Upgrade tomcat 9 server wont start (RESOLVED)

jvc · October 6, 2021, 3:13pm

Hello All

My first post, I hope someone can help as run out of ideas

We have a customer that discovered our Lucee 5.3.3.67 / Tomcat 9.0.41 install has a vulnerability or two so need to upgrade tomcat.

My working lucee installation has this state:

OS: Ubuntu 20.04
Java Version: Open jdk 11.0.9.1
Tomcat Version: 9.0.41
Lucee Version: 5.3.3.67 (UPDATE: also tried 5.3.8.206)

I have tried upgrades to tomcat 9.0.48,.54 and .53 by doing the following

sudo systemctl stop lucee_ctl
cd /opt/lucee/tomcat
# backup lib
mv lib lib-working
# wget tomcat... create new lib folder from downloaded lib folder
cp -r new-tomcat/lib .  
# add execute perm to avoid canRead[false] errors
chmod g+x lib/*.jar
sudo systemctl start lucee_ctl

The service doesnt start though:

tail -f -n 50 logs/catalina.out

NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
java.lang.NoSuchMethodError: 'boolean org.apache.tomcat.util.buf.UriUtil.isAbsoluteURI(java.lang.String)'
        at org.apache.catalina.startup.CatalinaBaseConfigurationSource.getResource(CatalinaBaseConfigurationSource.java:84)
...

We have been trying to get this working off and on for the last 6 months and now it has landed on my lap.

Anyone had this before? Is there more to do for a tomcat upgrade? Do I need to upgrade Lucee as well?

Any help would be super welcome

Thank you

JC

andreas · October 6, 2021, 9:13pm

Hi @jvc,

because I need to upgrade my Tomcat too, I just did the upgrade from Apache Tomcat/9.0.40 to 9.0.54.0 (latest version). It’s up in running on my dev environment. I did the following procedure (please excuse that I’m not providing all in terminal command lines here, cause l’m not a command line expert and I like using tunneled GUIs on Ubuntu),

Step: Backup your Tomcat folder /opt/lucee/tomcat to /opt/lucee/tomcat_backup, so you can rollback at sometime if necessary.
Step: download the latest Tomcat (latest as today) with:
wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.54/bin/apache-tomcat-9.0.54.tar.gz
Step: extract the archive with
$ tar -xvzf apache-tomcat-9.0.54.tar.gz to /home/username/apache-tomcat-9.0.54/
Step: stop Lucee:
$ sudo /opt/lucee/lucee_ctl stop
Step: copy the files in /home/username/apache-tomcat-9.0.54/lib/ to /opt/lucee/tomcat/lib/ (overwriting old files)
Step: copy the files from /home/username/apache-tomcat-9.0.54/bin/ to /opt/lucee/tomcat/bin/ (overwriting old files). You’ll note that setenv.sh will be left unchanged. Keep that file right there, because it has the starting configuration settings for Tomcat/Lucee created by the Lucee installer. That file is still valid and needed.
Step: Give the user that is running tomcat on your machine “read and execution” permisson for the copied files in /opt/lucee/tomcat/bin/ (execution permission is needed by the shell script files)
Step: Give the user that is running tomcat on your machine read permisson for the copied files in /opt/lucee/tomcat/jar/
Step: Start Lucee/Tomcat with
$ sudo /opt/lucee/lucee_ctl start

Then watch the catalina logs.

It’s always good to update Lucee to the latest stable release. You can update Lucee from within your Lucee Server Administrator. Also, I always like to backup my Lucee Server Administrators/Lucee Web Administrator settings before doing such upgrades (just to be sure).

jvc · October 7, 2021, 12:06pm

Hello @andreas,

Thank you for the super-prompt response! Based on testing so far it worked! All I was missing was the “bin/” folder. The instructions I had didn’t mention bin/ .Thanks a lot

And yes I agree is always good to upgrade Lucee, and we normally do, I was just wondering if Lucee 5.3.3.67 had a problem with Tomcat > 9.0.41.

We now have a Lucee@5.3.8.206/Tomcat@9.0.54 server to test the apps with.

Thanks again!

Knut · October 11, 2021, 8:07am

In my case the file ‘/opt/lucee/tomcat/lib/ecj-4.18.jar’ was not overwritten when copying the new *.jar files because it contains a version number in its file name and the new *.jar file has a different version number (‘ecj-4.20.jar’) in its file name .

