I upgraded the Tomcat7 server on Linux Debian.
Tomcat stopped serving HTTPS. The port was open and there was no strange message in the log, but it was not possible to connect from a browser.
Here is the configuration of the HTTPS connector:
<Connector port="8443" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
Long story short: the old version of Tomcat7 was using the keystore from the file /etc/tomcat7/keystore, but the new version expects /etc/tomcat7/keystore.jks.
cd /etc/tomcat7 && ln -s keystore keystore.jks
Restart Tomcat. 🙂
The default installation of Tomcat 7 on Linux Debian listens on port 8080.
When you want to change the port to 80, you have several options.
You can use iptables to redirect communication arriving on port 80 to port 8080:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
The more straightforward approach is to bind Tomcat directly to port 80. First, change port 8080 to 80 in the file /etc/tomcat7/server.xml.
You'll see error messages in /var/log/tomcat7/catalina.out when you try to restart Tomcat:
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-80]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-80]]
Caused by: java.net.BindException: Permission denied
The problem is that the default installation of Tomcat 7 on Linux Debian only allows binding to ports higher than 1023. You need to allow binding to privileged ports.
Open the file /etc/default/tomcat7 and change the option from:
Restart Tomcat and it will listen on port 80.
There is a very annoying bug in OpenSSL 1.0 which affects curl. When you try to access Tomcat 7 over HTTPS with curl, you'll get this fancy error:
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
The -k parameter is not working at all.
You're not able to invoke any request against Tomcat 7 over HTTPS in the default configuration.
The solution is to restrict the available ciphers in Tomcat's HTTPS connector:
Restart Tomcat and curl will work.
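The three connector problems above (a keystore file the connector cannot find, a privileged port that the service is not allowed to bind, and an HTTPS connector left on the JVM's default cipher list) can all be caught by reading server.xml before restarting Tomcat. The script below is an added example and not the post's own code: it parses the Connector elements with the standard library, resolves a relative keystoreFile against the configuration directory, and reports each finding. The keystoreFile and ciphers attributes are the standard Tomcat JSSE connector attributes; the assumption that a connector without keystoreFile uses keystore.jks in the configuration directory follows the post's observation about the new package and is a parameter you can change. The server.xml it lints is constructed in a temporary directory, with only the old-name keystore present, so that the output mirrors the situation in the post.

```python
"""Lint a Tomcat server.xml for the pitfalls described in the post (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

PRIVILEGED_PORT_MAX = 1023  # ports 0-1023 need root, a capability or authbind on Linux


def lint_server_xml(xml_path, conf_dir, default_keystore="keystore.jks"):
    """Return a list of (port, message) findings for every Connector in xml_path.

    conf_dir is the directory relative keystoreFile paths are resolved against
    (/etc/tomcat7 for Debian's package; a constructed temp dir in demo()).
    default_keystore is an assumption: the name used when keystoreFile is absent.
    """
    findings = []
    root = ET.parse(xml_path).getroot()
    for conn in root.iter("Connector"):
        port_attr = conn.get("port", "")
        try:
            port = int(port_attr)
        except ValueError:
            findings.append((port_attr, "port attribute is not a number"))
            continue
        if port <= PRIVILEGED_PORT_MAX:
            findings.append((port, "privileged port: the service must be allowed to bind it "
                                   "or startup fails with java.net.BindException: Permission denied"))
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no keystore or cipher checks apply
        keystore = conn.get("keystoreFile", default_keystore)
        if not os.path.isabs(keystore):
            keystore = os.path.join(conf_dir, keystore)
        if not os.path.exists(keystore):
            # The post's upgrade case: the old-name file exists, only the .jks name is missing
            legacy = keystore[:-len(".jks")] if keystore.endswith(".jks") else None
            hint = ""
            if legacy and os.path.exists(legacy):
                hint = f" (old-name keystore exists at {legacy}; symlink it to {keystore})"
            findings.append((port, f"keystoreFile {keystore} does not exist{hint}"))
        if not conn.get("ciphers"):
            findings.append((port, "no ciphers attribute: JVM default cipher list in use"))
    return findings


def demo():
    """Lint a constructed server.xml that reproduces the post's three situations."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "keystore"), "wb"):
        pass  # constructed: only the pre-upgrade keystore name exists
    xml = """<Server><Service name="Catalina">
      <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
      <Connector port="8443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
                 keystoreFile="keystore.jks" />
    </Service></Server>"""
    path = os.path.join(tmp, "server.xml")
    with open(path, "w") as fh:
        fh.write(xml)
    return lint_server_xml(path, tmp)


if __name__ == "__main__":
    for port, message in demo():
        print(f"port {port}: {message}")
```

Run it against the real file with lint_server_xml("/etc/tomcat7/server.xml", "/etc/tomcat7") after editing the connector and before restarting; an empty list means none of the three conditions applies.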
I was deploying an application on Tomcat7/OpenJDK. This application was accessing further secure services such as SMTPS and HTTPS.
Tomcat was complaining that the certificates were not correct (PKIX): the trustAnchors parameter must be non-empty.
The solution for Debian was quite easy once I found the correct path to cacerts. The Java cacerts for OpenJDK are stored in the file /etc/ssl/certs/java/cacerts.
To import a certificate it is sufficient to use keytool:
keytool -import -keystore /etc/ssl/certs/java/cacerts -file cert.pem \
Then I restarted Tomcat and the problem with trustAnchors disappeared.