java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Bug #1743139 reported by Marvin
This bug affects 9 people
Affects              Status     Importance  Assigned to  Milestone
openjdk-11 (Ubuntu)  Confirmed  Undecided   Unassigned
openjdk-9 (Ubuntu)   Confirmed  Undecided   Unassigned

Bug Description

When trying to access anything using Java + HTTPS, the process is terminated with a java.security.InvalidAlgorithmParameterException. Adding -Djavax.net.ssl.trustStorePassword=changeit to the command line flags of java fixes this problem.

Either the trust store's password should be changed, or this flag should be added by default.

Mittles (mittles) wrote :

I have been able to replicate this bug. It becomes apparent when attempting to run Minecraft.jar, the official Minecraft Java client under OpenJDK 9 on a fresh install of Ubuntu Mate 18.04 Beta 2. https://i.imgur.com/HRzRl8J.png

I was able to find a solution though it isn't a proper fix. Purge all related packages and install the older openjdk-8-jre first, then a newer version on top of it. It looks like the default packages are not installing the certificates properly.

See https://askubuntu.com/questions/971059/17-10-openjdk-and-oracle-jdk-8-and-9-the-trustanchors-parameter-must-be-non-empt under amb85. Ubuntu MATE 18.04 includes a ppa in the Software Boutique which installs Minecraft, but it runs into the same issue as using Minecraft.jar from Mojang's website.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-9 (Ubuntu):
status: New → Confirmed
Sam Uong (samuong) wrote :

I'm not sure that changing the trust store password, or setting javax.net.ssl.trustStorePassword by default, is the right way to fix this. Oracle's JRE contains a keystore with the same password ("changeit") but doesn't require this property to be set.

I noticed that /etc/ssl/certs/java/cacerts in 18.04 is a PKCS12 keystore, whereas the keystore bundled with Oracle's JRE (as well as the cacerts in 17.10) is a JKS keystore:

sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: PKCS12
sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: JKS

If I convert my cacerts file, then things start to work again:

sam@sam-desktop:~$ sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
...
sam@sam-desktop:~$ sudo keytool -importkeystore -destkeystore /etc/ssl/certs/java/cacerts -deststoretype jks -deststorepass changeit -srckeystore /etc/ssl/certs/java/cacerts.old -srcstoretype pkcs12 -srcstorepass changeit
...
sam@sam-desktop:~$ java HttpsTester
Response code: 200
It worked!

Not sure why a PKCS12 keystore needs a password but a JKS one doesn't, but maybe whatever is generating /etc/ssl/certs/java/cacerts just needs to be changed to generate JKS keystores again?
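
A way to tell which format a cacerts file is in without keytool or the store password, as an added example that is not part of the bug report or of any package script: it classifies the file by its leading bytes (JKS starts with 0xFEEDFEED; a PKCS12 file starts with the DER SEQUENCE tag 0x30, so that match is a heuristic). The function names and the demo files are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a Java keystore by its
# leading bytes, without keytool and without the store password.

# keystore_format FILE -> prints JKS, JCEKS, PKCS12, empty, unreadable or unknown
keystore_format() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    # First four bytes as lowercase hex with whitespace stripped.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \t\n')
    case $magic in
        feedfeed) echo "JKS" ;;      # JKS magic number 0xFEEDFEED
        cececece) echo "JCEKS" ;;    # JCEKS magic number 0xCECECECE
        30*)      echo "PKCS12" ;;   # DER SEQUENCE tag, as a PKCS12 file starts
        "")       echo "empty" ;;
        *)        echo "unknown" ;;
    esac
}

# check_truststore FILE -> returns 0 only when FILE is a JKS keystore
check_truststore() {
    fmt=$(keystore_format "$1")
    if [ "$fmt" = "JKS" ]; then
        echo "OK: $1 is JKS"
    else
        echo "WARN: $1 is $fmt, expected JKS"
        return 1
    fi
}

# Demo on constructed sample headers (first bytes only, not real keystores).
demo() {
    d=$(mktemp -d)
    printf '\376\355\376\355\000\000\000\002' > "$d/cacerts.jks"
    printf '\060\202\004\321\002\001\003'     > "$d/cacerts.p12"
    for f in "$d/cacerts.jks" "$d/cacerts.p12"; do
        check_truststore "$f" || true
    done
    rm -rf "$d"
}

# With arguments: check each named file. Without: run the demo.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_truststore "$f" || true; done
else
    demo
fi
```

Run it with a path such as /etc/ssl/certs/java/cacerts as the argument to check a real trust store.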

Sam Uong (samuong) wrote :

This looks like it's been fixed in Debian with https://launchpad.net/debian/+source/ca-certificates-java/20180413:

  * Always generate a JKS keystore instead of using the default format
    (Closes: #894979)

ChaoGuo (nsguochao) wrote :

This issue still exists in 18.04 and affects almost everyone I know using Ubuntu 18.04.

The scripts of whatever package should only generate jks keystore instead of pkcs12.

Michael Rushanan (micharu123) wrote :

Sam Uong's recommendation of switching the PKCS12 keystore type to JKS fixes the InvalidAlgorithmParameterException.

I experienced this bug while using both openjdk-1.8-jdk and default-jdk package installs on Ubuntu 18.04. For those that might similarly discover this bug when attempting to run their gradle builds, you need to:

1. Follow Sam Uong's post above
2. Kill all gradle processes
3. Re-run your gradle build scripts

I figure this small bit of text may be indexed and help others that narrow their search on gradle.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-11 (Ubuntu):
status: New → Confirmed