In Spring Boot I have set up Micrometer to pass metrics to CloudWatch, however I am receiving an `InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty` error.

I'm running Spring Boot 2.0.9, Spring Framework Cloud 2.0.1 and Micrometer 1.0.10. This application is deployed in a Docker container through ECS. What do I need to do to trust the certificate?

AWS specific properties for application.properties:

management.metrics.export.cloudwatch.namespace=test
management.metrics.export.cloudwatch.batchSize=20
cloud.aws.region.auto=true
cloud.aws.region.static=

When I run my application I am getting the following error:

2019-04-08 22:58:38.877 ERROR 25 --- [pool-1-thread-4] i.m.cloudwatch.CloudWatchMeterRegistry : Error sending metric data.
com.amazonaws.SdkClientException: Unable to execute HTTP request: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1114) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1064) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.services.cloudwatch.AmazonCloudWatchClient.doInvoke(AmazonCloudWatchClient.java:1340) ~[aws-java-sdk-cloudwatch-1.11.280.jar:na]
at com.amazonaws.services.cloudwatch.AmazonCloudWatchClient.invoke(AmazonCloudWatchClient.java:1316) ~[aws-java-sdk-cloudwatch-1.11.280.jar:na]
at com.amazonaws.services.cloudwatch.AmazonCloudWatchClient.executePutMetricData(AmazonCloudWatchClient.java:1223) ~[aws-java-sdk-cloudwatch-1.11.280.jar:na]
at com.amazonaws.services.cloudwatch.AmazonCloudWatchAsyncClient$14.call(AmazonCloudWatchAsyncClient.java:774) [aws-java-sdk-cloudwatch-1.11.280.jar:na]
at com.amazonaws.services.cloudwatch.AmazonCloudWatchAsyncClient$14.call(AmazonCloudWatchAsyncClient.java:768) [aws-java-sdk-cloudwatch-1.11.280.jar:na]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_202]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_202]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_202]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_202]
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1903) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1886) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1402) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[na:1.8.0_202]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) ~[httpclient-4.5.5.jar:4.5.5]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) ~[httpclient-4.5.5.jar:4.5.5]
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:132) ~[aws-java-sdk-core-1.11.280.jar:na]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.5.jar:4.5.5]
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) ~[httpclient-4.5.5.jar:4.5.5]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_202]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_202]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_202]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_202]
at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.conn.$Proxy113.connect(Unknown Source) ~[na:na]
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) ~[httpclient-4.5.5.jar:4.5.5]
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) ~[httpclient-4.5.5.jar:4.5.5]
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) ~[httpclient-4.5.5.jar:4.5.5]
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.5.jar:4.5.5]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.5.jar:4.5.5]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.5.jar:4.5.5]
at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1236) ~[aws-java-sdk-core-1.11.280.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1056) ~[aws-java-sdk-core-1.11.280.jar:na]
... 15 common frames omitted
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:91) ~[na:1.8.0_202]
at sun.security.validator.Validator.getInstance(Validator.java:181) ~[na:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312) ~[na:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171) ~[na:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184) ~[na:1.8.0_202]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_202]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ~[na:1.8.0_202]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[na:1.8.0_202]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[na:1.8.0_202]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[na:1.8.0_202]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[na:1.8.0_202]
... 36 common frames omitted

1 Answer

roxyblue

The short answer to this question is to ensure Java trusts the certificates in question via the cacerts file.

See the correct way to import root and intermediate certs into java cacerts

The longer answer to my particular question is that I had an invalid cacerts file, so Java was trusting nothing. I had copied the AWS Corretto JVM into the Tomcat Docker image and the cacerts file was an invalid symbolic link.

Replacing the cacerts file in /usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64/jre/lib with the OS version (/etc/ssl/certs/java/cacerts) solved the problem. The OS cacerts file already includes the AWS certificates.
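A fail-fast check for the condition described in this answer, added here as an example and not part of the original answer or of Micrometer: it resolves the trust store path the JVM default lookup uses (the `javax.net.ssl.trustStore` property, else `java.home/lib/security/cacerts`; the `jssecacerts` fallback is deliberately omitted), reports a dangling symlink, and counts the trust anchors the default `TrustManagerFactory` actually loads, so an image with an empty or broken cacerts fails at build time instead of at the first CloudWatch `PutMetricData` call.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Exits non-zero when the JVM default trust store would yield zero trust anchors. */
public class TrustStoreCheck {

    /** Simplified JSSE default lookup: system property override, else java.home/lib/security/cacerts. */
    static Path defaultTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        // On Java 8 java.home is the jre directory, so this resolves to .../jre/lib/security/cacerts.
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Number of CA certificates the default X509TrustManager accepts; 0 means every TLS handshake fails. */
    static int countTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = load the JVM default trust store, as the AWS SDK's SSLContext does
        int anchors = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                anchors += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        Path store = defaultTrustStorePath();
        System.out.println("trust store: " + store);
        if (Files.isSymbolicLink(store)) {
            // Files.exists follows the link, so a dangling symlink (the cause above) is reported here.
            Path target = Files.readSymbolicLink(store);
            System.out.println("  symlink -> " + target + (Files.exists(store) ? "" : "  [DANGLING]"));
        }
        if (!Files.isRegularFile(store)) {
            System.out.println("FAIL: trust store is not a readable regular file");
            System.exit(1);
        }
        int anchors = countTrustAnchors();
        System.out.println("  trust anchors loaded: " + anchors);
        if (anchors == 0) {
            System.out.println("FAIL: empty trust store, handshakes will fail with 'the trustAnchors parameter must be non-empty'");
            System.exit(1);
        }
    }
}
```

Run it with the same JVM and `-Djavax.net.ssl.trustStore` settings the application uses (for example as a `RUN java TrustStoreCheck` step in the Dockerfile) so the check sees the trust store the application will see.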