DefaultJdkTrustConfigTests fail using bundled JDK

[mark-vieira]

Some tests in DefaultJdkTrustConfigTests fail on our bundled JDK. I presume the truststore in adoptopenjdk is slightly different than the Oracle JDK 🤦

Keep in mind, to reproduce this make sure you do not have RUNTIME_JAVA_HOME set so that the build will default to using the bundled JDK for the test runtime JVM.

Build scan:
https://gradle-enterprise.elastic.co/s/tpwfhrqqwfbok/tests/:libs:elasticsearch-ssl-config:test/org.elasticsearch.common.ssl.DefaultJdkTrustConfigTests/testGetSystemTrustStoreWithNoSystemProperties#1

Repro line:
./gradlew ':libs:elasticsearch-ssl-config:test' --tests "org.elasticsearch.common.ssl.DefaultJdkTrustConfigTests"

Reproduces locally?:
yes

Applicable branches:
master, 7.x, 7.13, 7.12

Failure excerpt:

org.elasticsearch.common.ssl.DefaultJdkTrustConfigTests > testGetNonPKCS11TrustStoreWithPasswordSet FAILED
    java.lang.AssertionError: Cannot find trusted issuer with name [thawte].
        at __randomizedtesting.SeedInfo.seed([D1D1FC4A5C6CF0B4:C8E7AFA0BAF5D16E]:0)
        at org.junit.Assert.fail(Assert.java:88)
        at org.elasticsearch.common.ssl.DefaultJdkTrustConfigTests.assertHasTrustedIssuer(DefaultJdkTrustConfigTests.java:64)
        at org.elasticsearch.common.ssl.DefaultJdkTrustConfigTests.assertStandardIssuers(DefaultJdkTrustConfigTests.java:50)
        at org.elasticsearch.common.ssl.DefaultJdkTrustConfigTests.testGetNonPKCS11TrustStoreWithPasswordSet(DefaultJdkTrustConfigTests.java:40)

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[davidkyle]

Muted on master #72208, 7x #72210, 7.13 #72211 and 7.12 #72212

[albertzaharovits]

Looks like it's a problem in 6.8 as well, with adoptopen JDK 11 : https://gradle-enterprise.elastic.co/s/7uhydedtzisoi

Some CA authorities have become untrusted in the latest JDK builds:
https://www.oracle.com/java/technologies/javase/11all-relnotes.html#R11_0_11