Importing Existing Keys and SSL Certificates Into Apache Tomcat

I rarely use Tomcat, but one of my clients is a Java guy and, as makes logical sense, uses Tomcat to serve the applications he writes, one of which required an SSL certificate. It’s no problem to create a new key and CSR and then import the certificate and certificate authority chain, but what if we already have an existing key and certificate for the same domain?

In our case, we had Apache serving the non-application stuff (in PHP, natch) on ports 80 and 443, with Tomcat on 8000 and 8443 (take that, Plesk!), and already had a certificate issued for the domain on the Apache side. Since the stuff used by Apache was in PEM format, I’ve added one of the steps required to convert it to PKCS12, which is what we’ll use for the Java keystore. These instructions are taken from a CentOS box, so you may need to make some modifications for other operating systems. It’s only here to serve as a guideline (and for my own future reference, primarily, because I know damned well I’ll forget again next year).

First, we need to concatenate the key, certificate (granted us by the CA) and the CA bundle into one single file. This is done most simply like so:
cat your_domain.key your_domain.crt your_ca_bundle.crt > your_domain.key_crt_bundle.pem

Next, we convert the concatenated PEM data into PKCS12:
openssl pkcs12 -export -out your_domain.key_crt_bundle.p12 -in your_domain.key_crt_bundle.pem

Create a password for the resultant PKCS12 file, and remember it for a moment, because you’ll need it when you import this PKCS12 into your Java keystore using the following command:
keytool -importkeystore -srckeystore your_domain.key_crt_bundle.p12 \
-srcstoretype pkcs12 -destkeystore your_domain.key_crt_bundle.jks -deststoretype jks

You’ll need to create a new password for the keystore, and then enter the password for the PKCS12 you created two steps back.

Then, edit your Tomcat server.xml file and define the full path and filename of the newly-created keystore, as well as your keystore’s password. In our case, the default location was /etc/tomcat6/server.xml. If you don’t know how to configure Tomcat6 for SSL at all, that’s beyond the scope of this particular post, and you will need to do some research. Also, do not pass GO. Do not collect $200. And may God have mercy on your soul.

Finally, restart Tomcat doing the good ol’-fashioned service tomcat6 restart (or equivalent), and you should be good to go. And, if not…. sucks to be you.
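The whole procedure above, scripted, as an added example that is not from the original post: it checks the inputs, confirms the key actually belongs to the certificate, builds the PEM bundle with the private key unreadable to other users, converts to PKCS12, imports into a JKS keystore, removes the plaintext bundle and prints a matching Tomcat 6 connector. It assumes openssl (1.0 or later, for the pkey subcommand) and keytool on PATH; all file names, the alias "tomcat" (Tomcat’s default keyAlias) and the P12_PASS/JKS_PASS variable names are my own choices, not anything the post or Tomcat prescribes.

```shell
#!/bin/sh
# Added example (not the post's own commands): bundle an existing PEM key,
# certificate and CA chain into PKCS12, import it into a JKS keystore and
# verify the result. Assumes openssl (>= 1.0) and keytool on PATH; the
# alias "tomcat" and the P12_PASS/JKS_PASS variable names are assumptions.
set -eu

# Count PEM blocks of a given type ("CERTIFICATE", "PRIVATE KEY") in a file.
# grep -c exits 1 when it finds nothing, so swallow that and still print 0.
count_pem_blocks() {
    grep -c "^-----BEGIN .*$2-----"'$' "$1" || true
}

# Refuse to build anything from inputs that don't look right: exactly one
# private key, at least one end-entity certificate, at least one CA cert.
check_inputs() {
    [ "$(count_pem_blocks "$1" 'PRIVATE KEY')" -eq 1 ] ||
        { echo "expected exactly one private key in $1" >&2; return 1; }
    [ "$(count_pem_blocks "$2" CERTIFICATE)" -ge 1 ] ||
        { echo "no certificate found in $2" >&2; return 1; }
    [ "$(count_pem_blocks "$3" CERTIFICATE)" -ge 1 ] ||
        { echo "no CA certificates found in $3" >&2; return 1; }
}

# The key must be the one the certificate was issued for: compare public keys.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout | openssl md5)" = \
      "$(openssl x509 -in "$2" -pubkey -noout | openssl md5)" ]
}

# build_keystore key cert ca_bundle outbase  ->  outbase.p12 and outbase.jks
# Passwords come from P12_PASS and JKS_PASS (openssl env: / keytool :env)
# rather than argv, so they never show up in ps output or shell history.
build_keystore() {
    key=$1 crt=$2 chain=$3 out=$4
    : "${P12_PASS:?set P12_PASS}" "${JKS_PASS:?set JKS_PASS}"
    check_inputs "$key" "$crt" "$chain"
    key_matches_cert "$key" "$crt" ||
        { echo "key and certificate do not match" >&2; return 1; }

    umask 077                         # the bundle contains the private key
    cat "$key" "$crt" "$chain" > "$out.pem"
    openssl pkcs12 -export -name tomcat -in "$out.pem" -out "$out.p12" \
        -passout env:P12_PASS
    keytool -importkeystore -noprompt \
        -srckeystore "$out.p12" -srcstoretype pkcs12 -srcstorepass:env P12_PASS \
        -destkeystore "$out.jks" -deststoretype jks -deststorepass:env JKS_PASS
    rm -f "$out.pem"                  # plaintext bundle is no longer needed
    keytool -list -keystore "$out.jks" -storepass:env JKS_PASS
}

# Matching server.xml connector for Tomcat 6. keystorePass sits in the clear,
# so server.xml itself must be readable only by the user Tomcat runs as.
print_connector() {
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="$1" keystoreType="JKS" keyAlias="tomcat"
           keystorePass="CHANGE_ME_TO_JKS_PASS" />
EOF
}

if [ "$#" -eq 4 ]; then
    build_keystore "$@"
    print_connector "$(pwd)/$4.jks"
else
    echo "usage: P12_PASS=... JKS_PASS=... $0 domain.key domain.crt ca_bundle.crt outbase" >&2
fi
```

Run it as `P12_PASS=secret1 JKS_PASS=secret2 ./mkstore.sh your_domain.key your_domain.crt your_ca_bundle.crt your_domain`, then paste the printed connector into server.xml with the real keystore password and restart Tomcat as the post describes. The key/certificate comparison is worth keeping even when you are sure of your files: keytool will happily import a mismatched pair and Tomcat will only tell you at handshake time.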


Ubuntu Not Recognizing Changes To /etc/hosts


A moment ago, I finally figured out why changes to /etc/hosts on my local Ubuntu desktop were not being honored. In the past, it worked just fine, as expected, but this morning, it refused to recognize changes. I searched all over the web and found lots of people with the same problem, but no solutions. Plenty of helpful suggestions, mind you, but nothing would work for the folks who tried them. So, the solution? My NSCD was caching it. Perhaps there was a default value change recently, or maybe I just somehow never noticed it before because I’d add the entry prior to trying to work with the host. I’m not sure of the ultimate reason, but here’s the fix:

sudo vim /etc/nscd.conf

… and change:

enable-cache hosts yes

… to:

enable-cache hosts no

And then restart NSCD:

sudo service nscd restart

Voila! Finally, I can get on with my work for the day.


shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory


A few moments ago, while trying to restart the Postfix service on a client’s system, I was getting the following error:

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

Some strace runs later, I found that my current working directory had been removed and recreated, so I was essentially in a state of limbo as far as the system was concerned. Quick fix:

cd && cd -

Brings me to my ~ directory, then back to the original pwd, and – most importantly – no more errors.


Horribly Slow Speeds On USB Stick, Ubuntu 12.04LTS (100KB/s?!?)


I just finished building a new server for the house here and downloaded the latest build of Ubuntu Server 12.04LTS. My desktop is running an upgraded version of the same (but Desktop, not Server edition). Trying to create a USB boot disk to install on the new box was painfully slow: it was going to take 2.5 days.

After searching all over the web to see what others thought, checking the USB settings in my BIOS, and even rebooting for the sake of a potential fix chalked-up to voodoo, I realized the answer. Checking the USB stick’s partition, it was – unsurprisingly – FAT32. Once I dropped the partition (the stick was brand-new, just opened the package) and created a new ext4 partition in its place, I created my new USB boot disk in 38 seconds. That’s much more like it.


Custom sudo Login Prompt: Confuse Your Coworkers and Friends!


Quick way to have fun with Bash and sudo on a boring day. Insert the following into your /etc/bashrc, /etc/bash.bashrc, or similar file (as is appropriate for your distro and version):

alias sudo='sudo -p "Congratulations, %p! You are the one-millionth user to attempt to sudo to %U! Enter your password to see what you'\''ve won. "'

More info, from man sudo:

%H  expanded to the host name including the domain name (only if the machine's host name is fully qualified or the fqdn option is set in sudoers(5))
%h  expanded to the local host name without the domain name
%p  expanded to the name of the user whose password is being requested (respects the rootpw, targetpw and runaspw flags in sudoers(5))
%U  expanded to the login name of the user the command will be run as (defaults to root unless the -u option is also specified)
%u  expanded to the invoking user's login name
%%  two consecutive % characters are collapsed into a single % character
The prompt specified by the -p option will override the system password prompt on systems that support PAM unless the passprompt_override flag is disabled in sudoers.

British PHP? Cheers!


Several minutes ago, one of the regular and long-term contributors to the PHP community, a gentleman by the name of Daevid Vincent, posted a link to a blog post on the PHP General mailing list. (Enough links yet? Hang on, there’s more to come.)

The blog post, If PHP Were British, was something I enjoyed — despite my apparently inferior dialect of English, the bastardized American version. So I figured, what the hell? We got the land (after we, as Redcoats, knocked off a few million of those pesky Indians), so why not offer a peace treaty in the form of a few lines of reworked PHP core?

After about fifteen minutes of work, the result: BPHP (lifted straight from their comments section). It’s based upon the latest stable of the 5.4 branch as of this writing (5.4.4), and has the changes requested specifically by the main article, as well as a few other related changes. Nothing serious, but it shows that, yes, most Americans are willing to reach out and be friendly and helpful world citizens, regardless of how we may appear to the rest of the nations around the globe.

Want to give it a test drive? Go ahead and download it in .tar.gz or in .tar.bz2 format.

You’ll no doubt see errors and such, but have no fear — I have absolutely no intention of supporting this release, nor providing bug fixes, or really even acknowledging that I did, in fact, spend several minutes of my evening doing this.

I should probably mention that I did this in my own free time (I have about an hour before another client is re-running on the ABC network TV show “Shark Tank,” and finished some other work ahead of time), and not as part of the PHP team. And of course, it is licensed under the actual PHP license, is intended only for entertainment purposes, and neither myself (acting alone) nor the PHP Group, community, or anyone else is responsible for any damage, incompatibilities, et cetera. Just in case there are any future BPHP users out there who are lawyers. ;-P

Happy Friday…. mates.


2012 Redesign Proposal


Please view it here and send feedback to


PHP Saturation Survey


For the last few years, I’d wanted to write a spider that would crawl the web and gather some statistical information.  Specifically, I wanted to see how many sites reported being capable of serving PHP pages.  Finally, about two hours ago, I sat down to write the system that would collect this data, and within about 25 minutes, I had it doing my dirty work for me.  After I finished writing the core of the system, I then added a quick reporting tool to give me real-time statistics, because I was far too impatient to wait a few days, weeks, or even months before I could look at some numbers.

Keep in mind the following:

  • The spider gathers hostnames dynamically; it started by spidering the Google homepage (not search results), and went from there.
  • The recursion algorithm is not only imperfect — it’s impatient.  If a site doesn’t respond within 5 seconds, it’s omitted (uncommon).
  • Only homepages (indexes) are spidered.  This is still very effective, but will limit the results.
  • The recursion algorithm skips /^www[0-9]?/ subdomains, but will crawl others.
  • The system does not care if one site resides on the same physical or virtual server as any of the others.
  • The stats collection engine only gathers what the server is configured to tell it.
  • We only check the HTTP headers; we do not spider the site itself to see if it links to any PHP scripts within itself.
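To make the last two caveats concrete, here is an added example (my own code, not the survey’s, whose source the post does not show) that applies the same header-only test to a host: it reports whether the server announces PHP in X-Powered-By or Server, skips hostnames the way the survey does, and gives up after 5 seconds. Pointed at your own hosts, it is a quick way to confirm that expose_php = Off (php.ini) and ServerTokens Prod (Apache) really do hide what you intended; a host that shows "unknown" here is exactly the kind the survey cannot count. It assumes curl for the live check; the classifier itself only needs awk and grep.

```shell
#!/bin/sh
# Added example, not the survey's own code: report what a web server
# discloses about itself in its HTTP response headers, the only signal the
# survey counts. Assumes curl for live checks; classification needs awk/grep.

# The survey skips hosts matching /^www[0-9]?/; mirrored here exactly.
skip_host() {
    printf '%s\n' "$1" | grep -Eq '^www[0-9]?'
}

# Print the value of one header (name matched case-insensitively) from a raw
# header block on stdin, trailing CR removed; print nothing if it is absent.
header_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/\r$/, "", line) }
        index(tolower(line), want ":") == 1 {
            v = substr(line, length(want) + 2)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

# "php" when X-Powered-By or Server mentions PHP, otherwise "unknown".
# No signal is not proof of no PHP: a hardened server simply says nothing,
# which is the blind spot the survey's caveats describe.
classify_headers() {
    hdrs=$(cat)
    powered=$(printf '%s\n' "$hdrs" | header_value X-Powered-By)
    server=$(printf '%s\n' "$hdrs" | header_value Server)
    case "$powered $server" in
        *[Pp][Hh][Pp]*) echo php ;;
        *) echo unknown ;;
    esac
}

# Live check of one host's homepage headers, with the survey's 5-second patience.
check_host() {
    if skip_host "$1"; then
        echo "$1: skipped by hostname rule"
        return 0
    fi
    if hdrs=$(curl -sSI --max-time 5 "http://$1/" 2>/dev/null); then
        printf '%s: %s (Server: %s)\n' "$1" \
            "$(printf '%s\n' "$hdrs" | classify_headers)" \
            "$(printf '%s\n' "$hdrs" | header_value Server)"
    else
        echo "$1: no response within 5 seconds"
    fi
}

for h in "$@"; do check_host "$h"; done
```

Usage: `./hdrcheck.sh myserver.example.org` (a placeholder hostname). Because curl -I sends a HEAD request, a server configured to refuse HEAD will show up as "no response", another reason the survey’s numbers undercount rather than overcount.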

This initial crawl will probably take at least a couple of weeks to reach some useful numbers.  Spidering sites to grab new URLs, check the database, ignore dupes, and recurse into the index to do it all again takes an average of 1.7 seconds per hostname.  Grabbing header data and recording statistics eats up about 3.0 seconds per host, and only works in chunks of hosts per run.

Since all you likely care about – much like myself – are the numbers themselves, you can find them here.  (Statistical data is no longer available.)  The text file will be updated there every five minutes.  If you’re interested in the latest figures and that file seems to be stale (i.e. – >10 minutes old), send me an email and I’ll go kick the crap out of the server and remind it who’s boss (until it becomes sentient, that is).

Over the next couple of days and weeks, I’ll spend a few more minutes here and there to improve the collection times, but the actual data itself is quite obviously of the most value in this project.  For now, all I care about is PHP market saturation, but I’m also collecting data on rival languages, web server software, cookies, page caching, OS and version information, and more.  Sure, other folks collect the same kind of information, but look at me…. do I look like them?  Then shut up.


Quick: How Many Potential Key Combinations Exist In 4096-bit Encryption?


Quite simple, glad you asked! That number is 2^4096. Or, in decimal format (forgive the lack of commas):


Bash ‘for’ Loop and Filenames With Spaces

A quick post for my own future reference, primarily.

After banging me face off the desk for a while trying to figure out how to batch-convert a heaping spoonful of space-laden-named Excel files to CSV for a project I’m doing for my wife, I found a solution in the $IFS environment variable. Thus:

IFS=$(echo -en "\n\b")    # split only on newlines (and backspace), not on spaces
for i in $(ls -1 *.xls); do
    xls2csv "$i" > "$i.csv" 2>/dev/null
done

Easy as pie. And I don’t mean like a mince pie or something that many folks don’t even like, but like convincing a toddler to eat a chocolate cream pie. Yeah, that easy.
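For the same job without touching $IFS or parsing ls output, here is an added example (mine, not from the post) showing the two forms that survive spaces, and anything else, in a filename: a quoted glob for one directory, and find -exec for a whole tree. CONVERTER is a placeholder that defaults to xls2csv so the loop can be exercised with any command; the sample files and directory names are constructed.

```shell
#!/bin/sh
# Added example, not from the post: loop over filenames containing spaces
# without changing IFS or parsing ls. CONVERTER stands in for xls2csv.
CONVERTER=${CONVERTER:-xls2csv}

# One directory: the shell expands the glob to one word per file, spaces and
# all, as long as "$f" stays quoted everywhere. Prints how many converted.
convert_dir() {
    dir=$1 n=0
    for f in "$dir"/*.xls; do
        [ -e "$f" ] || continue        # no matches: the literal pattern is left behind
        "$CONVERTER" "$f" > "${f%.xls}.csv" 2>/dev/null || continue
        n=$((n + 1))
    done
    echo "$n"
}

# A whole tree: find hands each path straight to a child shell as an
# argument, so the name never goes through word splitting at all.
# $0 of the child shell carries the converter command; "$@" carries the files.
convert_tree() {
    find "$1" -type f -name '*.xls' -exec sh -c '
        for f; do "$0" "$f" > "${f%.xls}.csv" 2>/dev/null; done
    ' "$CONVERTER" {} +
}

if [ "$#" -eq 1 ]; then
    echo "converted $(convert_dir "$1") file(s) in $1"
fi
```

The glob form is the one to reach for in a one-liner: `for f in *.xls; do xls2csv "$f" > "${f%.xls}.csv"; done` also fixes the output name, so "report 2012.xls" becomes "report 2012.csv" rather than "report 2012.xls.csv".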