Connection problems with SSL/TLS peers in Java on Ubuntu Server 14.12 (with fix!)

I ran into some trouble with the Android SDK on a freshly installed Ubuntu Server 14.12 with OpenJDK due to an empty Java CA certificates keystore. Both version 7 and 8 of OpenJDK seemed to be affected. A fix is described below.Whenever I fired up the android tool in the SDK to install additional components it failed to download repository data from Google’s server and instead showed these errors:

Failed to fetch URL, reason: peer not authenticated
Fetched Add-ons List successfully
Fetching URL:
Failed to fetch URL, reason: SSLPeerUnverified peer not authenticated

The source of the problem turned out to be an empty Certificate Authority keystore. Somehow dpkg seems to try to build the Java keystore (/etc/ssl/certs/java/cacerts) before it actually installs Java, which the the tool to build the store requires. The result is an empty store:

root@gl:/etc/ssl/certs/java# keytool -list -keystore cacerts
Enter keystore password: 

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries

Note: the default password for the keystore is “changeit”.

Fix: To properly build the keystore with all trusted CA certificates, run this:

root@gl:~# rm /etc/ssl/certs/java/cacerts
root@gl:~# /var/lib/dpkg/info/ca-certificates-java.postinst configure

You should see a long list of added certificates (*.pem) and finally a “done”.
Problem solved.

5 thoughts on “Connection problems with SSL/TLS peers in Java on Ubuntu Server 14.12 (with fix!)

  1. Thanks, that’s the issue and the solution for several problems while installing studio or the sdk.

  2. Thank you! That’s precisely what I needed to do and it worked. This bug is very annoying and this is the only place I’ve seen with a clear explanation of what’s going wrong.

Leave a Reply

Your email address will not be published. Required fields are marked *