mdq download failure - trustAnchors parameter must be non-empty
Krug, Jeff
Jeff.Krug at gtri.gatech.edu
Wed Jan 19 18:34:32 UTC 2022
Had this same problem crop up, and it was a problem for almost a month it seems, before the metadata actually expired. Same deal though, that restarting seems to have fixed it. My best guess is that the version of Java got updated by Linux updates and somehow that corrupted the cacerts file in some way? But likewise not sure exactly what happened.
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Paul B. Henson <henson at cpp.edu>
Sent: Friday, December 3, 2021 3:27:07 PM
To: Shib Users
Subject: mdq download failure - trustAnchors parameter must be non-empty
I received a few reports of "Unsupported Request" errors from users trying to access various services. It appeared there was a failure downloading the metadata via mdq:
2021-12-03 10:30:22,111 - 2600:6c51:7c7f:760:b5d2:3497:da48:698d/node0ct4oh8f0w5dx1rsjwqiqgweku1932339 - ERROR [org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver:869] - Metadata Resolver FunctionDrivenDynamicHTTPMetadataResolver incommon-mdq: Error fetching metadata from origin source
javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
The failures were sporadic and intermittent. The specific error seems to be generally associated with client configuration, but given it popped up out of the blue with no changes and was only happening on some requests, that didn't seem likely. At first I thought there was a problem with InCommon's infrastructure, but then noticed that the errors were only occurring on one of my three nodes, which made that theory less likely.
I ended up just restarting Jetty on the problematic node and the problem seems to have gone away. My best guess is something got corrupted or into a bad state somewhere?
Dunno, just throwing it out there for the archives, thanks...
--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | henson at cpp.edu
California State Polytechnic University | Pomona CA 91768
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
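Added example, not part of either message and not Shibboleth or OpenSAML code: a stand-alone check of the truststore that a JVM on the affected node would load by default. `PKIXParameters` raises the exception quoted in the log when the keystore it is given holds no trusted certificate entries. The class name is hypothetical, and the file lookup assumes the standard JSSE order (the `javax.net.ssl.trustStore` property, then `jssecacerts`, then `cacerts`) with no custom trust engine configured.

```java
import java.io.File;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

public class TrustAnchorCheck {

    // Pick the truststore file in the order JSSE uses by default (assumption: no custom setup).
    static File resolveTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null && !explicit.isEmpty()) {
            return new File(explicit);
        }
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.isFile() ? jsse : new File(dir, "cacerts");
    }

    public static void main(String[] args) throws Exception {
        File store = resolveTrustStore();
        System.out.println("truststore: " + store + " (" + store.length() + " bytes)");
        if (!store.isFile() || !store.canRead() || store.length() == 0) {
            System.out.println("FAIL: file missing, unreadable or empty");
            System.exit(2);
        }
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        // A null password loads the store without an integrity check.
        KeyStore ks = KeyStore.getInstance(store, pw == null ? null : pw.toCharArray());
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) anchors++;
        }
        System.out.println("trusted certificate entries: " + anchors);
        try {
            // Throws "the trustAnchors parameter must be non-empty" when anchors == 0.
            new PKIXParameters(ks);
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
        System.out.println("OK: PKIX validation can be initialised from this truststore");
    }
}
```

Run it with the same `java` binary and system properties that Jetty uses. It inspects the file on disk in a fresh JVM, so a pass here while the running process still logs the error points at state held by that process rather than at the current file.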