We do this in a headless client in a war deployment.
We used to run with APR (crt files) instead of the jks (java implementation). This does not matter, however on some servers it works, on others it doesn't.
To update the SSL certificate we replaced the jks file in Tomcat conf or in case of APR, the main .crt file.
In servoy-admin we see these errors:
- Code: Select all
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at com.servoy.extensions.plugins.http.HttpClient$1.connectSocket(HttpClient.java:105)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at com.servoy.extensions.plugins.http.BaseRequest.executeRequest(BaseRequest.java:212)
at com.servoy.extensions.plugins.http.BaseRequest.js_executeRequest(BaseRequest.java:138)
at com.servoy.extensions.plugins.http.BaseRequest.js_executeRequest(BaseRequest.java:124)
at sun.reflect.GeneratedMethodAccessor953.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:158)
at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:312)
at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1774)
at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:837)
at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:158)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:406)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3204)
at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:156)
at com.servoy.j2db.scripting.ScriptEngine.executeFunction(ScriptEngine.java:665)
at com.servoy.j2db.plugins.ClientPluginAccessProvider$MethodExecutor.run(ClientPluginAccessProvider.java:564)
at com.servoy.j2db.server.headlessclient.SessionClient.invokeAndWait(SessionClient.java:931)
at com.servoy.j2db.plugins.ClientPluginAccessProvider$1.run(ClientPluginAccessProvider.java:478)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(Unknown Source)
at sun.security.validator.Validator.getInstance(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.getValidator(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at org.apache.http.conn.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:190)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
... 32 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(Unknown Source)
at java.security.cert.PKIXParameters.<init>(Unknown Source)
at java.security.cert.PKIXBuilderParameters.<init>(Unknown Source)
... 46 more
Now this looks like a problem with Java or its cacerts but really all that changed is our certificate. War deployment and solution is the same. Java versions is 8u161 on all systems. I tried removing and updating it to 8u171 but no luck.
A webservice call from the client on the server itself (using RDP) works fine, just not in headless clients.
Does anyone have a clue what can cause this issue?