• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

CFHTTP Issue & Java Update

Community Beginner ,
May 10, 2021 May 10, 2021

Copy link to clipboard

Copied

Recently one of my CFHTTP calls stopped working, the authentication that was working on the calling page is no longer working. I verified with the owners of the page i'm calling that nothing has changed on their end.  I did some googling and found Charlie Arehart's post about CFHTTP issue might have to do with JVM and that JVM should be updated.

 

My ColdFusion 2016 server is on Java version 1.8.0_112 and CF Update 5.  I know both the Java and CF need to be updated, long story short, we lost our server guy and we have no one to keep on top of updates.  

 

Based off the article, I updated the server to Java 1.8.0_281. My CFHTTP issue still hasn't resolved but now I am receiving the following error from another CFHTTP call.  I tried a lower version of Java 1.8.0_271 and Java 1.8.0_121 but still seeing the same error.

 

struct

Charset[empty string]
ErrorDetailI/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
FilecontentConnection Failure
Header[empty string]
MimetypeUnable to determine MIME type of file.
Responseheaderstruct [empty]
StatuscodeConnection Failure. Status code unavailable.
TextYES

 

I know it's probably a chicken and egg thing with the Java update and the CF updates but I am throwing it out to see if anyone has any ideas as how to resolve this issue.  Should I do the CF updates first then the Java update or visa-versa. I'm a programmer doing server updates with limited knowledge of Linux so it's always an adventure!

 

Server Details
Server ProductColdFusion
Version2016,0,05,303689
EditionEnterprise  
Operating SystemUNIX  
OS Version3.10.0-327.36.1.el7.x86_64  
Tomcat Version8.5.11.0  
Java Version1.8.0_112  

 

Thanks in advanced for any help you can give me,

Jennifer

 

TOPICS
Advanced techniques , Server administration

Views

835

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Expert , May 11, 2021 May 11, 2021

After you install a new Java version, you have to import the security key of the site into the Java key store. The process is something like this:

 

1) Download a copy of the key. If you don't know how, google it. It's easy. 🙂

2) Locate the tool [JAVA_HOME]/bin/keytool of the new Java installation. Run as admin/sudo the command to import the key. It is something like 

 

keytool -import -alias myCertificateAlias -file "\path\to\myCertFile.cer" -keystore "[JAVA_HOME]\lib\security\cacerts" -storep

...

Votes

Translate

Translate
Community Expert ,
May 11, 2021 May 11, 2021

Copy link to clipboard

Copied

After you install a new Java version, you have to import the security key of the site into the Java key store. The process is something like this:

 

1) Download a copy of the key. If you don't know how, google it. It's easy. 🙂

2) Locate the tool [JAVA_HOME]/bin/keytool of the new Java installation. Run as admin/sudo the command to import the key. It is something like 

 

keytool -import -alias myCertificateAlias -file "\path\to\myCertFile.cer" -keystore "[JAVA_HOME]\lib\security\cacerts" -storepass changeit

 

where

 

  • myCertificateAlias is my custom certificate alias. Choose your own;
  • \path\to\myCertFile.cer is the absolute path to the .cer file obtained in the first step;
  • JAVA_HOME is the path to your new Java installation;
  • changeit is my custom password. Choose your own.

 

Note: Store myCertificateAlias and changeit in a safe place. You will need them if you decide in future to remove the key from the key store.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 11, 2021 May 11, 2021

Copy link to clipboard

Copied

Thank you BKBK!  I was able to download the .cert file via my broswer for the site and installed it in the new java key store and the CFHTTP call is working as expected. Thank you for your help.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
May 11, 2021 May 11, 2021

Copy link to clipboard

Copied

While importing the cert into the keystore does work, it is not always the best way to solve this problem.

 

Usually this problem is caused by a server misconfiguration on the server you are trying to cfhttp to. It is probably missing the intermediate certificate, which leads to this error. Some http clients (like your browser) are pretty forgiving of this issues because they are able to cache the intermediate certificates of trused certificate authorities.  This site is the easiest way I've found to check for the missing intermediate cert: https://whatsmychaincert.com/

 

The reason importing the certificate into cacerts is not a great idea, is because that is for Certificate Authority certificates, meaning you are saying that this certificate you imported is now authorized to sign certificates for any domain. I find it to be necessary to import only if you are using a self signed certificate / ca cert.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
May 11, 2021 May 11, 2021

Copy link to clipboard

Copied

I should clarify - when I say usually this problem is caused by missing intermediate cert. That is about 50% of the time, the other 49.9% of the time updating the JVM fixes the problem because old JVM's might not have the latest trusted certificates defined in the cacerts. You stated you had already updated it so I didn't expand on that in my last reply. 

 

There is a small chance (I'm giving that 0.1%) that the cacerts file that the latest JVM has doesn't have a new CA certificate for the site you are trying to connect to. This was a lot more common of a problem many years ago, but I've found over the last 5+ years or so that they have done a very good job at keeping it updated with each release. So I haven't in practice actually seen that problem in many many years, but it's still possible in theory. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 13, 2021 May 13, 2021

Copy link to clipboard

Copied

This worked on the first server i updated but the next server I upgraded is throwing this error "I/O Exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.validator.ValidatorException: TrustAnchor with subject "EMAILADDRESS=acme@XXX.com, CN=*.XXX.com, OU=XXX, O="XXX", L=XX, ST=XX, C=XX" is not a CA certificate"

I updated the JDK the same way and I also imported the certificate the same way as I did the first server.

 

Thanks in advance,

Jennifer

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 13, 2021 May 13, 2021

Copy link to clipboard

Copied

The new issue is likely related to what Pete said. Namely, "There is a small chance (I'm giving that 0.1%) that the cacerts file that the latest JVM has doesn't have a new CA certificate for the site you are trying to connect to. ".

 

That is, the root cause is most likely a missing or outdated certificate root CA on the server you're trying to connect to. You could debug this using the keytool as is done in https://www.hass.de/content/coldfusion-java-pkix-path-building-failed-javasecuritycertcertpathbuilde...

Having identified the correct certificate CA, you could notify the server admin to update their root CA.

 

For the time being, there is an alternative you can try. Add the following JVM flag - on the Java page in the ColdFusion Administrator or in jvm.config - in the hope that it might persuade Java to load certificates that don't have a known root CA:

 

    -Djdk.security.allowNonCaAnchor=true

 

Restart ColdFusion.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
May 13, 2021 May 13, 2021

Copy link to clipboard

Copied

That error sounds like you are trying to import the leaf certificate instead of a CA certificate. Perhaps newer versions of java are no longer letting you import leaf certificates into the cacerts file. Are both servers running the same version of java?

 

For most HTTPS sites these days there are three certificates involved, a Root, Intermediate and a Leaf.  They have this hierarchy:

 

Root (trusted by browsers)

 |-- Intermediate Certificate (signed by root)

        |---- Leaf (signed by intermediate, this is the one you pay for, etc)

 

Both the root certificate and the intermediate certificates are CA Certificates and you should be able to import those without problem. 

 

Adding the system property jdk.security.allowNonCaAnchor=true would only be necessary if the site certificate is a self signed certificate (not signed by a CA, you generated it yourself). If it is not self signed, then you should just import the missing intermediate or root certificate into cacerts instead. All assuming you trust this site, and the CA that signed it's cert that you are trying to connect to.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 13, 2021 May 13, 2021

Copy link to clipboard

Copied

Yes, both servers were updated to the same version of java, jdk1.8.0_281.  

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
May 14, 2021 May 14, 2021

Copy link to clipboard

Copied

LATEST

Adding the java flag to my server worked.  Strangly this is the only server I needed to add the flag.  The other two accepted the certificate.

 

Thank you for all your help!

Jennifer

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation