CFHTTP issues on CF2018 Update 7

Question

Hello,

We have recently update our ColdFusion 2016 install to 2018 on two load balanced RHEL 7.9 servers. Both servers are currently running CF2018 Update 7 with Java version 11.0.10 and we are having issues with making cfhttp calls to various HTTPS sites like Google and Facebook.

These cfhttp calls work fine when CF is restarted but we eventually see errors like "I/O Exception: Could not generate secret" , "I/O Exception: Peer not authenticated", and "I/O Exception: Couldn't kickstart handshaking". After updating to Update 7, here's the more prominent error we've seen:

Here are my JVM arguments:

-server --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.util.cldr=ALL-UNNAMED --add-opens=java.base/sun.util.locale.provider=ALL-UNNAMED -XX:MaxMetaspaceSize=1024m -XX:+UseParallelGC -Xbatch -Djdk.attach.allowAttachSelf=true -Dcoldfusion.home={application.home} -Djava.security.egd=/dev/urandom -Duser.language=en -Dcoldfusion.rootDir={application.home} -Dcom.sun.xml.bind.v2.bytecode.ClassTailor.noOptimize=true -Dcoldfusion.libPath={application.home}/lib -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcoldfusion.jsafe.defaultalgo=FIPS186Random -Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.JavaUtilLog -Djava.util.logging.config.file={application.home}/lib/logging.properties -Djava.locale.providers=COMPAT,SPI -Dsun.font.layoutengine=icu -javaagent:/opt/fusionreactor/instance/cfusion.cf2018/fusionreactor.jar=name=cfusion.cf2018,address=8088 -agentpath:/opt/fusionreactor/instance/cfusion.cf2018/libfrjvmti_x64.so -Duser.timezone=US/Central -Dcoldfusion.http.usepooling=false

The -Dcoldfusion.http.usepooling=false argument was something that CF Support suggested but hasn't worked.

Any help is greatly appreciated.

Thank you!

Charlie Arehart · Answer

Erik, your problem really sounds like you have NOT update the JVM. I realize you say you updated to Java 11.0.10, but could you confirm for us that your CF really is using that? (I've seen people install a new JVM on the box and mistakenly presume that CF would "just use it".)

If you go to the "settings summary" pge in the CF Admin (the link right next to the "java and jvm" link), that has two sections at the top, and the second is the JVM info, and it reports the version CF is using. (You showed your CF's java args, but that doesn't confirm this for us.)

If it's not showing 11.0.10, then the problem is that the JVM CF is using is NOT updated. You will see on that page also that java.home which is how CF points to the JVM it uses. If you do have Java 11.0.10 installed, you can point CF to that. Do be careful, as if you make a mistake CF won't start. I have a blog post of many common problems that can happen in changing the JVM, and how to fix them.

Along the same lines, if one ever DOES need to import certs, it is also then critical to import them to the lib/security/cacerts of the jvm CF is using, whereas many resources blithely say to update the one within [coldfusion]\jre folder. Again, if CF has been changed to point to a different JVM, then importing certs there will be pointless.

All that said, you may not neeed to bother importing certs at all. Often just updating the JVM will solve problems of cfhttp calls to ssl urls. I have a blog post on that also. (And yes, even just updates with Java 11 can solve such problems. I help people do it about weekly.)

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded