Why do we see the following error "java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"?

Summary

This issue will only occur in cases where you are trying to connect to an application that is running behind a reverse proxy or a Load balancer that has SSL enabled or if the application itself has SSL enabled.

Details

 

Usually this error happens in cases where you are trying to connect Artifactory to a remote endpoint using the HTTPS protocol.

 

java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Resolution

 

You can run the following command to see if the SSL certs used by Xray or any other remote endpoint are self-signed or signed by a known Certificate Authority. If you notice that the certs are self-signed, then you have to follow this article to import the self-signed certs into the Java trusted keystore:

How to resolve “unable to find valid certification path to requested target” error ?

 

openssl s_client -showcerts -connect myxray.com:443

 

If you notice that the SSL cert is signed by a known Certificate Authority like GoDaddy, Digicert, Symantec, Globalsign etc., but you are still seeing the error "Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty", then it could be that your Artifactory is configured to point to an invalid truststore.

 

You can check this by looking for the following Java option in the "default" file under the $ARTIFACTORY_HOME/etc/ folder for a service installation of Artifactory: "-Djavax.net.ssl.trustStore=/home/path/to/cacerts". If this option is set in the "default" file, then Artifactory will not rely on the default Java truststore under $JAVA_HOME/lib/security/cacerts and will use the "cacerts" location given in the Java option. If the "cacerts" file provided in the Java option is invalid, then this would cause the error when connecting to an HTTPS endpoint.

 

If your Artifactory is a standalone zip installation, then the Java options are specified in the "artifactory.default" file under the $ARTIFACTORY_HOME/bin/ folder. Please check this file and see if the Java option is set to point to a custom "cacerts" location. Here is a link that shows where the Java options are set for Artifactory based on the installation type:

https://www.jfrog.com/confluence/display/RTF/Installing+on+Linux+Solaris+or+Mac+OS#InstallingonLinuxSolarisorMacOS-SettingJavaMemoryParameters

 

If this is the case, then please remove the java option from the config file or point it to the right location where you have a valid "cacerts" file and restart Artifactory. Removing this java option -Djavax.net.ssl.trustStore will force Artifactory to pick the default java truststore under $JAVA_HOME/lib/security/cacerts.
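
The check described above can be scripted. The following is an added example, not JFrog's code: it reads the options file, extracts the -Djavax.net.ssl.trustStore value, and reports whether that file is missing, empty, or has no trusted certificate entries. The script name, the STOREPASS variable and the status words it prints are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not JFrog code): audit the truststore override in a JVM options file.
# Usage (hypothetical script name): sh check_truststore.sh "$ARTIFACTORY_HOME/etc/default"

# Print the path given to -Djavax.net.ssl.trustStore in file $1 (empty if unset).
truststore_override() {
    # Skip commented lines; keep the last occurrence (assumed to take precedence).
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -o -e '-Djavax\.net\.ssl\.trustStore=[^[:space:]"]*' |
        tail -n 1 | cut -d= -f2-
}

# Classify the truststore selected by options file $1.
# Prints one of: default | missing | empty | unverified | invalid | ok
check_truststore() {
    ts=$(truststore_override "$1")
    # No override: the JVM uses $JAVA_HOME/lib/security/cacerts.
    if [ -z "$ts" ]; then echo default; return 0; fi
    if [ ! -e "$ts" ]; then echo missing; return 1; fi
    if [ ! -s "$ts" ]; then echo empty; return 1; fi
    # Without keytool the file's contents cannot be inspected here.
    if ! command -v keytool >/dev/null 2>&1; then echo unverified; return 0; fi
    # Count trusted certificate entries; none means the JVM has no trust anchors.
    # STOREPASS is a hypothetical variable; "changeit" is the stock cacerts password.
    n=$(keytool -list -keystore "$ts" -storepass "${STOREPASS:-changeit}" 2>/dev/null |
        grep -c 'trustedCertEntry' || true)
    if [ "$n" -gt 0 ]; then echo ok; return 0; fi
    # Wrong format, wrong password, or a keystore with no trusted certificates.
    echo invalid; return 1
}

if [ "$#" -gt 0 ]; then check_truststore "$1"; fi
```

Any result other than "default" or "ok" means the configured "cacerts" path needs a closer look before restarting Artifactory.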