Missing CA certificates in jdk8u181-b13 #676
Comments
Which platform were you seeing this on @detouched? |
Pretty much all for "OpenJDK 8 with Hotspot" option, just double checked these all:
I also tried the following Docker images where I initially faced this issue:
I then compared |
I am getting the following exception as well and have found out that it's an issue with the certs coming in the jdk build. I am attaching an image below showing the number of certificates in Adopt jdk8u172-b11, jdk8u181-b13 and Oracle jdk 1.8.0_172 respectively for the Mac distribution. |
My team is attempting to move to AdoptOpenJDK and just encountered a related error. The issue was encountered running on MacOS. This looks like a major bug.
|
After some digging, I have found that the certificate which is popular and missing in jdk8u181-b13 is the "Starfield Services Root Certificate Authority" root cert, now acquired by Amazon. Oracle JDK 8 and jdk8u172-b11 bundle this certificate in cacert. Various Amazon trust root CAs are listed here: https://www.amazontrust.com/repository/ It has also been added to Oracle Open JDK 11 recently. See this: https://bugs.openjdk.java.net/browse/JDK-8198891 |
As a workaround, people can install the cert from the Amazon Trust Repository. The following command might help with verifying whether a "Starfield Services Root Certificate Authority" cert is present or not: And use the below command to install the above cert in cacert: |
@johnoliver - Interesting, looks like we may need to backport certs from latest 11 |
Now that PR #688 is merged, what does the release flow look like? When/how does it end up in Docker images or release tar.gz? |
The nightly builds should now produce a version with the new cacerts. The next release 8u192 should also pick up these changes (hopefully next week) |
The latest available for Ubuntu 14.04 is still Unfortunately, the command provided by @Ganeshgautam doesn't work, probably just minor syntax errors. |
@nitinsurana The version available by launchpad is not by AdoptOpenJDK, you'll have to manually download from our site. |
@karianna wrote:
I ran into this very same issue today on Mac OS but for AdoptOpenJDK 11 build 11.0.5+10 (HotSpot VM) and was astonished when I read this thread and your comment that the issue should have been fixed for jdk8 by backporting certs from jdk11. Indeed, my tests with AdoptOpenJDK 8 were successful. But JDK 11 throws an Exception: I tried a
Do you have any clue why this still happens for JDK 11? |
@tofi86 I don't have a Mac to test, but www.google.com is working for me with 11.0.5+10 on linux, and using the same cacert store. If you can recreate the issue, can you give us the output of:
On that machine. |
Sure thing:
|
Then in the next step I tried to reproduce with an SSCCE:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

public class UrlConnectionTest {
    public static void main(String[] args) throws MalformedURLException {
        URL url = new URL("https://www.google.com");
        try {
            // The TLS handshake (and certificate path validation) happens
            // when the response code is requested.
            HttpURLConnection urlConnect = (HttpURLConnection) url.openConnection();
            urlConnect.setReadTimeout(10000);
            urlConnect.setRequestMethod("HEAD");
            System.out.println(urlConnect.getResponseCode());
        } catch (IOException e) {
            // An SSL handshake failure is reported here as an IOException.
            e.printStackTrace();
        }
    }
}
```

While it failed in my program code at While digging deeper, it turned out a colleague once set this at program start:
in order to avoid If I add this before the I tried removing the However, can you explain why the SSCCE with |
@johnoliver not urgent but re-opening this as there seems to be an open question on this. Feel free to shift to the support repo if we deem it to be an isolated case. |
Hi there! This is from a Raspberry Pi with OpenJDK11:
✨ What I find particularly surprising is that the results do not change even when another cacert-file is used. The Raspbian java is still happily validating the domains based on the cacert-file from AdoptOpenJDK. The AdoptOpenJDK java is also consistent even when handed the Raspbian provided cacert-file:
I got similar results when testing jdk8u232-b09-jre on the same platform (armv7l). Refs arduino/Arduino#9719 |
Sorry the previous message was not meant to be sent here, I sent it by mistake, my apologies. Anyway, I hope it helps to narrow down the issue. |
Argh, I deleted it by accident, can you link to the original message? |
Problems with ARMv7 have been fixed some time ago. AdoptOpenJDK 15 contains a new cacerts keystore containing the same set of certificates as Firefox (and most of the Linux distributions). The October updates for 8 and 11 will get the same keystore. If new problems appear or old ones persist, please open a new issue. |
The jdk8u181-b13 update lost roughly half of cacerts entries: it has only 80 entries while jdk8u172-b11 has 157. This causes SSL errors like this (tried with some domains of Google and Amazon):
I tried Docker images as well as downloadable tar.gz – they both have the same version of truncated cacerts file.
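The comparison described in this issue (entry counts per build, and which root is missing) can be scripted. The following is an added example, not part of the original thread or the AdoptOpenJDK project: it diffs two `keytool -list` listings by certificate fingerprint. The function names, aliases and fingerprints are constructed placeholders, and the listing layout is assumed to be the JDK 8 `keytool -list` text format.

```shell
#!/bin/sh
# Listings are produced with: keytool -list -keystore <cacerts> -storepass changeit
# ("changeit" is the default cacerts password). Sample listings below are constructed.

# Print "fingerprint alias" for each trustedCertEntry in a keytool -list listing.
entries() {
    awk -F', ' '
        /trustedCertEntry/ { alias = $1; next }
        /^Certificate fingerprint/ { sub(/^[^:]*: */, ""); print $0, alias }
    ' "$1" | sort
}

# Number of trusted certificates in a listing.
count_entries() { entries "$1" | wc -l | tr -d ' '; }

# Aliases whose fingerprint is in listing $1 (old build) but not in $2 (new build).
# Match on fingerprint, not alias: alias names can differ between builds.
missing_in_new() {
    idx=$(mktemp) || return 1
    entries "$2" > "$idx"
    entries "$1" | awk -v idx="$idx" '
        BEGIN { while ((getline line < idx) > 0) { split(line, f, " "); seen[f[1]] = 1 } }
        !($1 in seen) { sub(/^[^ ]+ /, ""); print }'
    rm -f "$idx"
}

WORK=$(mktemp -d)
cat > "$WORK/old.txt" <<'EOF'
Keystore type: jks
Your keystore contains 3 entries

examplerootca, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA
starfieldservicesrootca, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB
anotherrootca, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): CC:CC:CC:CC
EOF
cat > "$WORK/new.txt" <<'EOF'
Keystore type: jks
Your keystore contains 2 entries

renamed-example-root, Jul 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA
anotherrootca, Jul 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): CC:CC:CC:CC
EOF
echo "old: $(count_entries "$WORK/old.txt"), new: $(count_entries "$WORK/new.txt")"
missing_in_new "$WORK/old.txt" "$WORK/new.txt"
```

Run against real listings from two JDK builds, the last call prints the aliases of roots that were dropped, even when a surviving root was renamed.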