[ https://issues.apache.org/jira/browse/NIFI-9249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17420929#comment-17420929 ]
David Handermann commented on NIFI-9249:
----------------------------------------
[~pvillard] does the {{cacerts}} file for Java 11 contain any custom
certificate entries? The date on the file suggests it has recently been
modified. The OpenJDK TrustStoreUtil.getTrustedCerts() hides exceptions when
reading the trust store, so there may be issues with entries in the file:
[https://github.com/openjdk/jdk/blob/6765f902505fbdd02f25b599f942437cd805cad1/src/java.base/share/classes/sun/security/validator/TrustStoreUtil.java#L53]
One test would be to copy the {{cacerts}} file from the Java 8 home directory
to Java 11 and see if that loads entries as expected.
> OIDC with Java 11 - the trustAnchors parameter must be non-empty
> ----------------------------------------------------------------
>
> Key: NIFI-9249
> URL: https://issues.apache.org/jira/browse/NIFI-9249
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.14.0
> Environment: openjdk version "11.0.6" 2020-01-14
> OpenJDK Runtime Environment (build 11.0.6+10-post-Debian-1bpo91)
> OpenJDK 64-Bit Server VM (build 11.0.6+10-post-Debian-1bpo91, mixed mode,
> sharing)
> Reporter: Pierre Villard
> Priority: Major
> Attachments: nifi-bootstrap (1).log, nifi-bootstrap (2).log,
> nifi-bootstrap.log, stacktrace.txt
>
>
> With the exact same configuration, when switching from Java 8 to Java 11, I
> get the following error when using OIDC for authentication:
> {code:java}
> 2021-09-27 09:52:57,733 WARN [main] org.apache.nifi.web.server.JettyServer
> Failed to start web server... shutting down.
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'oidcService' defined in class path resource
> [nifi-web-security-context.xml]: Bean instantiation via constructor failed;
> nested exception is org.springframework.beans.BeanInstantiationException:
> Failed to instantiate [org.apache.nifi.web.security.oidc.OidcService]:
> Constructor threw exception; nested exception is java.lang.RuntimeException:
> Unable to retrieve OpenId Connect Provider metadata from:
> https://accounts.google.com/.well-known/openid-configuration
> at
> org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:315)
> at
> org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:296)
> at
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1354)
> at
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1204)
> at
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:564)
> at
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:524)
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
> at
> org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)
> at
> org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208)
> at
> org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:944)
> at
> org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:918)
> at
> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583)
> at
> org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:401)
> at
> org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:292)
> at
> org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
> at
> org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:1068)
> at
> org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:572)
> at
> org.eclipse.jetty.server.handler.ContextHandler.contextInitialized(ContextHandler.java:997)
> at
> org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:746)
> at
> org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
> at
> org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
> at
> org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
> at
> org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:911)
> at
> org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
> at
> org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
> at
> org.eclipse.jetty.server.handler.gzip.GzipHandler.doStart(GzipHandler.java:426)
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> at org.eclipse.jetty.server.Server.start(Server.java:423)
> at
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:110)
> at
> org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:97)
> at org.eclipse.jetty.server.Server.doStart(Server.java:387)
> at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
> at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1129)
> at org.apache.nifi.NiFi.<init>(NiFi.java:159)
> at org.apache.nifi.NiFi.<init>(NiFi.java:71)
> at org.apache.nifi.NiFi.main(NiFi.java:303)
> Caused by: org.springframework.beans.BeanInstantiationException: Failed to
> instantiate [org.apache.nifi.web.security.oidc.OidcService]: Constructor
> threw exception; nested exception is java.lang.RuntimeException: Unable to
> retrieve OpenId Connect Provider metadata from:
> https://accounts.google.com/.well-known/openid-configuration at
> org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:225)
> at
> org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:117)
> at
> org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:311)
> ... 53 common frames omitted
> Caused by: java.lang.RuntimeException:
> Unable to retrieve OpenId Connect Provider metadata from:
> https://accounts.google.com/.well-known/openid-configuration at
> org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.initializeProvider(StandardOidcIdentityProvider.java:123)
> at
> org.apache.nifi.web.security.oidc.OidcService.<init>(OidcService.java:67)
> at
> org.apache.nifi.web.security.oidc.OidcService.<init>(OidcService.java:50)
> at
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method) at
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at
> java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at
> java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
> at
> org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:212)
> ... 55 common frames omitted
> Caused by: javax.net.ssl.SSLException:
> Unexpected error: java.security.InvalidAlgorithmParameterException: the
> trustAnchors parameter must be non-empty at
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method) at
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at
> java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at
> java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1969)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1964)
> at java.base/java.security.AccessController.doPrivileged(Native
> Method) at
> java.base/sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1963)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1531)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
> at
> java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
> at
> java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334)
> at
> com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:901) at
> org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.retrieveOidcProviderMetadata(StandardOidcIdentityProvider.java:255)
> at
> org.apache.nifi.web.security.oidc.StandardOidcIdentityProvider.initializeProvider(StandardOidcIdentityProvider.java:121)
> ... 62 common frames omitted
> Caused by: javax.net.ssl.SSLException:
> Unexpected error: java.security.InvalidAlgorithmParameterException: the
> trustAnchors parameter must be non-empty at
> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133) at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
> at
> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
> at
> java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1313)
> at
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:408)
> at
> java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
> at
> java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
> at
> java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
> at
> java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
> at
> com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:890)
> ... 64 common frames omitted
> Caused by: java.lang.RuntimeException: Unexpected error:
> java.security.InvalidAlgorithmParameterException: the trustAnchors parameter
> must be non-empty
> at
> java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
> at
> java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
> at
> java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)
> at
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
> at
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:189)
> at
> java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
> at
> java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
> at
> java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
> at
> java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
> at
> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
> at
> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
> at
> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
> at
> java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
> at
> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
> at
> java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151)
> at
> java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062)
> at
> java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
> ... 70 common frames omitted
> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors
> parameter must be non-empty
> at
> java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> at
> java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
> at
> java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
> at
> java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)
> ... 86 common frames omitted
> {code}
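A diagnostic for the check suggested in the comment above, as an added example that is not part of the original message or of NiFi or OpenJDK: it loads a {{cacerts}} file and walks every alias, reporting entries that cannot be read or are not X.509 certificates instead of hiding the failure. The class name CacertsCheck and the fallback to the stock password "changeit" are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class CacertsCheck {
    public static void main(String[] args) throws Exception {
        // Default JDK trust store location; pass another path as the first argument.
        Path path = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // Assumption: the store still uses the stock password "changeit".
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        System.out.printf("store=%s size=%d modified=%s%n",
                path, Files.size(path), Files.getLastModifiedTime(path));
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password); // format or password problems are thrown here
        }

        int usable = 0, problems = 0;
        for (String alias : Collections.list(store.aliases())) {
            try {
                Certificate cert = null;
                if (store.isCertificateEntry(alias)) {
                    cert = store.getCertificate(alias);
                } else if (store.isKeyEntry(alias)) {
                    Certificate[] chain = store.getCertificateChain(alias);
                    cert = (chain != null && chain.length > 0) ? chain[0] : null;
                }
                if (cert instanceof X509Certificate) {
                    usable++;
                } else {
                    problems++;
                    System.out.println("not an X.509 certificate: " + alias);
                }
            } catch (KeyStoreException e) {
                problems++; // report instead of hiding the failure
                System.out.println("unreadable entry " + alias + ": " + e);
            }
        }
        System.out.printf("usable=%d problems=%d%n", usable, problems);
        if (usable == 0) {
            System.exit(1); // an empty anchor set is what PKIXParameters rejects
        }
    }
}
```

Running it with the Java 11 runtime against both the Java 8 and the Java 11 {{cacerts}} files shows whether the difference lies in the file contents or in how the runtime reads them.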