Let’s Encrypt with Tomcat 7

Using HTTPS on Tomcat with a let’s encrypt certificate is quite easy – as soon as you know how to do it (as usual). acme.sh provides a quite convenient way of getting and renewing certificates. This is extremely important as the certificates have a lifetime of just 60 days.

So get and “install” acme.sh first! And make sure Tomcat is running on port 80. Then get your first certificate!

sudo service tomcat7 stop
acme.sh --issue -d yourdomain.tld -d www.yourdomain.tld --standalone --httpport 80 --force
sudo service tomcat7 start

You should now have brand new certificates on your machine. Now set up the keystore for Tomcat.

# generate a keystore; remember the password you set here, let's assume 'mypass'
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -keysize 2048

# convert the keystore to the PKCS12 format
keytool -importkeystore -srckeystore .keystore -destkeystore .keystore -deststoretype pkcs12

# use the following lines also to renew a certificate!!
certdir=/home/.../.acme.sh/yourdomain.tld
keystoredir=.keystore

# remove the old entries (on the very first run the 'root' alias does not exist yet, so that delete fails; this is harmless)
keytool -delete -alias tomcat -storepass mypass -keystore $keystoredir
keytool -delete -alias root   -storepass mypass -keystore $keystoredir

# bundle private key and full chain into a PKCS12 file (acme.sh writes the chain as fullchain.cer, there is no fullchain.pem)
openssl pkcs12 -export -in $certdir/fullchain.cer -inkey $certdir/yourdomain.tld.key -out $certdir/cert_and_key.p12 -name tomcat \
        -CAfile $certdir/fullchain.cer -caname root  -password pass:mypass
# import key and certificate under the alias 'tomcat', then the chain as a trusted certificate under the alias 'root'
keytool -importkeystore -srcstorepass mypass -deststorepass mypass -destkeypass mypass -srckeystore $certdir/cert_and_key.p12 \
        -srcstoretype PKCS12 -alias tomcat -keystore $keystoredir
keytool -import -trustcacerts -alias root -deststorepass mypass -file $certdir/fullchain.cer -noprompt -keystore $keystoredir

The keystore should be ready now. Now let us tell Tomcat to use this keystore for HTTPS. Edit /etc/tomcat7/server.xml and apply the following changes to the Connector for 8443:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
       maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
       clientAuth="false" sslProtocol="TLS"
       KeystoreFile="/home/.../.keystore" KeystorePass="mypass" 
       ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, 
  TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
  TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_RC4_128_SHA" />
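The cipher list above still contains the two RC4 suites (TLS_ECDHE_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_SHA), which are considered broken, and sslProtocol="TLS" alone also leaves TLS 1.0 enabled. The following hardened variant of the same Connector is an added example, not from the original post; it assumes Java 8 (required for the GCM suites) and Tomcat 7.0.61 or later for useServerCipherSuitesOrder, and keeps the keystore settings unchanged.

```xml
<!-- Hardened 8443 connector: same keystore, TLS 1.2 only, forward-secret AEAD suites first, no RC4 -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
       maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
       clientAuth="false" sslProtocol="TLS"
       sslEnabledProtocols="TLSv1.2"
       useServerCipherSuitesOrder="true"
       keystoreFile="/home/.../.keystore" keystorePass="mypass"
       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" />
```

After restarting Tomcat, a quick check from another machine is `openssl s_client -connect yourdomain.tld:443 -tls1`, which must now fail to complete a handshake.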

You should be done now. Restart Tomcat and test the certificate in the browser. If all is fine, don’t forget to schedule a cron job that renews the certificate and repeats the keystore steps above (removing the old entries and importing the renewed certificate).

sudo service tomcat7 stop
"/home/.../.acme.sh"/acme.sh --cron --home "/home/.../.acme.sh"
sudo service tomcat7 start
# perform the commands above to insert the renewed certificates!
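The renewal only works if the keystore is rebuilt every time acme.sh replaces the files, which is easy to forget in a cron job. The script below is an added example, not part of the original post: it chains the stop, renewal, keystore rebuild and start steps above and prints the remaining certificate lifetime. The paths and the password are hypothetical defaults that can be overridden via the environment (ACME_HOME, DOMAIN, KEYSTORE, STOREPASS).

```shell
#!/bin/sh
# Renewal script for the Tomcat keystore (added example). Defaults below are placeholders.
set -eu

ACME_HOME="${ACME_HOME:-/home/tomcat/.acme.sh}"   # placeholder, adjust to the user running acme.sh
DOMAIN="${DOMAIN:-yourdomain.tld}"
KEYSTORE="${KEYSTORE:-/home/tomcat/.keystore}"    # must match keystoreFile in server.xml
STOREPASS="${STOREPASS:-mypass}"                   # must match keystorePass in server.xml
CERTDIR="$ACME_HOME/$DOMAIN"

# Whole days between two epoch timestamps (pure arithmetic, so it can be checked offline).
days_between() { echo $(( ($2 - $1) / 86400 )); }

# Days until the certificate file $1 expires (needs openssl and GNU date).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    days_between "$(date +%s)" "$(date -d "$end" +%s)"
}

# Replace the key/cert entries in the keystore with the files acme.sh just wrote.
rebuild_keystore() {
    # The aliases do not exist on the very first run, so ignore failed deletes.
    keytool -delete -alias tomcat -storepass "$STOREPASS" -keystore "$KEYSTORE" 2>/dev/null || true
    keytool -delete -alias root   -storepass "$STOREPASS" -keystore "$KEYSTORE" 2>/dev/null || true
    # fullchain.cer already contains the intermediate certificate, so no extra -CAfile is needed.
    openssl pkcs12 -export -in "$CERTDIR/fullchain.cer" -inkey "$CERTDIR/$DOMAIN.key" \
        -out "$CERTDIR/cert_and_key.p12" -name tomcat -password "pass:$STOREPASS"
    keytool -importkeystore -srckeystore "$CERTDIR/cert_and_key.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" \
        -alias tomcat -keystore "$KEYSTORE"
    keytool -import -trustcacerts -alias root -file "$CERTDIR/fullchain.cer" -noprompt \
        -storepass "$STOREPASS" -keystore "$KEYSTORE"
    rm -f "$CERTDIR/cert_and_key.p12"   # the PKCS12 copy of the private key is no longer needed
}

renew() {
    # --standalone needs port 80, so Tomcat has to be down while acme.sh runs.
    sudo service tomcat7 stop
    "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME"
    rebuild_keystore
    sudo service tomcat7 start
    echo "certificate for $DOMAIN valid for $(cert_days_left "$CERTDIR/fullchain.cer") more days"
}

# Only act when called as 'renew-tomcat-cert.sh run'; sourcing the file for checks is side-effect free.
if [ "${1:-}" = "run" ]; then
    renew
fi
```

Put `renew-tomcat-cert.sh run` into the crontab instead of the bare acme.sh call; acme.sh --cron only renews when the certificate is due, and the keystore rebuild is harmless when nothing changed.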


How to run Tomcat on Port 80

A standard Tomcat installation starts the webserver on port 8080 – which is usually not the desired behavior.

In order to change this there are two options.

The recommended one is to let Tomcat continue on port 8080 (and 8443 for HTTPS): you don’t need to change anything in Tomcat itself, just add the corresponding iptables redirect rules:

# check that rules are not there already
sudo iptables -L -n -t nat

# Add rules
sudo iptables -t nat -I PREROUTING -p tcp --dport 80  -j REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

# Check
sudo iptables -L -n -t nat

# Save
sudo service iptables save

# Restart iptables
sudo /etc/init.d/iptables restart

# final check
sudo iptables -L -n -t nat
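Running the two `iptables -I` lines a second time (for example from a boot script) inserts a second copy of each rule. The script below is an added example, not part of the original post: it adds the same REDIRECT rules only when they are missing, using `iptables -C` to check first, and also covers connections from the host itself, which never pass PREROUTING. The helper names are hypothetical; it needs root.

```shell
#!/bin/sh
# Idempotent port 80/443 -> 8080/8443 redirect (added example). Run as root.
set -eu

IPT="${IPT:-iptables}"    # path to the iptables binary

# Rule specification shared by the check (-C) and the insert (-I), so both see the same rule.
redirect_spec() {
    printf -- '-p tcp --dport %s -j REDIRECT --to-port %s' "$1" "$2"
}

# Insert a PREROUTING redirect $1 -> $2 unless an identical rule is already present.
ensure_redirect() {
    if $IPT -t nat -C PREROUTING $(redirect_spec "$1" "$2") 2>/dev/null; then
        echo "redirect $1 -> $2 already present"
    else
        $IPT -t nat -I PREROUTING $(redirect_spec "$1" "$2")
    fi
}

# PREROUTING only sees packets arriving from the network. Connections from the host itself
# (e.g. curl http://localhost/) go through OUTPUT, so add a matching rule there for local tests.
ensure_local_redirect() {
    if ! $IPT -t nat -C OUTPUT -o lo $(redirect_spec "$1" "$2") 2>/dev/null; then
        $IPT -t nat -I OUTPUT -o lo $(redirect_spec "$1" "$2")
    fi
}

if [ "${1:-}" = "apply" ]; then
    ensure_redirect 80 8080
    ensure_redirect 443 8443
    ensure_local_redirect 80 8080
    ensure_local_redirect 443 8443
    # Final check; persist afterwards with your distribution's mechanism (e.g. iptables-save).
    $IPT -t nat -L -n --line-numbers
fi
```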

The other option is to run Tomcat directly on port 80. As this is a privileged port, Tomcat must run as root.
The advantage: it’s simple!
The disadvantage: a web server shouldn’t run as root. If you want to do this nevertheless, edit /etc/tomcat7/server.xml and change the connector port from 8080 to just 80:

<Connector port="80"   <!-- was 8080 -->
   protocol="HTTP/1.1"
   connectionTimeout="20000"
   redirectPort="8443" />

Now edit /etc/tomcat7/tomcat7.conf, set the Tomcat user to root and restart Tomcat:

TOMCAT_USER="root"
sudo service tomcat7 restart

Where to install custom / portable programs in Windows10/8.x?

There are a couple of programs that cannot be installed in or copied to the regular locations (C:\Program Files and C:\Program Files (x86)) because they cannot be run in non-administrator mode. So where should you put or install those programs?

Fortunately Windows comes with a good place for those programs. Just put them into %LOCALAPPDATA%\Programs which expands to C:\Users\...\AppData\Local\Programs.
No need to tweak permissions (as it is in your user directory).

Downside: If you are part of a large domain (which you will not be with your private computer), your programs will not be synchronized to other computers where you log on. If you would like that, you would have to place them in %appdata% (which expands to C:\Users\...\AppData\Roaming). But it would also mean that possibly large installations are synchronized. Don’t blame Windows if you are suffering from long login times then!

In case you want to go deeper into the differences between Roaming, Local and LocalLow, have a look at the answers at superuser.com:

Roaming. (%appdata%) contains data that can move with your user profile from PC to PC – because data is synced with a server (e.g. web browser favorites or bookmarks).

Local. (%localappdata%) contains data that can’t move with your user profile. This data is typically specific to a PC or too large to sync with a server (e.g. temporary files).

LocalLow. (%appdata%/…/locallow) contains data that can’t move, but also has a lower level of access. E.g., a web browser in protected or safe mode will only be able to access data from the LocalLow folder.

Mount VMware shared folder in Ubuntu guest

If you want to share files between a Windows host and an Ubuntu Linux guest, the “shared folder” feature is really handy. Just enable it in the VM settings, install the guest tools and … then wonder where this shows up in the VM. “They appear under /mnt/hgfs” I read everywhere.

Well, they do – as soon as you do a

sudo mount.vmhgfs .host:/ /mnt/hgfs/

It took me a couple of minutes to figure this out as all tutorials ended with “the folder appears” …
If it doesn’t work, maybe just rerun

sudo vmware-config-tools.pl

How to fix: Windows 10 store fails to update or hangs during download / update

For a couple of days I saw some pending updates in my Windows 10 store that didn’t seem to install or download. The downloads were either in progress or done but none of them installed. Restarting the downloads didn’t help either.

Some quick research came up with all kinds of Powershell and registry hacks. Quite weird. Then I remembered about a recent issue that I had with Windows 8.1 which was solved by simply disconnecting the Microsoft account and reconnecting it after a restart. And it worked!

Dead easy


  • Go to account settings: Hit the Windows key, type “Account” (German: Konto)
  • Disconnect from your Microsoft account
  • reboot (optional – I didn’t try without reboot)
  • Reconnect to the Microsoft account
  • Open the Store and do the update


How to enable Camera Streaming on a Raspberry Pi

This is a very brief tutorial how to get a stream of the Raspberry Pi camera into a browser. The original article can be found here.

I was searching a lot for how to stream directly from the camera to the network, yet I did not find a solution. So what we are doing here is using the timelapse feature of raspistill combined with MJPG-Streamer. In the end you will be able to see the stream in a web browser or in VLC Media Player.


How to enable WiFi auto reconnect on a Raspberry Pi

In recent times my WiFi seems to have become a bit unstable. As if this weren’t annoying enough, it also means that all my Raspberry Pis lose their WiFi connections as well and thus become unreachable.

Yet the solution is pretty simple:

  1. cd /etc/ifplugd/action.d/
  2. sudo mv ifupdown  ifupdown.original
  3. sudo cp /etc/wpa_supplicant/ifupdown.sh ./ifupdown
  4. sudo reboot

That’s it. Thanks Stackexchange for the great hit.

Windows install error 0x80070002 unable to install App

Yesterday I tried to install a Windows App via its built-in App Store. Usually this works like a charm. This time the download seemed to succeed (judged by the progress bar) but the installation failed with error 0x80070002.

Googling (and Bing’ing) found various issues with kind of the same description, ranging from “download failed” to “broken registry” (including repair guides). Yet none of the proposed solutions worked for me.

Hoping it would just be a temporary failure on the store side, I hit “retry” again and again while I was searching for other solutions (interrupted by a reboot – well, you never know, sometimes it just helps). And suddenly a message appeared saying that a Microsoft account was required to install the app. That was strange as I had just switched to an MS account that day – and this message appeared just once! When I wanted to reproduce it, it just failed with 0x80070002 again.

So I disconnected my account from MS again, reconnected afterwards and suddenly: The installation succeeded!

To make a long story short

If you experience error 0x80070002 when installing an app from the store in Windows 8.1, try disconnecting your account from your Microsoft account and reconnecting it:

  • Win-C (open charms bar)
  • Go down to settings
  • Go down to PC settings
  • Go to Accounts >> your account
  • Disconnect your account
  • Repeat the above to reconnect to your MS account
  • Try to install the App

What to do in case of org.apache.spark.sql.catalyst.errors.package$TreeNodeException: Unresolved attributes

I’m currently gathering my first experiences with Apache Spark and in particular Spark SQL.

While I was playing a bit with Spark SQL joins I suddenly faced an exception like Exception in thread "main" org.apache.spark.sql.catalyst.errors.package$TreeNodeException: Unresolved attributes: foo, followed by the parsed SQL statement etc.

Well, in MySQL the error message would have been
"Unknown column 'foo' in field list"
i.e. you are accessing a column/field foo that does not exist.
I was already a bit too close to the problem to see it at once – and I only found descriptions dealing with nested structures etc. (which wasn’t the case in my situation). So it took me a couple of minutes to realize what Spark wanted to tell me.

Maybe this helps someone else, too.

How to ignore Maven build errors due to JavaDoc with Java 8

Java 8 is stricter in JavaDoc parsing. This can lead to build failures in Maven when building a repository, with warnings like:

Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:2.7:jar (attach-javadocs) on project [projectname]: MavenReportException: Error while creating archive:
Exit code: 1 - [path-to-file]:[linenumber]: warning: no description for @param

Sure, the proper solution would be to fix the JavaDocs. But in cases where you just clone a foreign repo, you probably just want to get it to run and not start fixing it.

To ignore the errors, just turn off doclint by adding the following <configuration> tag to your pom.xml:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-javadoc-plugin</artifactId>
    <version>2.10.2</version>
    <executions>
        <execution>
            <id>attach-javadocs</id>
            <goals>
                <goal>jar</goal>
            </goals>
            <configuration> <!-- add this to disable checking -->
                <additionalparam>-Xdoclint:none</additionalparam>
            </configuration>
        </execution>
    </executions>
</plugin>

Some more solutions can be found in this StackOverflow thread.