I am running Spring Boot microservices inside Docker containers (docker-compose) for testing. I recently tried to upgrade from Spring Boot 1.4.0 to 1.4.1 (tried 1.4.2 also), but the services fail on startup with an InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty exception.
I have not experienced any issues running Spring Boot 1.4.0. The Dockerfile I use for one of the services is provided below (some sensitive values have been replaced; tried 1.4.2 with the same result).
The same behaviour happens when I run the service on the command line, with all the environment variables and Java params listed in the Dockerfile below.
Here is an extract from the log:
2016-11-10 08:10:06.645 ERROR [sbsa-account-om-service,,,] 1 --- [ main] o.apache.catalina.core.StandardService : Failed to start connector [Connector[HTTP/1.1-8762]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8762]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:233) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:178) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:544) [spring-context-4.3.3.RELEASE.jar!/:4.3.3.RELEASE]
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
at com.sbg.om.services.SbsaAccountOmServiceApplication.main(SbsaAccountOmServiceApplication.java:24) [classes!/:0.0.1-SNAPSHOT]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_11]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_11]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_11]
at java.lang.reflect.Method.invoke(Method.java:483) ~[na:1.8.0_11]
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [app.jar:0.0.1-SNAPSHOT]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [app.jar:0.0.1-SNAPSHOT]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:50) [app.jar:0.0.1-SNAPSHOT]
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:58) [app.jar:0.0.1-SNAPSHOT]
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Tomcat"; Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:976) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
... 21 common frames omitted
Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:969) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
... 22 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:1.8.0_11]
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:1.8.0_11]
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:1.8.0_11]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
... 27 common frames omitted
2016-11-10 08:10:06.691 INFO [sbsa-account-om-service,,,] 1 --- [ main] o.apache.catalina.core.StandardService : Stopping service Tomcat
Dockerfile:
FROM webdizz/centos-java8
VOLUME /tmp
ADD <app name>.jar app.jar
ADD smoke-test.trust.jks /smoke-test.trust.jks
# Environment vars for SSL keystore + truststore
ENV security_x509_orgUnit=<org unit>
ENV server_ssl_enabled="true"
ENV security_sessions="stateless"
ENV security_headers_hsts="all"
ENV server_ssl_ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
ENV server_ssl_protocol="TLS"
ENV server_ssl_keyStore="/smoke-test.trust.jks"
ENV server_ssl_keyStorePassword=<password>
ENV server_ssl_keyStoreType="JKS"
ENV server_ssl_keyAlias=<alias>
ENV server_ssl_keyPassword=<password>
ENV ribbon_ReadTimeout="60000"
ENV ribbon_IsSecure="true"
ENV ribbon_IsHostnameValidationRequired="true"
ENV ribbon_KeyStore="/smoke-test.trust.jks"
ENV ribbon_KeyStorePassword=<password>
ENV security_requireSsl="true"
ENV server_ssl_trustStore="/smoke-test.trust.jks"
ENV server_ssl_trustStorePassword=<password>
ENV server_ssl_trustStoreType="JKS"
ENV server_ssl_clientAuth="need"
ENV ribbon_TrustStore="/smoke-test.trust.jks"
ENV ribbon_TrustStorePassword=<password>
ENV ribbon_IsClientAuthRequired="true"
ENV PCI_CIPHER_KEY=<key>
ENV liquibase_contexts=<context>
# run actual Java app
RUN sh -c 'touch /app.jar'
EXPOSE 8762
EXPOSE 9997
ENTRYPOINT ["java", \
"-Djavax.net.ssl.trustStore=/smoke-test.trust.jks", \
"-Djavax.net.ssl.trustStorePassword=<password>", \
"-Djavax.net.ssl.trustStoreType=JKS", \
"-Djavax.net.debug=ssl", \
"-Dspring.profiles.active=testing", \
"-Dom.security.enabled=true", \
"-Dmanagement.security.enabled=true", \
"-Dom.security.x509.subjectPrincipalRegex=OU=(.*?)(?:,|$)", \
"-Dom.security.x509.roleConfiguration[0].roleNames[0]=<roleName>", \
"-Dom.security.x509.roleConfiguration[0].searchValues[0]=<value>", \
"-Dom.security.orderedPathRestrictions[0].pattern='/**'", \
"-Dom.security.orderedPathRestrictions[0].roles=<role>", \
"-Dom.security.orderedPathRestrictions[0].csrfDisabled=true", \
"-Xdebug", \
"-agentlib:jdwp=transport=dt_socket,address=9997,server=y,suspend=n", \
"-Dserver.port=8762", \
"-Deureka.instance.non-secure-port=0", \
"-Deureka.instance.secure-port=8762", \
"-Deureka.instance.hostname=<name>", \
"-Deureka.instance.nonSecurePortEnabled=false", \
"-Deureka.instance.securePortEnabled=true", \
"-Deureka.client.serviceUrl.defaultZone=<URL>", \
"-Dspring.application.name=sbsa-account-om-service", \
"-Deureka.instance.secureVirtualHostName=<name>", \
"-Djava.security.egd=file:/dev/./urandom", \
"-jar", \
"/app.jar"]
Edit: this is not the same issue as mentioned in the trustAnchors question, as my problem is related to going from Spring Boot version 1.4.0 to 1.4.1, the only change being the Boot version; all other configs which worked under Spring Boot 1.4.0 have been left the same.
Upvotes: 2
Views: 2208
Turns out that as of Spring Boot 1.4.1 the underlying Tomcat version got bumped up to 8.5.6, and it now does not accept any certificate types other than
Entry type: trustedCertEntry
I was using self-signed certs that were of type:
Entry type: PrivateKeyEntry
After re-generating the certs, everything started working fine.
Upvotes: 4
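An added diagnostic for the root cause the answer describes (my own example, not code from the question, the answer or Spring Boot/Tomcat): Tomcat 8.5's JSSEUtil builds PKIXBuilderParameters straight from the truststore, and that constructor only treats trustedCertEntry aliases as trust anchors, so a JKS holding only PrivateKeyEntry items produces exactly the exception in the log. The hypothetical TrustStoreCheck tool below reports each alias's entry type, reproduces the check, and optionally writes a separate trust-only copy; it assumes a JKS store with its password passed on the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collections;

public class TrustStoreCheck {
    // Same constructor Tomcat's JSSEUtil.getParameters() calls. PKIXParameters(KeyStore)
    // turns only isCertificateEntry() aliases into trust anchors, so a JKS that holds
    // nothing but PrivateKeyEntry items fails with "the trustAnchors parameter must be non-empty".
    static boolean hasTrustAnchors(KeyStore ks) throws Exception {
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            return false;
        }
    }
    // Builds a separate trust-only store: each entry's certificate (for a key entry the leaf
    // of its chain, which for a self-signed cert is its own issuer) becomes a trustedCertEntry.
    static KeyStore toTrustStore(KeyStore ks) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null); // fresh, empty in-memory store
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert != null) trust.setCertificateEntry(alias + "-trusted", cert);
        }
        return trust;
    }
    // args: <store.jks> <password> [trust-only-copy.jks]  (hypothetical CLI, assumed here)
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + ": " + (ks.isCertificateEntry(alias) ? "trustedCertEntry" : "PrivateKeyEntry"));
        }
        boolean ok = hasTrustAnchors(ks);
        System.out.println("accepted as a Tomcat 8.5 truststore: " + ok);
        if (!ok && args.length > 2) {
            try (FileOutputStream out = new FileOutputStream(args[2])) {
                toTrustStore(ks).store(out, args[1].toCharArray());
            }
        }
    }
}
```

Writing the trust anchors to their own file also lets server.ssl.trustStore point at a store that carries no private keys, instead of reusing the keystore for both roles as the Dockerfile above does.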