Java cacerts bad, where to get good ones and where to put them?

I have learned that my java ca certificates are bad because certain applications (minecraft, don’t laugh :wink: ) give me errors on startup and do not run. i.e.,

Downloading: java.lang.NegativeArraySizeException


FATAL ERROR: net.minecraft.bootstrap.FatalBootstrapError: Unable to download while being forced
    at net.minecraft.bootstrap.Bootstrap.execute(
    at net.minecraft.bootstrap.Bootstrap.main(

I’ve done my homework and it looks like due to bad cacerts, java (jre 8u121 to be specific, just updated with the tarball to be sure!) does not trust amazon web services.

However, I could use some hand-holding (or even just a pointer or two) on what I need to do next. I have copied year-old good cacerts from a friend’s windows machine, and have tried placing them as




Neither of these has fixed the problem. It’s my understanding that these are respectively the general certifications directory and the security directory of my jre.
I am now curious if there are some symlinks i need to create, (so many of those…) or if I’m on completely the wrong track with the cacerts.
Perhaps I’ll even get lucky and some of you folks will be minecraft experts!

Thanks for reading,

–Henry Wilson

I have no issues here with minecraft (1.11.2) starts up fine, I’m using java-1_8_0-openjdk not jre on 42.2…

Maybe look at update-alternatives, check with;

update-alternatives --help
update-alternatives --list java

Oho, I just assumed I needed the JRE. Perhaps that’s not being used at all, and can be removed. I’ll try my copied certs in jre-1.8.0-openjdk/lib/security, mentioned by update-alternatives. Update-alternatives seems like a useful tool, thanks for telling me about it!

Hmm. Not so good. Copied certs, no luck. I’ll try uninstalling and reinstalling openjdk. Perhaps that can just replace everything.

No beans, dice, cigar, et cetera.

My fail by the way is in minecraft installation, it’s trying to download all the files it needs. All I’m running is the launcher, with no version involved.

Thanks, Malcolm. I’ll get back to this tomorrow, try more things. Until then, I’ve got to sleep. All sorts of classes tomorrow.

If I were to guess,
You’ve installed the JRE or JDK from and munged up your system.

When you install any Oracle Java, it over-writes any existing Java on your system by default (because Oracle always believes it and only it should exist on any system). What this means is that it likely stomped all over your openjdk and anything else.

When this happens,
I don’t know of any easy way to remove Oracle Java or re-install openjdk with guaranteed success, it’s one of those things that once it’s done there really isn’t an easy way to undo it.

It looks like someone has updated the SDB “Install Java” page again, I haven’t reviewed it… Maybe there is something in there for you to move forward in your situation

If there is sufficiently complete info about Oracle 8, I’ll take a look again at scripting its install so that it plays nice with openjdk.
I did that with Oracle 7, but the architectural changes in Oracle 8 were too great for me to confidently do the same for it.


I did indeed install a JRE from Oracle, but this was a couple weeks ago, and my java applications broke three days ago. Also, the way I installed it was not by any install script, but by extracting a tarball into (i believe) “/usr/java”. I have since removed the files via simple “rm -rf” at the directory. My java still launches things, but it does not trust websites like If this is the problem, I’d be pretty surprised, as I probably never ended up using it whatsoever, given all of my calls to java would just have hit my openjdk installation. But I’ll take a look at those links, see what I can find. Thanks!

Okay, I completely removed openjdk 7; fixed all the issues. Not sure what caused these issues in the first place, but now they are gone.

Thanks for your help, all!

–Henry Wilson

I suppose what you described here <might> work if you set your environmental variables accordingly (which you didn’t post).

I’m glad you say that you believe you resolved your situation, but without understanding every detail of what you did be prepared for possible problems in the future. In general, I’ve found that the SDB:Install Java link I posted for you can be considered authoritative and current recommendations. Even if/when I’ve modified or created scripts, all have been based on the info posted there.