due to the JRE being different, or am I completely off base and the issue is elsewhere?

I am not finding any good explanation on the web.

halfer
peter.petrov

1 Answer

2

cacerts sees updates in minor version updates of Java. There is no difference between Oracle JRE 8 and Open JRE 8. As a sidenote, JRE as a concept is obsolete, please transition away from them (if you(r company) wrote the software and are running it yourself, run it on a full JDK. If someone else did, advise them they are using an obsolete stack; they should be giving you the runtime instead of asking you to download and install one and keep it up to date).

A bunch of other stuff has been changed, such as the default format (instead of JKS, it's PKCS12), but that only affects what happens when you make new keystores without explicitly specifying which format it should be in (Java could, and can, read either format, for all versions of Java 8) - so that doesn't sound relevant.

It boils down to: No, there is no difference. Whatever problem you have is most likely either related to your platform (for example, Ubuntu has a bug where it borks up your cacerts. Long fixed, but maybe you're on that exact version, or you were when you ran apt and ended up with a broken cacerts). That or a million other reasons - no way to tell without more information.

rzwitserloot
  • Thanks a lot. Yeah, I don't have too much information either as of now. I will research some more myself too, and will post more info here. But you're saying there's no incompatibility generally... which is good. – peter.petrov Feb 24 '21 at 17:35
  • It's CentOS `CentOS release 6.10 (Final)`. Could that be having the same issue as Ubuntu? Could you point me (a few links) to that known Ubuntu problem? – peter.petrov Feb 24 '21 at 17:36
  • Instructions on how to force Ubuntu to re-apply: https://askubuntu.com/questions/1004745/java-cant-find-cacerts which probably isn't relevant to CentOS. Bug report: https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760 – rzwitserloot Feb 24 '21 at 17:44
  • OK, thank you, I will take a further look. The good news is that (as you say) there shouldn't be any incompatibilities in general. – peter.petrov Feb 25 '21 at 08:41
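
The `trustAnchors parameter must be non-empty` error in the question is raised when the set of trusted certificates the JVM loaded is empty, which fits the "broken cacerts" case raised in the answer. The following diagnostic is an added example, not code from the question or the answer; the class name `TrustStoreCheck` is hypothetical. It follows JSSE's documented trust store lookup order and reports which file the JVM on each machine actually reads and how many trusted certificate entries it holds.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added diagnostic (not from the original post): inspects the trust store
// the running JVM would load by default and counts its trusted certificates.
public class TrustStoreCheck {

    // JSSE's documented search order: javax.net.ssl.trustStore, then
    // lib/security/jssecacerts, then lib/security/cacerts under java.home.
    static File locate() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null && !explicit.isEmpty()) {
            return new File(explicit);
        }
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.isFile() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        File store = locate();
        System.out.println("java.home    : " + System.getProperty("java.home"));
        // The canonical path resolves symlinks, so a distro-managed target shows up here.
        System.out.println("trust store  : " + store.getCanonicalPath());
        if (!store.isFile() || store.length() == 0) {
            System.out.println("RESULT       : missing or zero-length file");
            System.exit(1);
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(store)) {
            // A null password loads the store without the integrity check.
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) trusted++;
        }
        System.out.println("store type   : " + type);
        System.out.println("trusted certs: " + trusted);
        System.out.println("RESULT       : " + (trusted == 0 ? "no trusted certificate entries" : "OK"));
        if (trusted == 0) System.exit(1);
    }
}
```

Run it with the same `java` binary and the same `-Djavax.net.ssl.*` options as the failing application on both systems and compare the reported path and count.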