2

I'm upgrading Jenkins on my void-linux server, which involves updating the JRE. I installed openjdk21-jre with xbps, deinstalled the old one (openjdk14-jre) and installed Jenkins 2.528.

It started normally, and I was going to update all the plug-ins, when I got hit with an exception:

"java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty".

After some googling and trying to find the source of the exception, I noticed a broken symlink.

$JAVA_HOME/lib/security/cacerts was pointing to a non-existing /etc/ssl/certs/java/cacerts.

I reinstalled and reconfigured the JRE, but the cacerts were still missing. I also tried building it myself with keytool and the certificates from /etc/ssl/certs, but that didn't work.

How can I fix this?

Improve this question
2
  • 2
    AFAIK on a lot Linux distributions the cacerts file is not shipped with the java package but generated from the "system trust store" (e.g. /etc/ssl/certs) upon installation. Possible that this generation mechanism is broken on your system. Commented Sep 23, 2025 at 11:28
  • I just checked the install script of the OpenJDK package and it only creates the symlink. So now I'm trying to find whatever creates the file in the first place. Commented Sep 23, 2025 at 13:56

1 Answer 1

Reset to default
1

I found the solution. I had to install openjdk-common package, which for some reason is not a dependency of the openjdk21-jre package.

For anyone interested how I found this. I git cloned the package repository and ran a grep -r cacerts . on it.

Improve this answer
1
  • "I had to install openjdk-common package"? Commented Sep 24, 2025 at 8:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.