Red Hat Bugzilla – Bug 483483
Can't open SSL connection
Last modified: 2009-02-04 01:51:03 EST
Description of problem: Can't open SSL connection to server
Version-Release number of selected component (if applicable): 1.0.b12.el5.2
How reproducible: Every time
Steps to Reproduce:
1. Install java-1.6.0-openjdk package on CentOS 5.0
2. Run a Java program that tries to open an SSL connection, e.g. 'ec2-describe-images' tool provided with the Amazon EC2 Api Tools.
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
the trustAnchors parameter must be non-empty
SSL connection sucessfully opened to server.
After a bit of Googling around, this problem could be due to the fact that for EPEL (unlike Fedora) the Open JDK packages do not seem to depend on the 'ca-certificates' package, which (on Fedora) contains the root CA certificates for java, '/etc/pki/java/cacerts'.
This won't be fixed, since Red Hat ships java-1.6.0-openjdk package in RHEL-5.3, obsoleting this package in EPEL. Unfortunatelly they did not agree with EPEL on NVR, so you have to manually override the packages in repository configuration.
If you can't use the RHEL-5.3 packages, can fix this by getting the cacerts file from a working installation (/etc/pki/java/cacerts from Fedora's ca-certificates package, or /usr/lib/jvm/java-1.6.0-openjdk-220.127.116.11/jre/lib/security/cacerts from RHEL 5.3 OpenJDK package, or equivalent from Sun JRE) and place it in /usr/lib/jvm/java-1.6.0-openjdk-18.104.22.168/jre/lib/security/cacerts
I can confirm this works with EC2 tools.