Failed to retrieve session credentials due to InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Problem

Your builds fail due to Tasks for AWS encountering an InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty, for example:

Build log
04-Mar-2016 10:51:11 Starting task 'Upload Artifacts' of type 'net.utoolity.atlassian.bamboo.tasks-for-aws:aws.s3.object'
04-Mar-2016 10:51:11 Setting maxErrorRetry=7 and awaitTransitionInterval=15000
04-Mar-2016 10:51:11 Using session credentials provided by Identity Federation for AWS Add-on (Connector Selection).
04-Mar-2016 10:51:11 Failed to retrieve session credentials due to Identity Federation for AWS error: com.amazonaws.AmazonClientException: Unable to execute HTTP request: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
04-Mar-2016 10:51:11 Finished task 'Upload Artifacts' with result: Error

Cause

This exception stems from the Java Virtual Machine trying to execute an HTTP request via SSL but being unable to access the local certificate authority trust store on the host system. There seem to be many potential root causes; here are a couple of pointers:

Jira Knowledge Base

The JVM cannot find the javax.net.ssl.trustStore required for SSL, or it does not contain the required certificates.

Stack Overflow

This bizarre message means that the truststore you specified was not found, or couldn't be opened due to access permissions for example. [...]

Solution

The JVM's access to the local certificate authority trust store on the host system needs to be restored.

There seem to be different solutions depending on the root cause and the JVM involved. For example, the following fairly simple solution seems to fix the problem for many users:

  1. Restore JVM access to local certificate authority trust store on the host system

    • Ubuntu

      Shell script

      sudo update-ca-certificates -f
    • Amazon Linux

      Shell script

      sudo update-ca-trust check
      sudo update-ca-trust enable
      sudo update-ca-trust check

      Shell output

      [ec2-user@ip-10-10-2-107 ~]$ sudo update-ca-trust check
      PEM/JAVA Status: DISABLED.
      (Legacy setup with static files.)
      PKCS#11 module Status, see symbolic links reported below:
      lrwxrwxrwx 1 root root 28 Feb 25 13:57 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/nss/libnssckbi.so
      (link resolving to NSS: using legacy static list)
      (link resolving to p11-kit: using the new source configuration)
      [ec2-user@ip-10-10-2-107 ~]$ sudo update-ca-trust enable
      [ec2-user@ip-10-10-2-107 ~]$ sudo update-ca-trust check
      PEM/JAVA Status: ENABLED.
      (Legacy filenames are links to files produced by update-ca-trust.)
      PKCS#11 module Status, see symbolic links reported below:
      lrwxrwxrwx 1 root root 34 Mar 4 17:34 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so
      (link resolving to NSS: using legacy static list)
      (link resolving to p11-kit: using the new source configuration)
  2. Restart Bamboo
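
To tell which of the causes quoted above applies on a build agent (trust store not found, not readable, or present without certificates), the trust store file itself can be inspected before and after the fix. The script below is an added example, not part of the original article or the add-on; its function names are hypothetical, and the paths in the usage comment and the `changeit` store password are assumptions based on common defaults.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of the original article or the add-on.
# Usage (paths are assumptions, typical JVM trust store locations):
#   sh check-truststore.sh "$JAVA_HOME/lib/security/cacerts" \
#       /etc/ssl/certs/java/cacerts /etc/pki/java/cacerts

# Print one state for a candidate trust store file:
#   missing | dangling-symlink | unreadable | empty | present
# Returns 0 only for "present".
check_truststore() {
    store=$1
    # A JVM cacerts file is often a symlink into the OS trust store;
    # if the target was never generated, the JVM sees no trust anchors.
    if [ -L "$store" ] && [ ! -e "$store" ]; then
        echo "dangling-symlink"; return 1
    fi
    if [ ! -e "$store" ]; then echo "missing"; return 1; fi
    if [ ! -r "$store" ]; then echo "unreadable"; return 1; fi
    if [ ! -s "$store" ]; then echo "empty"; return 1; fi
    echo "present"
}

# Count trusted CA entries with keytool, if it is installed.
# "changeit" is the conventional default store password (assumption).
count_trusted_certs() {
    command -v keytool >/dev/null 2>&1 || { echo "unknown"; return 0; }
    keytool -list -keystore "$1" -storepass changeit 2>/dev/null |
        grep -c trustedCertEntry || true
}

# Report on every path given on the command line.
report() {
    for candidate in "$@"; do
        state=$(check_truststore "$candidate") || true
        if [ "$state" = "present" ]; then
            echo "$candidate: present, trusted entries: $(count_trusted_certs "$candidate")"
        else
            echo "$candidate: $state"
        fi
    done
}

report "$@"
```

Run it as the user that runs Bamboo, since the "unreadable" state depends on that account's permissions.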