June 16, 2020
Question

Tasks & SSL


Hello,

I have a long standing issue with SSL via tasks that has plagued me throughout CF10, 11, and now 2018.

When we initially stand up the server, we generate the certs and add them to the keystore; everything works great.  Fast forward a year, the cert expires and you update it; all tasks break with "Connection Failure".

I have tried:

- adding the new cert and restarting (continues to fail)

- deleting the inappropriate certs and then adding the new cert (continues to fail)

- searching the box for any cacerts store and adding the right cert to those (continues to fail)

- giving up on the newly generated crt file, I remotely connect and generate the cert from the remote site and then add it to the CA stores (it's seen as a new cert, but connections continue to fail)

The fact that I can set this up during the initial install tells me my process is appropriate.  The fact that CF can never again see the cert after an update makes me think there's a cache or something somewhere that needs to be purged.

Has anyone else ever run into this; possibly have some guidance to point me in the right direction?

Thank you

Dave

    Charlie Arehart
    Community Expert
    June 16, 2020

    CF updates don't touch the keystore within the jvm that CF uses, so when you say things break after an update, can you be more specific: are you really saying that ONLY CF is updated? not also the JVM that CF uses? 


    If you look at the cf admin "java and jvm" page, what is the current "java home" (or the value of the same name in the jvm.config)? If you have updated CF to use a new jvm, then if you do NEED to import certs, you would need to do that into the cacerts under the lib/security folder of that JRE that CF is pointing to.


    That certainly has tripped people up: they update their CF JVM, and find that something no longer works, and they read instructions showing how to use the keytool--and they are updating the wrong one. I know you said you looked for "any". Let's have you look at the one in the JVM that CF is pointing to. Is the cacerts file in that lib/security a different date and time than all other files in that folder? If not, then that cacerts never had any certs imported into it.

    Finally, perhaps you don't NEED to import certs. Perhaps instead all you REALLY need to do IS to update the JVM that CF uses. I have a blog post on this, with more detail:

    https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/


    Let us know if any of this helps get you going, or not.

    /Charlie (troubleshooter, carehart.org)
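The two checks Charlie suggests above (which cacerts does the JVM named in jvm.config actually load, and has that file ever been rewritten by an import) can be scripted. The following is an added example, not code from the thread or from Adobe: the install tree it inspects is constructed in a temporary directory by `make_fixture`, and the `java.home` value, file names and timestamps in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Locate the cacerts file that the
# JVM named in ColdFusion's jvm.config loads, and decide from its timestamp
# whether anything has ever been imported into it. The install tree used here
# is constructed below; real installs use [cfroot]/bin/jvm.config.
set -eu

# Print the java.home value from a jvm.config file (first java.home= line).
cf_java_home() {
    sed -n 's/^java\.home=//p' "$1" | head -n 1
}

# Print the cacerts path for a java.home. A JDK-style home (with a jre/
# subdirectory) keeps it under jre/lib/security; a plain JRE under lib/security.
cacerts_for_home() {
    if [ -d "$1/jre/lib/security" ]; then
        echo "$1/jre/lib/security/cacerts"
    else
        echo "$1/lib/security/cacerts"
    fi
}

# keytool -importcert rewrites cacerts, so an imported store is strictly newer
# than its untouched siblings in lib/security. Print "modified" if cacerts is
# newer than every other file in its folder, otherwise "untouched".
cacerts_status() {
    dir=$(dirname "$1")
    for f in "$dir"/*; do
        if [ "$f" != "$1" ] && ! [ "$1" -nt "$f" ]; then
            echo untouched
            return 0
        fi
    done
    echo modified
}

# Constructed fixture (assumption, not a real install): a jvm.config pointing
# at a bundled JRE whose lib/security files all carry the same install time.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/jre/lib/security"
    printf 'java.home=%s/jre\njava.args=-server -Xmx1024m\n' "$root" > "$root/jvm.config"
    touch -t 202001010000 "$root/jre/lib/security/cacerts" "$root/jre/lib/security/java.security"
    echo "$root"
}

# Demo: resolve the store CF would load, check it, then simulate an import
# (which updates the mtime) and check again.
root=$(make_fixture)
home=$(cf_java_home "$root/jvm.config")
store=$(cacerts_for_home "$home")
echo "CF java.home:      $home"
echo "cacerts CF loads:  $store"
echo "before import:     $(cacerts_status "$store")"
touch -t 202106160000 "$store"
echo "after import:      $(cacerts_status "$store")"
rm -rf "$root"
```

On a real box, point `cf_java_home` at `[cfroot]/bin/jvm.config` (or read the "Java Home" shown on the CF Administrator's Java and JVM page) and drop the fixture; if `cacerts_status` reports "untouched" for the store that path resolves to, the imports went into some other cacerts, which is exactly the mix-up described above.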
    June 16, 2020

    Hi,


    The only update I was referring to is the cert itself: 

    "Fast forward a year, the cert expires and you update it";  "it" being "the cert".

    > Let's have you look at the one in the JVM that CF is pointing to. 

    I attempt to update the store that I initially configured at install time ([cfroot]/jre/lib/security/cacerts); ColdFusion just doesn't seem to see the new cert.  Out of desperation, I have executed "find / -name cacerts" and then added the cert to all of them (ColdFusion comes with two, one under the Jetty file structure).

    > then that cacerts never had any certs imported into it.

    I'm able to verify that the certs have been imported by using the -list switch; I've no doubt that they are being imported.


    But again, this all works fine with a new install; it's just updating the expired cert that seems to be a problem.

    thank you for the response.


    Dave

    collaboranaut
    June 16, 2020

    You mention cacerts; did you check keystore.jks?