Missing certificates

[JannikEmmerich]

When I try to access any https location, I get the following error message because certificates are missing.
I have tried several https URLs.

Used image: arm32v7/adoptopenjdk:14-jdk-hotspot

Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:167)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1462)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1370)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:437)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:171)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1595)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1523)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
        at org.gradle.wrapper.Download.downloadInternal(Download.java:83)
        at org.gradle.wrapper.Download.download(Download.java:66)
        at org.gradle.wrapper.Install$1.call(Install.java:68)
        at org.gradle.wrapper.Install$1.call(Install.java:48)
        at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
        at org.gradle.wrapper.Install.createDist(Install.java:48)
        at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
        at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:63)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
        ... 23 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
        at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
        ... 28 more
Caused by: java.security.SignatureException: Signature does not match.
        at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:454)
        at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
        at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 33 more

[JannikEmmerich]

I also tried to import the ca certificates and used the keystore of my x64 computer where this error does not occur, but still does not work with the same error message.

[grzesuav]

@JannikEmmerich could you add example host which was not working ? Along with simple java class to replicate behavior ?

[JannikEmmerich]

@grzesuav https://github.com/JannikEmmerich/adoptopenjdk-gradle-test just run docker build . on arm32v7.
When gradle tries to download the daemon, the signature check fails.

[aahlenst]

We have serious problems with SSL on ARM32 across the board: adoptium/adoptium-support#33

Missing root certificates usually cause different exceptions: adoptium/adoptium-support#13 (should be fixed with next month's update).

[aahlenst]

ARMv7 problems have been fixed and rolled out with the July updates. 15 gets a new list of CA certificates matching Firefox. The same list will be included in 8 and 11 in the October releases.