javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty #1
Comments
Hi mpkmtv, thank you, good to know that up till the last section everything worked out well for you. Regarding your issue, the stack trace is complaining that one or both of the trustAnchors parameters are empty. Basically what it means is:
Could you post your application.yml file of the client here? |
MY BAD!!!
THANK YOU !
David
|
I fixed the application.yml file for the client, but it still gives me the exception. I'm on Mac OSX. Not sure what I did wrong.
client application.yml :
spring:
  main:
    banner-mode: "off"
client:
  ssl:
    enabled: true
    key-store: identity.jks
    key-password: secret
    key-store-password: secret
    trust-store: truststore.jks
    trust-store-password: secret
server application.yml :
spring:
  banner:
    location: classpath:banner.txt
server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:identity.jks
    key-password: secret
    key-store-password: secret
    trust-store: classpath:truststore.jks
    trust-store-password: secret
    client-auth: need
  tomcat:
    accesslog:
      enabled: true
    basedir: /tmp/tomcat
|
I copied your properties to the corresponding application.yml file of the server and client on my machine and I am not getting an exception. Could you provide your stack-trace? |
Thank you so much for your help. I did it a few times from scratch following the GitHub instructions. The result is the same.
here is the exception:
....
org.springframework.boot.test.autoconfigure.restdocs.RestDocsTestExecutionListener@7ee8290b, org.springframework.boot.test.autoconfigure.web.client.MockRestServiceServerResetTestExecutionListener@1f59a598, org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrintOnlyOnFailureTestExecutionListener@1e178745, org.springframework.boot.test.autoconfigure.web.servlet.WebDriverTestExecutionListener@192c3f1e]
14:12:05.945 [main] DEBUG org.springframework.test.context.support.TestPropertySourceUtils - Adding inlined properties to environment: {spring.jmx.enabled=false, server.port=-1}
:: Spring Boot :: (v2.1.2.RELEASE)
2019-04-29 14:12:06.417 INFO 84979 --- [ main] n.a.client.stepdefs.HelloStepDefs : Starting HelloStepDefs on davids-MacBook-Pro-2.local with PID 84979 (started by wdavid in /Users/wdavid/GitHub/mtls/client)
2019-04-29 14:12:06.419 INFO 84979 --- [ main] n.a.client.stepdefs.HelloStepDefs : No active profile set, falling back to default profiles: default
2019-04-29 14:12:07.227 INFO 84979 --- [ main] n.a.client.stepdefs.HelloStepDefs : Started HelloStepDefs in 1.279 seconds (JVM running for 2.485)
Feature: Securing the connection between you and the world
@demo
Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4
Given Server is alive # HelloStepDefs.serverIsAlive()
When I say hello # HelloStepDefs.iSayHello()
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1921)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1904)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1420)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28)
at ✽.I say hello(src/test/resources/features/Hello.feature:6)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:91)
at sun.security.validator.Validator.getInstance(Validator.java:181)
at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at cucumber.runtime.Utils$1.call(Utils.java:26)
at cucumber.runtime.Timeout.timeout(Timeout.java:16)
at cucumber.runtime.Utils.invoke(Utils.java:20)
at cucumber.runtime.java.JavaStepDefinition.execute(JavaStepDefinition.java:48)
at cucumber.runner.PickleStepDefinitionMatch.runStep(PickleStepDefinitionMatch.java:50)
at cucumber.runner.TestStep.executeStep(TestStep.java:63)
at cucumber.runner.TestStep.run(TestStep.java:49)
at cucumber.runner.PickleStepTestStep.run(PickleStepTestStep.java:43)
at cucumber.runner.TestCase.run(TestCase.java:44)
at cucumber.runner.Runner.runPickle(Runner.java:40)
at cucumber.runtime.junit.PickleRunners$NoStepDescriptions.run(PickleRunners.java:146)
at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:68)
at cucumber.runtime.junit.FeatureRunner.runChild(FeatureRunner.java:23)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at cucumber.runtime.junit.FeatureRunner.run(FeatureRunner.java:73)
at cucumber.api.junit.Cucumber.runChild(Cucumber.java:124)
at cucumber.api.junit.Cucumber.runChild(Cucumber.java:65)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at cucumber.api.junit.Cucumber$1.evaluate(Cucumber.java:133)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:365)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:273)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:159)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
... 68 more
Then I expect to receive status code 200 # HelloStepDefs.iExpectToReceiveStatusCode(int)
And I expect to receive Hello message # HelloStepDefs.iExpectToReceiveMessage(String)
Failed scenarios:
src/test/resources/features/Hello.feature:4 # Saying hello to the Server
1 Scenarios (1 failed)
4 Steps (1 failed, 2 skipped, 1 passed)
0m2.389s
|
It looks like an issue with the truststore within the client project. This specific exception could mean:
The valid locations for the truststore.jks and identity.jks are:
Could you check the above options? If it is still not resolved, let's do a remote session so I can assist you instantly through a video call. |
Here they are:
~/GitHub/mtls$ ls -l client/src/test/resources/
total 64
drwxr-xr-x 11 wdavid staff 352B Apr 19 13:06 ./
drwxr-xr-x 4 wdavid staff 128B Apr 19 12:52 ../
-rw-r--r-- 1 wdavid staff 86B Apr 19 13:19 application.yml
-rw-r--r-- 1 wdavid staff 1.8K Apr 19 13:03 client-private.key
-rw-r--r-- 1 wdavid staff 1.1K Apr 19 13:01 client-signed.cer
-rw-r--r-- 1 wdavid staff 2.4K Apr 19 13:03 client-signed.p12
-rw-r--r-- 1 wdavid staff 1.0K Apr 19 12:57 client.csr
-rw-r--r-- 1 wdavid staff 2.5K Apr 19 13:03 client.p12
drwxr-xr-x 3 wdavid staff 96B Apr 19 12:52 features/
-rw-r--r-- 1 wdavid staff 2.4K Apr 19 13:03 identity.jks
-rw-r--r-- 1 wdavid staff 901B Apr 19 13:06 truststore.jks
~
|
I cleaned some changes I made and recompiled the code.
Now I'm more confused. I got a different exception.
Sorry for this ...
14:43:11.239 [main] DEBUG org.springframework.test.context.support.TestPropertySourceUtils - Adding inlined properties to environment: {spring.jmx.enabled=false, server.port=-1}
2019-04-30 14:43:11.702 INFO 98094 --- [ main] n.a.client.stepdefs.HelloStepDefs : Starting HelloStepDefs on davids-MacBook-Pro-2.local with PID 98094 (started by wdavid in /Users/wdavid/GitHub/mtls/client)
2019-04-30 14:43:11.704 INFO 98094 --- [ main] n.a.client.stepdefs.HelloStepDefs : No active profile set, falling back to default profiles: default
2019-04-30 14:43:12.806 INFO 98094 --- [ main] n.a.client.stepdefs.HelloStepDefs : Started HelloStepDefs in 1.564 seconds (JVM running for 2.643)
Feature: Securing the connection between you and the world
@demo
Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4
Given Server is alive # HelloStepDefs.serverIsAlive()
When I say hello # HelloStepDefs.iSayHello()
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28)
at ✽.I say hello(src/test/resources/features/Hello.feature:6)
Then I expect to receive status code 200 # HelloStepDefs.iExpectToReceiveStatusCode(int)
And I expect to receive Hello message # HelloStepDefs.iExpectToReceiveMessage(String)
Failed scenarios:
src/test/resources/features/Hello.feature:4 # Saying hello to the Server
1 Scenarios (1 failed)
4 Steps (1 failed, 2 skipped, 1 passed)
0m2.225s
|
This exception will be thrown if the certificate is untrusted by one of the sides. So it means that the certificate of the server is not in the truststore of the client or the other way around, so it could be that the certificate of the client is not in the truststore of the server. Could you reimport the certificate of the client into the truststore of the server and also reimport the certificate of the server into the truststore of the client and recompile and start the test again? |
Wait,
I have THE SAME ca-root certificate in the server and the client truststores:
|
Could this be a problem?
~/GitHub/mtls$ keytool -importkeystore -srckeystore client/src/test/resources/identity.jks -destkeystore client/src/test/resources/client.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass secret -deststorepass secret
Importing keystore client/src/test/resources/identity.jks to client/src/test/resources/client.p12...
Import command completed: 0 entries successfully imported, 0 entries failed or cancelled
|
Having the same root-ca certificate in both of the trust stores is fine. The import message from your last comment doesn't look ok. It should have given you the following message: Could you please try again exactly all the steps from chapter |
I did everything from scratch and still getting the exception. Can we do a session with shared desktop?
It might be very helpful
16:21:17.931 [main] DEBUG org.springframework.test.context.support.TestPropertySourceUtils - Adding inlined properties to environment: {spring.jmx.enabled=false, server.port=-1}
2019-04-30 16:21:18.399 INFO 366 --- [ main] n.a.client.stepdefs.HelloStepDefs : Starting HelloStepDefs on davids-MacBook-Pro-2.local with PID 366 (started by wdavid in /Users/wdavid/GitHub/mtls/client)
2019-04-30 16:21:18.400 INFO 366 --- [ main] n.a.client.stepdefs.HelloStepDefs : No active profile set, falling back to default profiles: default
2019-04-30 16:21:19.463 INFO 366 --- [ main] n.a.client.stepdefs.HelloStepDefs : Started HelloStepDefs in 1.529 seconds (JVM running for 2.606)
Feature: Securing the connection between you and the world
@demo
Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4
Given Server is alive # HelloStepDefs.serverIsAlive()
When I say hello # HelloStepDefs.iSayHello()
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at nl.altindag.client.stepdefs.HelloStepDefs.iSayHello(HelloStepDefs.java:28)
at ✽.I say hello(src/test/resources/features/Hello.feature:6)
Then I expect to receive status code 200 # HelloStepDefs.iExpectToReceiveStatusCode(int)
And I expect to receive Hello message # HelloStepDefs.iExpectToReceiveMessage(String)
Failed scenarios:
src/test/resources/features/Hello.feature:4 # Saying hello to the Server
1 Scenarios (1 failed)
4 Steps (1
________________________________
From: Hakky54 <[email protected]>
Sent: Tuesday, April 30, 2019 3:59 PM
To: Hakky54/mutual-tls
Cc: mpkmtv; Author
Subject: Re: [Hakky54/mutual-tls] javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty (#1)
Yes, that part doesn't look ok. It should have given you the following message: Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Could you please try again exactly all the steps from chapter Creating a Certificate Authority
Somehow exporting your identity certificate and signing it with the root-ca has not happened.
|
Sure, add me at Discord and let's continue over there. My username is Hakky54#8471 |
Thanks,
I created a Discord account, but I'm new to it. Here is the chat invitation: https://discord.gg/5DqB4E
David
|
David and I did a remote video session and retried the steps described in the Readme and it worked with the first try. Looking at the exception that David had previously, it could mean that the certificate was not trusted because it wasn't signed properly or wasn't trusted. |
Yes we resolved the issue. We could not find the root cause but we started from scratch with the tutorial and followed everything step by step. So my assumption was that he missed a step in the tutorial back then. Can you try to run the script test-all-scenarios.sh file and share your results here? |
I checked your repo but you mentioned that Java 11 is a must and I am on JDK 8 and I can't upgrade it. |
Do you have some time for a video call? |
I am not available today and tomorrow, but from Sunday onwards I am available everyday for a call. Let's continue the chat on Gitter and discuss the next steps https://gitter.im/hakky54/mutual-tls-ssl |
So finally @Hakky54 and I resolved the issue, and it was something to do with the classpath: the truststore wasn't getting initialised properly. It got resolved after using the absolute path for the store. There were some other small problems too, but those got resolved in less time than the first one. |
Hi @sameer-dighe , I'm also getting same error like Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty Could you please help me to resolve this error? |
Hi @chetnajoshi889 your issue might be related to one of the options quoted above. Or your truststore does not contain the trusted certificates |
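A diagnostic for the two causes named in this thread (a truststore that is not found at the configured location, and a truststore that contains no trusted certificates), added here as an example; it is not code from the mutual-tls project or from any participant. The class `TrustAnchorCheck` and its methods are hypothetical, and the stores are assumed to be JKS, as in the configuration posted above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {

    /** Opens "classpath:name" from the class path; anything else is treated as a file path. */
    static InputStream open(String location) throws IOException {
        if (location.startsWith("classpath:")) {
            String name = location.substring("classpath:".length());
            InputStream in = TrustAnchorCheck.class.getClassLoader().getResourceAsStream(name);
            if (in == null) {
                // Fail loudly here instead of continuing with a store that was never loaded.
                throw new IOException("not found on the class path: " + name);
            }
            return in;
        }
        // A relative path resolves against the working directory, not against src/test/resources.
        return new FileInputStream(location);
    }

    static KeyStore load(String location, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS stores, as in this thread
        try (InputStream in = open(location)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Only trusted-certificate entries become trust anchors; private-key entries do not count. */
    static int countTrustAnchors(KeyStore ks) throws GeneralSecurityException {
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors++;
            }
        }
        return anchors;
    }

    /** Number of issuers the default TrustManagerFactory accepts when built from this store. */
    static int acceptedIssuers(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // does not fail on an empty store; the error only appears at handshake time
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory store stands in for a truststore
        // that was never populated or was not loaded from the intended location.
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        System.out.println("empty store: trustedCertEntries=" + countTrustAnchors(empty)
                + ", acceptedIssuers=" + acceptedIssuers(empty));
        try {
            // Same check that fails in the stack trace (PKIXParameters.setTrustAnchors).
            new PKIXParameters(empty);
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("PKIXParameters rejected it: " + e.getMessage());
        }

        // Optional: java TrustAnchorCheck <location> <password>
        if (args.length == 2) {
            KeyStore ks = load(args[0], args[1].toCharArray());
            int anchors = countTrustAnchors(ks);
            System.out.println(args[0] + ": entries=" + ks.size()
                    + ", trustedCertEntries=" + anchors);
            if (anchors == 0) {
                System.out.println("No trust anchors: import the CA or peer certificate "
                        + "as a trusted entry.");
            }
        }
    }
}
```

Running it against both `truststore.jks` and `classpath:truststore.jks` shows whether the configured location resolves at all and whether the store it resolves to holds any trusted-certificate entries.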
Hi @Hakky54 , |
Hi @rajatzeal |
I can share my screen if you are available for a call, I’m really stuck with the issue and would appreciate your help |
I can understand your setup is not working. The SSL configuration of Selenium with the ChromeDriver is just not working with only the ChromeOptions. I would suggest having a look at this Stack Overflow answer here: https://stackoverflow.com/a/56170148/6777695 In the example above all HTTPS requests are getting intercepted and being executed alongside your custom SSLContext. The author has made his code snippet available here at GitHub: https://github.com/patricsteiner/seleniumSslProxy |
Ok , will try to check with these solutions. |
I will be available at 13:00 CEST till 14:00 CEST, so we can have a look at it. Let's use Teamviewer. You can share your teamviewer id and password on the private Gitter chat with me directly |
We did a short call with @rajatzeal and it seems like his HttpClient was not trusting the certificate of the server. It is the same point which I mentioned here: #1 (comment) He needs to export the server certificate, create an SSLContext and configure his HttpClient so the client will trust the server. |
I noticed that a lot of developers are facing this exception or similar ones. If anyone still has trouble resolving these kinds of issues, feel free to ping me, I am able to provide support. My mail address is [email protected] |
Thank you. Everything worked fine until "Two way TLS based on trusting the Certificate Authority" That did not work and resulted in the error shown below. I tried various JDKs and other suggestions from the internet. Nothing worked.
@demo
Scenario: Saying hello to the Server # src/test/resources/features/Hello.feature:4
Given Server is alive # HelloStepDefs.serverIsAlive()
When I say hello # HelloStepDefs.iSayHello()
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)