Alpine Package libcrypto3 (3.1.4-r0) crash java-cacerts /etc/ssl/certs/java/cacerts


I tried to build a Java 17 image based on Alpine (3.18.4).

I ran the following command:

apk upgrade --no-cache && apk add --no-cache openjdk17-jre="17.0.9_p8-r0"

When I tried to execute my container, it raised the following error:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

After some investigation, I found that this problem arises if /usr/lib/jvm/java-17-openjdk/lib/security/cacerts -> /etc/ssl/certs/java/cacerts does not exist.

It looks like openjdk17-jre depends on openjdk17-jre-headless -> java-cacerts -> ca-certificates -> libcrypto3.

With my libcrypto3 and libssl3 at version 3.1.3-r0, the file /etc/ssl/certs/java/cacerts was generated after installing openjdk17-jre.

Since I upgraded libcrypto3 and libssl3 to version 3.1.4-r0, the file isn't generated anymore.

1

There are 1 answers

0
containercrusader On

I ran the minimal Docker container you mentioned (alpine:3.18.4), and the symlink from /usr/lib/jvm/java-17-openjdk/lib/security/cacerts -> /etc/ssl/certs/java/cacerts was successfully created during installation of the packages. I suspect the issue is somewhere else. Can you provide a minimal Dockerfile which still produces the java.security.InvalidAlgorithmParameterException when executing? Even when installing the latest openjdk17-jre (17.0.9_p8-r0), the symlink is still present.

$ docker run -it --rm alpine:3.18.4 sh
# apk upgrade --no-cache && apk add --no-cache openjdk17-jre="17.0.9_p8-r0" 
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/7) Upgrading musl (1.2.4-r1 -> 1.2.4-r2)
(2/7) Upgrading busybox (1.36.1-r2 -> 1.36.1-r5)
Executing busybox-1.36.1-r5.post-upgrade
(3/7) Upgrading busybox-binsh (1.36.1-r2 -> 1.36.1-r5)
(4/7) Upgrading libcrypto3 (3.1.3-r0 -> 3.1.4-r0)
(5/7) Upgrading libssl3 (3.1.3-r0 -> 3.1.4-r0)
(6/7) Upgrading ssl_client (1.36.1-r2 -> 1.36.1-r5)
(7/7) Upgrading musl-utils (1.2.4-r1 -> 1.2.4-r2)
Executing busybox-1.36.1-r5.trigger
OK: 7 MiB in 15 packages
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/27) Installing java-common (0.5-r0)
(2/27) Installing libffi (3.4.4-r2)
(3/27) Installing p11-kit (0.24.1-r2)
(4/27) Installing libtasn1 (4.19.0-r1)
(5/27) Installing p11-kit-trust (0.24.1-r2)
(6/27) Installing ca-certificates (20230506-r0)
(7/27) Installing java-cacerts (1.0-r1)
(8/27) Installing openjdk17-jre-headless (17.0.9_p8-r0)
(9/27) Installing libxau (1.0.11-r2)
(10/27) Installing libmd (1.0.4-r2)
(11/27) Installing libbsd (0.11.7-r1)
(12/27) Installing libxdmcp (1.1.4-r2)
(13/27) Installing libxcb (1.15-r1)
(14/27) Installing libx11 (1.8.7-r0)
(15/27) Installing libxext (1.3.5-r2)
(16/27) Installing libxi (1.8.1-r0)
(17/27) Installing libxrender (0.9.11-r3)
(18/27) Installing libxtst (1.2.4-r2)
(19/27) Installing alsa-lib (1.2.9-r1)
(20/27) Installing brotli-libs (1.0.9-r14)
(21/27) Installing libbz2 (1.0.8-r5)
(22/27) Installing libpng (1.6.39-r3)
(23/27) Installing freetype (2.13.0-r5)
(24/27) Installing giflib (5.2.1-r4)
(25/27) Installing libjpeg-turbo (2.1.5.1-r3)
(26/27) Installing lcms2 (2.15-r2)
(27/27) Installing openjdk17-jre (17.0.9_p8-r0)
Executing busybox-1.36.1-r5.trigger
Executing java-common-0.5-r0.trigger
Executing ca-certificates-20230506-r0.trigger
OK: 199 MiB in 42 packages
/ # ls -lah /usr/lib/jvm/java-17-openjdk/lib/security/cacerts
lrwxrwxrwx    1 root     root          27 Nov  7 15:56 /usr/lib/jvm/java-17-openjdk/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
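
The `ls -lah` output above shows only that the symlink exists, not that its target does. As an added example (not part of the question or the answer), the following build-time check fails when the JVM trust store is missing, dangling, empty or not a keystore; the function name `check_cacerts` and its return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# check_cacerts JAVA_HOME   (hypothetical helper, not from the original thread)
# Returns 0 when JAVA_HOME/lib/security/cacerts is a usable trust store.
# Otherwise prints the reason to stderr and returns:
#   1 = path missing, 2 = dangling symlink, 3 = empty file,
#   4 = neither a JKS nor a PKCS#12 keystore.
# Example use in a Dockerfile RUN step:
#   check_cacerts /usr/lib/jvm/java-17-openjdk
check_cacerts() {
    store="$1/lib/security/cacerts"

    # A symlink whose target was never generated is the case described
    # in the question: the link is there, the file behind it is not.
    if [ -L "$store" ] && [ ! -e "$store" ]; then
        echo "dangling symlink: $store -> $(readlink "$store")" >&2
        return 2
    fi
    if [ ! -e "$store" ]; then
        echo "missing: $store" >&2
        return 1
    fi
    # A zero-byte store loads without trust anchors.
    if [ ! -s "$store" ]; then
        echo "empty trust store: $store" >&2
        return 3
    fi
    # JKS files start with the magic bytes FE ED FE ED; PKCS#12 is DER
    # and starts with a SEQUENCE tag (0x30).
    magic=$(head -c 4 "$store" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        feedfeed|30*) return 0 ;;
    esac
    echo "unrecognised keystore format (magic $magic): $store" >&2
    return 4
}
```

Running it in the same `RUN` layer as the `apk add` makes the image build stop at the point where the trust store was not generated, rather than failing later at container start.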