Nginx reverse proxy => tomcat problem


I’m running a tomcat server behing a nginx reverse proxy
I forward the requests to non ssl tomcat connection
When I run an java app deployed on the tomcat, I got a popup that the certificate is not trusted?
The certificate works for non tomcat requests perfectly?

Here’s my nginx setup

listen 80;

   access_log off;

   root /usr/share/nginx/html;
   if ($http_host != "") {
             rewrite ^$request_uri permanent;
   index index.php index.html;

   ## Certificates
   ssl_certificate         /etc/letsencrypt/live/;
   ssl_certificate_key     /etc/letsencrypt/live/;
   ssl_trusted_certificate /etc/letsencrypt/live/;
   ## Common SSL config
   include ssl.conf;

   location /services/ {


If it uses Java default trust store, this is expected:

If you control client-side, load IdenTrust root on demand.

Hm, sorry I don’t understand :frowning:
The mentioned page is loading without any problems!

As I thought certificates should be no problem at java side, because I’m rerouting internally to http:// of tomcat?


Could you be more specific here? How do you "run" the app, are we talking about simply accessing the website? Are you referring to a browser warning, or is this some error Tomcat generates on the server-side? What are the error details (exact message, etc.)?


the app I’m calling is an java applet, which is encapsulated in a html

you have to run it in FireFox, because IE and Chrome deny running applets :frowning:

Okay, so Java itself is loading the content.

Java has its own list of trusted CAs. Neither the ISRG root nor the cross-signed DST root are part of it. I believe Oracle is aware and there is a process to get it added, but it would require Java to be updated when that happens.

If you have full control of all end-user systems, you could add the root to the certificate store. Other than that, you’ll either need to deal with the error or use a vendor that’s already on the trusted list.

Thanks for your reply! Where to I get this root certficate which I need to import in local java keystore?

From the Certificates page linked on the main site.

Double-check which root you’re using on the server. You probably will want the DST root as the cross-signed chain is what’s being generated on the official client right now.

If certificates wouldn't be a problem, why using them in the first place? The logic is lost here, since client doesn't know what you're doing internally. It uses HTTPS connections and fortunately does its job well by failing on a not trusted certificate.