I think it makes perfect sense to delete the outdated file (for example: ecj-4.18.jar) in the target directory /opt/lucee/tomcat/lib/ to be on the safe side.

Otherwise I would like to say thank you to @andreas for the good Tomcat update description.

Wouldn’t it make sense to include this Tomcat update description in the Lucee documentation?
I think this could be very helpful for many Lucee users in the future.

andreas · October 11, 2021, 10:27am

This is a very valuable information. Didn’t see that! Thank you very much Knut!

Yes @Knut, I just didn’t had the time for contributing to the Lucee docs lately. I’m going to PR it as a Hacktoberfest 2021 contribution soon!

Knut · October 11, 2021, 11:19am

@andreas
In addition, I would suggest that you also copy the following files into the target directory /opt/lucee/tomcat in order to have the latest information about the new Tomcat version:

BUILDING.txt
CONTRIBUTING.md
LICENSE
NOTICE
README.md
RELEASE NOTES
RUNNING.txt

That would be great.

Question:
What do you think, will this Tomcat update method only work for minor version updates (for example 9.0.48 → 9.0.54) or also for major version updates (for example 8.5.72 → 9.0.54)?

If it could lead to problems with major updates, in my opinion it should be pointed out later in the Lucee documentation.

andreas · October 11, 2021, 6:52pm

I can’t tell for sure Knut. I did various upgrades from 8.0 up to 9.0.x that way and that always worked, and that way is also pretty widespread around the community. But I wouldn’t bet that it will always go well. Such mayor upgrades can always have unpredictable breaking changes. But that steps are the usual way I do it, then after restarting the engine I watch the logs for errors and read/look the offical Tomcat documentation.
,

Knut · October 12, 2021, 11:56am

Ok I understand. Thank you.

I just saw that there is an Apache Tomcat Migration Guide (Apache Tomcat® - Migration Guide). It certainly doesn’t hurt to take a look at this Migration Guide.

There is also a practical DIFF viewer in each Migration Guide. This is a very good way of looking at the version differences in the various Tomcat configuration files.

Terry_Whitney · October 12, 2021, 6:04pm

This is the procedure We follow

install tomcat X
configure tomcat x
install lucee as war
update configuration
point / code
test / deploy

Michele_Scaletta · March 19, 2025, 8:55am

Hello,
At point 7 you wrote Give the user that is running tomcat on your machine “read and execute”
Okay I think it is enough to assign the user with chown since the extracted and copied files already have the correct permissions set.

At point 9 you wrote:

“/opt/lucee/tomcat/jar/”
maybe you meant:
“/opt/lucee/tomcat/lib/”

andreas · March 19, 2025, 8:51pm

Really can’t say right now, it has been almost 4 years I did that post and it may depend on the configuration of your Tomcat. If yours is lib, then thanks for pointing it out, so others will have an additional hint.

Michele_Scaletta · March 20, 2025, 12:35pm

The upgrade is necessary because there are serious vulnerabilities (CVE-2025-24813) in Apache Tomcat versions:
11.0.0-M1 to 11.0.2
10.1.0-M1 to 10.1.34
9.0.0-M1 to 9.0.98

fixed in versions 9.0.99, 10.1.35 and 11.0.3

https://tomcat.apache.org/security-11.html

This worked great on CentOs.

cp -Rf /opt/lucee/tomcat/bin /opt/lucee/tomcat_backup/bin
cp -Rf /opt/lucee/tomcat/conf /opt/lucee/tomcat_backup/conf
cp -Rf /opt/lucee/tomcat/lib /opt/lucee/tomcat_backup/lib

wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.102/bin/apache-tomcat-9.0.102.tar.gz
mkdir /tmp/tom102
tar -xvzf apache-tomcat-9.0.102.tar.gz -C /tmp/tom102
/opt/lucee/lucee_ctl stop
cp -Rf /tmp/tom102/apache-tomcat-9.0.102/lib/ /opt/lucee/tomcat/
cp -Rf /tmp/tom102/apache-tomcat-9.0.102/bin/ /opt/lucee/tomcat/
chown lucee:lucee /opt/lucee/tomcat/lib/
chown lucee:lucee /opt/lucee/tomcat/bin/
/opt/lucee/lucee_ctl start