What to Do When You Encounter the Error: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Nihal Reddy Chinna Choudhary
2023-01-22 11:08

Relevant version: This information pertains to Artifactory version 6.x

This error typically occurs when you're trying to connect Artifactory to a remote endpoint over HTTPS. It arises only when the remote application is SSL-enabled or is running behind an SSL-enabled reverse proxy or load balancer. Such failures return the following error message:

java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

 

You can run the following command to see if the SSL certs used by Xray or any other remote endpoint are self-signed or if a given certificate has been signed by a known certificate authority:

openssl s_client -showcerts -connect myxray.com:443

If any of your certs are self-signed, you'll need to follow the instructions in the remainder of this article to import the self-signed certs you need into your Java trusted keystore (cacerts). If an SSL cert is signed by a known certificate authority (e.g., GlobalSign, GoDaddy, DigiCert, Symantec, etc.) but you're still seeing the error message above, your Artifactory instance may be pointing to an invalid truststore.

You can check this by looking for the following Java option in the default file under the $ARTIFACTORY_HOME/etc/ folder (for a service installation of Artifactory):

-Djavax.net.ssl.trustStore=/home/path/to/cacerts

If this option is set in the default file, Artifactory will not rely on the default Java truststore under $JAVA_HOME/lib/security/cacerts and will instead use the "cacerts" location given in the Java option. If the "cacerts" file provided in the Java option is invalid, this causes the error when connecting to an HTTPS endpoint.

If your Artifactory instance is a standalone zip installation, then your Java options are specified in the artifactory.default file in the $ARTIFACTORY_HOME/bin/ folder. Check this file to see if a Java option has been configured to point to a custom cacerts location. The following link shows where the Java options are set for Artifactory, based on the installation type:

https://www.jfrog.com/confluence/display/RTF/Installing+on+Linux+Solaris+or+Mac+OS#InstallingonLinuxSolarisorMacOS-SettingJavaMemoryParameters

If this is the case, remove the Java option from your config file or point it to a location where you have a valid cacerts file. Then restart Artifactory. Removing the -Djavax.net.ssl.trustStore option forces Artifactory to use the default Java truststore under $JAVA_HOME/lib/security/cacerts.
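The check described above can be scripted. The following is an added example, not part of the original article or of JFrog's tooling: it reads the Java options file you pass it and reports whether -Djavax.net.ssl.trustStore is set and whether the file it names exists and is non-empty. The function names and status words are hypothetical, and the script assumes the path in the option is written literally (shell variables inside it are not expanded).

```shell
#!/bin/sh
# Added example (hypothetical helper, not JFrog code).
# Usage: sh check_truststore.sh /path/to/artifactory/default-file

# Print the path given to -Djavax.net.ssl.trustStore in file $1.
# Commented-out lines are skipped; the last occurrence wins.
# The trailing "=" keeps trustStorePassword / trustStoreType from matching.
configured_truststore() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -o -- "-Djavax\.net\.ssl\.trustStore=[^ \"']*" \
        | tail -n 1 \
        | cut -d= -f2-
}

# Print one status word for the options file $1:
#   unreadable - the options file itself cannot be read
#   default    - option not set; the JVM uses $JAVA_HOME/lib/security/cacerts
#   missing    - option set, but no regular file exists at that path
#   empty      - option set, file exists but is zero bytes
#   present    - option set, file exists and has content
truststore_status() {
    if [ ! -r "$1" ]; then
        echo "unreadable"
        return 0
    fi
    ts=$(configured_truststore "$1")
    if [ -z "$ts" ]; then
        echo "default"
    elif [ ! -f "$ts" ]; then
        echo "missing"
    elif [ ! -s "$ts" ]; then
        echo "empty"
    else
        # A present file can still be invalid; inspect its entries with:
        #   keytool -list -keystore "$ts"
        echo "present"
    fi
}

# When run with an argument, report on that options file.
[ "$#" -eq 0 ] || truststore_status "$1"
```

A result of "missing" or "empty" points at the invalid custom truststore case this article describes; "default" means the option is not the cause.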