24. July 2014

couriertls: /etc/courier/esmtpd.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

After an upgrade of the Linux distribution, Courier stopped accepting emails delivered over TLS or SSL.

There was just this nice error message in the log file:

couriertls: /etc/courier/esmtpd.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

Long story short: the problem was in the PEM file.

Previous versions of Courier-SSL were able to read files with Windows EOL. The new version fails with this nice error.

The solution is simple: get rid of the Windows EOL.

You can use e.g. dos2unix:

dos2unix esmtpd.pem

Restart services and everything will work 🙂
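To confirm that CRLF line endings are the cause before restarting anything, and to strip them without loosening permissions on the file, something like the following works. It is an added example, not part of the original post; the function names and the sample file are constructed, and it assumes the PEM file may also hold the private key.

```shell
#!/bin/sh
# Added example: detect and repair CRLF line endings in a PEM file.
# All function names and the sample data are constructed for illustration.

CR=$(printf '\r')   # literal carriage return, usable inside patterns

# Return 0 if any line in the file ends with a carriage return.
pem_has_crlf() {
    grep -q "${CR}\$" "$1"
}

# Return 0 if the file has a BEGIN line a strict PEM reader accepts:
# five dashes, BEGIN, a label, five dashes, and nothing after them.
pem_has_start_line() {
    grep -q '^-----BEGIN [A-Z0-9 ]*-----$' "$1"
}

# Strip trailing CRs. The scratch copy is created next to the file with
# umask 077 so key material is never readable by other users, and the
# result is written back into the original file so its owner and mode
# stay exactly as they were.
pem_fix_crlf() {
    file=$1
    pem_has_crlf "$file" || return 0          # already clean
    tmp=$(umask 077 && mktemp "${file}.XXXXXX") || return 1
    if sed "s/${CR}\$//" "$file" > "$tmp" && cat "$tmp" > "$file"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Write a constructed CRLF sample (placeholder body, not a real certificate).
make_crlf_sample() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1"
}
```

On a file with Windows EOL, pem_has_start_line fails for the same reason the log shows "no start line": the BEGIN line ends in a carriage return instead of the fifth dash.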

22. September 2013

Deploy Spring application by Maven to Tomcat7 via HTTPS – PKIX problem

Simple scenario: deploy a Spring application to a remote server that has an HTTPS management interface.

Easy task. When you have a properly configured project with pom.xml, you can use the tomcat7 plugin for Maven.

Part of pom.xml:

<plugin>
 <groupId>org.apache.tomcat.maven</groupId>
 <artifactId>tomcat7-maven-plugin</artifactId>
 <version>2.0-SNAPSHOT</version>
 <configuration>
  <path>/test</path>
  <!-- username and password must be set in ~/.m2/settings.xml -->
  <server>mytomcat</server>
  <!-- URL where Maven can find Tomcat 7 Manager -->
  <url>https://test.sinusgear.com:443/manager/text</url>
 </configuration>
</plugin>

Just run:

mvn tomcat7:deploy

The upload fails with this error message:

PKIX path building failed

Oops. Not that easy? 🙂
The problem is that Java does not trust the certificate of the remote server.

Here is how to fix the PKIX issue on Windows.

Open the URL of the remote server in Firefox and save the certificate to a file.

Run PowerShell as administrator.

Go to the directory with the JDK cacerts and import the certificate. The default password is “changeit”.

cd "C:\Program Files\Java\jdk1.7.0_40\jre\lib\security"
keytool -import -alias test.sinusgear.com -keystore cacerts -file C:\Users\georgik\Documents\test.sinusgear.com

Done. Now you can run mvn tomcat7:deploy again.

10. January 2012

Debian Tomcat 7 – the trustAnchors parameter must be non-empty

I was deploying an application on Tomcat7/OpenJDK. This application was accessing further secure services like SMTPS and HTTPS.

Tomcat was complaining that certificates are not correct (PKIX): the trustAnchors parameter must be non-empty.

The solution for Debian was quite easy after I found the correct path to cacerts. Java cacerts for OpenJDK are stored in the file: /etc/ssl/certs/java/cacerts.

To import a certificate it is sufficient to use keytool:

keytool -import -keystore /etc/ssl/certs/java/cacerts -file cert.pem \
-alias ci.sinusgear.com

Then I restarted Tomcat and the problem with trustAnchors disappeared.

Follow @jurajmichalek on twitter.