mdq download failure - trustAnchors parameter must be non-empty

Paul B. Henson henson at cpp.edu
Fri Dec 3 20:27:07 UTC 2021 

I received a few reports of "Unsupported Request" errors from users trying to access various services. It appeared there was a failure downloading the metadata via mdq:

2021-12-03 10:30:22,111 - 2600:6c51:7c7f:760:b5d2:3497:da48:698d/node0ct4oh8f0w5dx1rsjwqiqgweku1932339 - ERROR [org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver:869] - Metadata Resolver FunctionDrivenDynamicHTTPMetadataResolver incommon-mdq: Error fetching metadata from origin source
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)

The failures were sporadic and intermittent. The specific error seems to be generally associated with client configuration, but given it popped up out of the blue with no changes and was only happening on some requests that didn't seem likely. At first I thought there was a problem with Incommon's infrastructure, but then noticed that the errors were only occurring on one of my three nodes, which made that theory less likely.

I ended up just restarting jetty on the problematic node and the problem seems to have gone away. My best guess is something got corrupted or into a bad state somewhere?

Dunno, just throwing it out there for the archives, thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768

More information about the users mailing list