ablog

Notes of a clumsy, restless engineer

Exceptions raised when a Java application accessing S3 lacks the required certificate

Exceptions raised

  • When the certificate file does not exist, or exists but is empty:
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  • When the certificate file exists but does not contain the certificate needed to reach S3:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Reproduction steps

  • First, take a backup of the keystore.
$ cd /etc/pki/ca-trust/extracted/java
$ sudo cp -p cacerts cacerts.org
Case: the required certificate is missing
  • Open an S3 object in a browser and check its certificate.

(screenshot: the certificate as shown by the browser)

  • Delete the baltimorecybertrustroot certificate from the keystore.
$ sudo keytool -delete -noprompt -alias baltimorecybertrustroot -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
  • Running a Java program that lists the S3 buckets now fails with "unable to find valid certification path to requested target".
$ ./run_example.sh ListBuckets
## Running ListBuckets...
## arguments ...
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Amazon S3 Examples 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- exec-maven-plugin:1.6.0:java (default-cli) @ s3examples ---
[WARNING]
com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException (AmazonHttpClient.java:1175)

(snip)

    at java.lang.Thread.run (Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException (Alerts.java:192)

(snip)

    at java.lang.Thread.run (Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild (PKIXValidator.java:397)

(snip)

    at java.lang.Thread.run (Thread.java:748)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Case: all certificates deleted from the keystore
  • List the aliases in the keystore.
$ keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit|perl -F, -lane '/^Certificate/ or print $F[0]' > alias_list.txt
  • Delete the following lines from the top of alias_list.txt.
Keystore type: jks
Keystore provider: SUN

Your keystore contains 132 entries
  • Delete the keys from the keystore.
$ cat alias_list.txt|while read LINE
do
	sudo keytool -delete -noprompt -alias ${LINE} -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
done
  • All keys have been deleted.
$ keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
Keystore type: jks
Keystore provider: SUN

Your keystore contains 0 entries ★
  • It now fails with "java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty".
$ ./run_example.sh ListBuckets
## Running ListBuckets...
## arguments ...
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Amazon S3 Examples 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- exec-maven-plugin:1.6.0:java (default-cli) @ s3examples ---
[WARNING]
com.amazonaws.SdkClientException: Unable to execute HTTP request: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException (AmazonHttpClient.java:1175)
(snip)
    at java.lang.Thread.run (Thread.java:748)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.ssl.Alerts.getSSLException (Alerts.java:208)
(snip)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init> (PKIXValidator.java:91)
(snip)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors (PKIXParameters.java:200)
Case: the keystore file deleted
  • Delete the keystore.
$ sudo rm cacerts
  • It fails with "java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty".
$ ./run_example.sh ListBuckets
## Running ListBuckets...
## arguments ...
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building Amazon S3 Examples 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- exec-maven-plugin:1.6.0:java (default-cli) @ s3examples ---
[WARNING]
com.amazonaws.SdkClientException: Unable to execute HTTP request: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException (AmazonHttpClient.java:1175)
(snip)
    at java.lang.Thread.run (Thread.java:748)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.ssl.Alerts.getSSLException (Alerts.java:208)
(snip)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.validator.PKIXValidator.<init> (PKIXValidator.java:91)
(snip)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors (PKIXParameters.java:200)
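As an added diagnostic (not code from the post), the Java program below loads the same cacerts store and reports which of the three states reproduced above it is in, hitting the two exceptions at the same calls the SDK's stack traces show (PKIXParameters for the empty store, the TLS handshake for the missing root). It assumes the Java 8 jre layout, the default changeit password, and s3.amazonaws.com as the endpoint to test against.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Preflight check for the trust store a Java S3 client will use.
// Assumed: Java 8 layout (java.home is the jre dir) and the default "changeit" store password.
public class TrustStoreCheck {
    static final String DEFAULT_STORE = System.getProperty("java.home") + "/lib/security/cacerts";
    public static void main(String[] args) throws Exception {
        File store = new File(args.length > 0 ? args[0] : DEFAULT_STORE);
        String host = args.length > 1 ? args[1] : "s3.amazonaws.com"; // assumed endpoint
        // Case 3 in the post: no file at all. JSSE then starts from an empty store.
        if (!store.exists()) {
            System.out.println("no trust store at " + store + " -> expect 'the trustAnchors parameter must be non-empty'");
            return;
        }
        KeyStore ks = KeyStore.getInstance("JKS"); // the post's store reports "Keystore type: jks"
        // A zero-byte file is loaded as an empty store (a null stream yields an empty KeyStore).
        try (FileInputStream in = store.length() == 0 ? null : new FileInputStream(store)) {
            ks.load(in, "changeit".toCharArray());
        }
        // Case 2: no trusted certificate in the store; this constructor is what fails in PKIXValidator.<init>.
        try {
            new PKIXParameters(ks);
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("empty trust store (" + ks.size() + " entries) -> " + e.getMessage());
            return;
        }
        // Case 1: the store is usable; check that the endpoint's chain actually builds against it.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            sock.startHandshake(); // fails with SSLHandshakeException: PKIX path building failed
            Certificate[] chain = sock.getSession().getPeerCertificates();
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            System.out.println("handshake OK; chain ends at issuer " + top.getIssuerX500Principal());
        } catch (SSLHandshakeException e) {
            System.out.println("chain does not build -> " + e.getMessage());
        }
    }
}
```

The handshake here only exercises chain building against the store; hostname verification is left to the SDK's HTTP client, so a successful run means the root is trusted, not that the endpoint is fully validated.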

Environment

$ cat /etc/system-release
Amazon Linux release 2 (Karoo)
$ uname -r
4.14.114-105.126.amzn2.x86_64
  • OpenJDK
$ java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK 64-Bit Server VM (build 25.201-b09, mixed mode)