22. September 2013

Deploy Spring application by Maven to Tomcat7 via HTTPS – PKIX problem

A simple scenario: deploy a Spring application to a remote server that has an HTTPS management interface.

An easy task. When you have a properly configured project with a pom.xml, you can use the tomcat7 plugin for Maven.

Part of pom.xml:

<plugin>
 <groupId>org.apache.tomcat.maven</groupId>
 <artifactId>tomcat7-maven-plugin</artifactId>
 <version>2.0-SNAPSHOT</version>
 <configuration>
  <path>/test</path>
  <!-- username and password must be set in ~/.m2/settings.xml -->
  <server>mytomcat</server>
  <!-- URL where Maven can find Tomcat 7 Manager -->
  <url>https://test.sinusgear.com:443/manager/text</url>
 </configuration>
</plugin>

Just run:

mvn tomcat7:deploy

The upload fails with the error message:

PKIX path building failed

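Oops. Not that easy? :)
The problem is that Java does not trust the certificate of the remote server: it cannot build a chain from that certificate to any entry in its truststore (cacerts).

Here is how to fix the PKIX issue on Windows.

Open the URL of the remote server in Firefox and save the certificate to a file.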

Run PowerShell as administrator.

Go to the directory with the JDK cacerts file and import the certificate. The default password is "changeit".

cd "C:\Program Files\Java\jdk1.7.0_40\jre\lib\security"
keytool -import -alias test.sinusgear.com -keystore cacerts -file C:\Users\georgik\Documents\test.sinusgear.com

Done. Now you can run mvn tomcat7:deploy again.

10. January 2012

Debian Tomcat 7 – the trustAnchors parameter must be non-empty

I was deploying an application on Tomcat7/OpenJDK. This application was accessing further secure services like SMTPS and HTTPS.

Tomcat was complaining that the certificates were not correct (PKIX): the trustAnchors parameter must be non-empty.

The solution for Debian was quite easy after I found the correct path to cacerts. Java cacerts for OpenJDK are stored in the file /etc/ssl/certs/java/cacerts.

To import a certificate, it is sufficient to use keytool:

keytool -import -keystore /etc/ssl/certs/java/cacerts -file cert.pem \
-alias ci.sinusgear.com

Then I restarted Tomcat and the problem with trustAnchors disappeared.
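
Both posts import a certificate file into cacerts, which makes the JVM trust it for every TLS connection, so it is worth comparing the file's SHA-256 fingerprint with one obtained out of band before importing. The script below is an added example, not code from the original posts: the function names, the KEYSTORE variable and the three-argument invocation are assumptions, and it expects a PEM file plus awk and GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original posts): import a PEM certificate into the
# Java truststore only if its SHA-256 fingerprint matches a value obtained out of band.
# Assumed usage: sh <this-script> cert.pem ci.sinusgear.com <expected-sha256>

# Default is the Debian OpenJDK path named in the post; override via the environment.
KEYSTORE="${KEYSTORE:-/etc/ssl/certs/java/cacerts}"

# Print the SHA-256 (lowercase hex) of the first certificate in a PEM file.
# Fails if the file contains no PEM certificate body.
cert_sha256() {
    body=$(awk '/-----BEGIN CERTIFICATE-----/{f=1; next}
                /-----END CERTIFICATE-----/{exit}
                f' "$1" | tr -d '\r')
    [ -n "$body" ] || return 1
    # The fingerprint is the hash of the DER bytes, i.e. the decoded base64 body.
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept "AB:CD:..." as shown by browsers and keytool, or plain hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# import_if_verified CERT ALIAS EXPECTED_FP
import_if_verified() {
    cert=$1; name=$2
    expected=$(normalize_fp "$3")
    actual=$(cert_sha256 "$cert") || {
        echo "no PEM certificate found in $cert" >&2
        return 2
    }
    if [ "${#expected}" -ne 64 ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got $actual" >&2
        return 1
    fi
    # Same keytool command as in the post, reached only after the check passed.
    keytool -import -keystore "$KEYSTORE" -file "$cert" -alias "$name"
}

if [ "$#" -eq 3 ]; then
    import_if_verified "$@"
fi
```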