Maven Error: (repeated) java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Question

Have to ask again. Someone thought it was a duplicate question and already answered and removed it from the list.

I'm using maven (mvn) batch command with windows (not m2e with eclipse) to run clean install or resolve dependencies. Sometimes, when pom.xml was changed, it is necessary to download artifacts from our nexus server. This used to work for long time for me.

But now the connection to the nexus server (https, the server uses a company owned certificate) fails with "java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty" I know, I changed the Java release. But I'm pretty sure I maintained the cacerts keystore the same way I did with the previous releases. (at leased I compared the fingerprints in both of the cacerts; they are the same).

When running the command "mvn -s -Djavax.net.debug=all -Djava.net.ssl.trustStore="C:/Programme/Java/jre1.8.0_102/lib/security/cacerts" -Djavax.net.ssl.trustStorePassword=changeit dependency:resolve", the ssl-trace says:

keyStore is :    
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: No File Available, using empty keystore.
trustStore type is : jks
trustStore provider is : 
init truststore

Even if specifying the path and the password of the keystore in the command, the answer in the ssl trace is that it could not be found.

I've no idea what I might have changed to get to this trouble. I changed the Windows PATH-Statement, but this should not matter fro the previously described command. Any hint is appreciated

Answer 1

I had the same issue and it took me a day to solve it. This a java related issue as you may see in the error stack. Check in:

/etc/ssl/certs/java for the cacerts file.
1) If you don't have this file here that is the reason why your getting this error
2) If you do have this file here it means that this is probably not a valid cacerts file.

If you want you can update it with:
sudo apt-get install --reinstall ca-certificates
And if it works now, then perfect (in my case it did not work)

So to solve this:

1. Download from open-jdk8 (in my case) directly from oracle
2. Extract the tar.gz files
3. Find the new valid cacerts file under jre/lib/security
4. Copy this file to /etc/ssl/certs/java (removing the old one if that is your case)

Finally run the comand that caused you this error and hopefully its gone! Hope this helped.

Cheers

Answer 2

I manage manually my jdk and was getting this error with openjdk-8. I replaced the cacerts with the one of the openjdk-11 and it worked just fine. If you try this, make sure to backup your cacerts first.

Answer 3

Today I found the reason:

Way back in history I once had set the WINDOWS environment variable MAVEN_OPTS by "setx MAVEN_OPTS "-Djavax.net.ssl.trustStore....".

The path specified here does no longer exist.

It seems this setting supersedes even the request showed in my question. I consider this behaviour to be at least unexpected but anyway. When I fixed the environment variable (pointing to the new path; but I'm going to delete it anyway) the mvn-requests worked fine.