Java high-level REST client fails to connect over https

shivkumar.chelwa · February 19, 2021, 8:41pm

Hi, I am trying to connect Elastic over https using high-level REST client. But the clients fails with below exception.

java.io.IOException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:884)

at org.elasticsearch.client.RestClient.performRequest(RestClient.java:283)

at org.elasticsearch.client.RestClient.performRequest(RestClient.java:270)

at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1632)

at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1617)

at org.elasticsearch.client.IndicesClient.exists(IndicesClient.java:974)

at org.me.elastic.ElasticSSLClient.createIndexes(ElasticSSLClient.java:70)

at org.me.elastic.ElasticSSLClient.main(ElasticSSLClient.java:34)

Caused by: javax.net.ssl.SSLException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

at org.apache.http.nio.reactor.ssl.SSLIOSession.convert(SSLIOSession.java:262)

at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:269)

at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)

at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:523)

at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)

at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)

at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)

at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)

at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)

at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)

at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)

at java.base/java.lang.Thread.run(Thread.java:834)

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)

at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)

at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)

at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:99)

at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)

at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:300)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:246)

at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)

at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1334)

at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231)

at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174)

at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)

at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)

at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)

at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)

at java.base/java.security.AccessController.doPrivileged(Native Method)

at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)

at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:285)

at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:345)

... 9 more

The java client code is available at https://github.com/shivchelwa/elastic-ssl-client. Please advice if any correction required in this case.

shivkumar.chelwa · February 23, 2021, 3:44am

I got it fixed. The truststore password was blank and I have to use below peace of code to load certificates from truststore.

    KeyStore truststore = KeyStore.getInstance("pkcs12");
    truststore.load(is, "".toCharArray());

But, I am not able to use Basic Authentication with HTTPS. I am use default "native" realm. Is Basic Authentication not supported when HTTPS is enabled and realm is "native"?

system · March 23, 2021, 3:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.