edvin/fxlauncher

Error regarding SSL connection

MGlolenstine opened this issue · 11 comments

Upon opening a built application, I get greeted with the app closing and spewing out this error.

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1903)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1886)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1402)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
at fxlauncher.FXManifest.load(FXManifest.java:198)
at fxlauncher.AbstractLauncher.syncManifest(AbstractLauncher.java:223)
at fxlauncher.AbstractLauncher.updateManifest(AbstractLauncher.java:92)
at fxlauncher.Launcher.lambda$start$0(Launcher.java:140)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:91)
at sun.security.validator.Validator.getInstance(Validator.java:181)
at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
... 11 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
... 23 more

It would appear that the launcher can't handle updating via SSL.

It's probably just a mistake in the configuration. How would I fix that error?

App launches fine via java, but not via native launcher.

edvin commented

The launcher uses HttpURLConnection, which handles SSL just fine, but if you’re using a self-signed cert you would have to supply a valid verification chain; see the docs for HttpURLConnection.

I am using a self-signed cert, but is there a way to supply it with the launcher? It seems like the keystore part requires it to be stored on the user's computer and be accessed via a terminal argument.

edvin commented

You could load it into the user's trust store or provide a custom trust store, but it's just not worth it. SSL certs are cheap or even free these days. Save yourself a ton of hassle and get a real one :)

Ok, fair point 👍. I'll do that then, keep up the good work!

edvin commented

I just had an idea though. If you use native installers you have full control of the supplied JVM along with the trust store, so you can basically just import the self-signed cert with keytool into the JVM that will be built into the installer, and you should be good to go even with a self-signed cert!

How do I specify the JVM that's going to be integrated into the native launcher?

edvin commented

See the docs for javapackager. Basically it will use the one you have in your path or point to with JAVA_HOME.

Ooooh, that's helpful to know... Thanks! <3

Did exactly what you said, installed certs using keytool and now it works. On multiple machines! Thanks

edvin commented

Great, thanks for reporting back!

Well... Thanks for fast and good support :)
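
The keytool import suggested in this thread, written out as a script (an added example, not part of the original discussion or of fxlauncher). The JDK path, certificate file and alias passed to it are placeholders you supply; `changeit` is the JDK's default trust-store password.

```shell
#!/bin/sh
# Added example: import a self-signed certificate into the trust store of
# the JDK that will be bundled into the native installer.
# Usage (all three arguments are placeholders):
#   sh import-cert.sh "$JAVA_HOME" server.crt my-update-server

# Print the path of the cacerts file under a JDK/JRE home.
# A JDK 8 keeps it under jre/lib/security; a JRE or JDK 9+ under lib/security.
find_cacerts() {
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    echo "no cacerts file under $1" >&2
    return 1
}

# import_cert JAVA_HOME CERT_FILE ALIAS [STOREPASS]
import_cert() {
    store=$(find_cacerts "$1") || return 1
    pass=${4:-changeit}          # JDK default trust-store password
    keytool="$1/bin/keytool"     # use the keytool of the JDK being bundled

    # Print the certificate (including its fingerprints) so it can be
    # compared with the one the update server actually presents.
    "$keytool" -printcert -file "$2" || return 1

    # Do nothing if the alias is already in the store.
    if "$keytool" -list -alias "$3" -keystore "$store" \
            -storepass "$pass" >/dev/null 2>&1; then
        echo "alias $3 already present in $store" >&2
        return 0
    fi

    "$keytool" -importcert -noprompt -trustcacerts -alias "$3" \
        -file "$2" -keystore "$store" -storepass "$pass"
}

# Run the import only when called with arguments.
if [ "$#" -ge 3 ]; then
    import_cert "$@"
fi
```

Run it against the same JDK that javapackager picks up (the one on your path or in JAVA_HOME) before building the installer, so the bundled runtime carries the modified trust store.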