Aha! I found the problem. Turns out I was using -Djava.ext.dirs=<path to fop> to execute FOP so that the dynamic class loading worked. But there's a built in way by using -Dfop.home= instead. The java.ext.dirs causes the java SSL connection to fail with a "RSA premaster secret error" that seems to get swallowed by the FOP exception handling here (google that error for details). In general maybe FOP could better log errors.
Probably a try/catch+log around the openStream call in the NormalResourceResolver class in the getResource method, but maybe also elsewhere to catch actual I/O errors.
From: Neil Smeby
Sent: Tuesday, January 8, 2019 12:34 PM
To: '[hidden email]' <[hidden email]>
Subject: RE: https external-graphics
(sorry to break the thread chain, I just recently joined the list and missed the original responses)
So the example image I was trying to use in FOP was a random google image search result (for foo) that was on a BBC media server that had https with a valid signed (not self-signed) certificate. And when I try to fetch the image using the simple java program below, it works fine. So it doesn't seem to be a JDK or certificate problem. Can someone else test the .fo file in my original email? Feel free to replace the image url with an https reference you trust.