SSL / Certificate errors when connecting to the global canton domain

I’m trying to connect to the global canton domain. However, during the first connection attempt I get this exception here:

 GrpcServiceUnavailable: UNAVAILABLE/io exception
  Request: perform handshake with remote domain
  Causes: General OpenSslEngine problem
    Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    the trustAnchors parameter must be non-empty
javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1695)
 ...
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:102)
        at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)

I’m using a default Debian image on GCP:
Debian, Debian GNU/Linux, 9 (stretch), amd64 built on 20200521
and Debian’s standard openjdk package (headless). Any idea what this could be?

2 Likes

My guess is that it has to do with a change in certificate formats: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914424

There are some workarounds suggested there.

2 Likes

I think you ran into a Debian JDK installation problem: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914424
Apparently the shipped OpenJDK’s certificate store is corrupted.

There are a few workarounds if you want to use the default debian JDK version.

Alternatively, just download the openjdk11 from https://adoptopenjdk.net/

2 Likes
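
A small diagnostic for the error in the question, added here as an example and not code from any of the posts: it asks the JVM for its default trust anchors and runs the same non-empty check that raises the exception in the stack trace. The class name `TrustAnchorCheck` is made up; everything else is standard JDK API (Java 8 or later).

```java
import java.io.File;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck { // hypothetical class name
    // Collect the CA certificates the JVM's default trust manager accepts.
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = load the JVM's default truststore
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        // Default store is <java.home>/lib/security/cacerts unless overridden
        // (a jssecacerts file in the same directory takes precedence).
        String override = System.getProperty("javax.net.ssl.trustStore");
        File store = override != null
            ? new File(override)
            : new File(System.getProperty("java.home"), "lib/security/cacerts");
        System.out.println("java.home : " + System.getProperty("java.home"));
        System.out.println("truststore: " + store
            + (store.isFile() ? " (" + store.length() + " bytes)" : " (missing)"));

        Set<TrustAnchor> anchors = defaultAnchors();
        System.out.println("trusted CA certificates: " + anchors.size());
        try {
            new PKIXParameters(anchors); // rejects an empty set of trust anchors
            System.out.println("OK: certificate validation can be initialised");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Compile and run it with the same JDK that starts the Canton node; a count of 0 means that JVM has no usable CA certificates, which is the condition behind the handshake failure.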