I'm not sure that changing the trust store password, or setting javax.net.ssl.trustStorePassword by default, is the right way to fix this. Oracle's JRE contains a keystore with the same password ("changeit") but doesn't require this property to be set.
I noticed that /etc/ssl/certs/java/cacerts in 18.04 is a PKCS12 keystore, whereas the keystore bundled with Oracle's JRE (as well as the cacerts in 17.10) is a JKS keystore:
sam@sam-desktop:~$ keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: PKCS12
sam@sam-desktop:~$ keytool -list -keystore jre-10.0.1/lib/security/cacerts -storepass changeit | grep 'Keystore type:'
Keystore type: JKS

If I convert my cacerts file, then things start to work again:

sam@sam-desktop:~$ sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.old
...
sam@sam-desktop:~$ sudo keytool -importkeystore -destkeystore /etc/ssl/certs/java/cacerts -deststoretype jks -deststorepass changeit -srckeystore /etc/ssl/certs/java/cacerts.old -srcstoretype pkcs12 -srcstorepass changeit
...
sam@sam-desktop:~$ java HttpsTester
Response code: 200
It worked!

Not sure why a PKCS12 keystore needs a password but a JKS one doesn't, but maybe whatever is generating /etc/ssl/certs/java/cacerts just needs to be changed to generate JKS keystores again?
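
The keytool check in the comment above needs keytool and the store password. As an added example (not part of the original comment), this shell function tells a JKS store from a PKCS12 one by the file's leading bytes alone, which is handy when auditing cacerts files across hosts. The function names are hypothetical and the sample headers are constructed, not real keystores.

```shell
#!/bin/sh
# Added example (not from the original comment): classify a keystore file
# by its leading bytes. No store password is needed for this check.
# keystore_type and write_sample are hypothetical helper names.

keystore_type() {
    # First 10 bytes as lowercase hex, e.g. "feedfeed000000020000"
    hex=$(od -An -tx1 -N10 "$1" 2>/dev/null | tr -d ' \n')
    case "$hex" in
        feedfeed*) echo JKS;   return 0 ;;  # JKS magic 0xFEEDFEED
        cececece*) echo JCEKS; return 0 ;;  # JCEKS magic 0xCECECECE
        30*) ;;                             # ASN.1 SEQUENCE: maybe PKCS12
        *) echo unknown; return 1 ;;
    esac
    # A PKCS12 file is a SEQUENCE whose first element is INTEGER 3
    # (bytes 02 01 03). Skip the variable-width length field to reach it.
    case "$(printf %s "$hex" | cut -c3-4)" in
        [0-7]?|80) skip=4 ;;   # short form, or BER indefinite length
        81) skip=6 ;;
        82) skip=8 ;;
        83) skip=10 ;;
        84) skip=12 ;;
        *) echo unknown; return 1 ;;
    esac
    ver=$(printf %s "$hex" | cut -c"$((skip + 1))-$((skip + 6))")
    if [ "$ver" = 020103 ]; then echo PKCS12; return 0; fi
    echo unknown; return 1
}

# Constructed sample headers (not real keystores), for trying the function.
write_sample() {
    case "$1" in
        jks)    printf '\376\355\376\355\000\000\000\002\000\000' ;;
        pkcs12) printf '\060\202\004\322\002\001\003\060\202\004' ;;
        pem)    printf -- '-----BEGIN CERTIFICATE-----\n' ;;
    esac > "$2"
}

# Usage: sh keystore_type.sh /etc/ssl/certs/java/cacerts ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(keystore_type "$f")"
done
```

The function only inspects the container header; it does not verify the store's integrity or list its entries, which still requires keytool.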