ColdFusion 2021 tasks: how to run as https?
Greetings,
I have not been able to find instructions on this, nor am I able to get it to work by trial and error. Currently I have 20 or so scheduled tasks that run in the ColdFusion 2021 Scheduled tasks manager as http://localhost....task.cfm format. I need them to run as https instead due to regulations where I work which disallow ALL http, even to localhost. Can anyone direct me to instructions on how to get this to work? I tried simply changing the url to https://localhost and https://ip and https://sitename but none of them execute properly. Also, when I try to run the same tasks via the command line using cf.bat, they error out, unable to find the variables such as the mail server specified in the task. These tasks all run fine when submitted as http requests via the scheduler. Any guidance would be appreciated.
Todd, the solution lies in configuring https support in the web server serving the pages.
So if you're forming those urls without any port at the end, it's typically your "external web server" that's handling those (like iis or apache, or perhaps even nginx). If instead, your urls end with a port number like 8500, that would be the "internal" or "built-in" web server in cf (technically in tomcat) handling them.
(That's a generalization, of course. Things can be configured any way one wants in regard to ports and domain names.)
So you'll want to look into configuring whichever web server is serving your requests. And since you don't name any port in your examples (and they "work" if called via http://), I'll assume you're using an external web server. And each of those (iis, apache, nginx, etc) has its own ways to configure https support. Which are you using?
And in setting up such https support for such a web server you'd also need to implement at least one server certificate, whether that's a self-signed one, one paid for from a cert vendor, or one implemented for free using Let's Encrypt, for example. Each of those is their own realm of discovery for you to choose among.
So no, I'm not offering here EXACTLY what you need to do--as those steps will vary based on your setup among the various options above. But this points you in a starting direction, and if you clarify your web server setup and familiarity with things, that can guide us to recommend more specific steps.
(One last point: when testing things in this regard--about using http/https or specifying ports--note that you can test things in your browser rather than only as a scheduled task, which can simplify your initial testing. That said, it's often best to test from a web browser ON THE SERVER if possible, for various reasons, to more closely mimic how CF would call the url from that server.)
/Charlie (troubleshooter, carehart.org)
Hi Charlie,
Thanks for the response. I would guess that coldfusion tasks have to be run in the context of the internal web server, which in this case is Apache Tomcat. The admin page runs at the default 8500, assuming internally on the included tomcat. I do not know how to get the internal web server to accept tasks on a different port, nor how to bind the server certificate to whatever port is used, and I was unable to find instructions on it. I don't have a lot of experience configuring tomcat. I am sure there is a conf or xml somewhere that needs to be edited, and some way to bind the existing server certificate. I just can't find it. Do you know where to find that document?
I do all my testing on the server itself via web browser. For the scheduled tasks, I just copy them into the address bar and hit enter. Http runs, https does not.
TG
Todd, please re-read what I wrote. If your current urls (called as tasks) do NOT use a port, then you are almost assuredly running them NOT via ColdFusion's/Tomcat's web server but instead IIS (if on windows). As you note, it's not obvious how to change the Tomcat web server to listen on another port, let alone support different domain names or ip's, so I doubt you've done that.
So again, focus on setting up IIS (or whatever is your "real" web server, serving the called pages) to support https. It has nothing to do with CF at all, in that case (even if the cf admin itself is running on the built-in cf/tomcat web server).
And if you're not sure whether it's really iis serving the called task requests, stop iis and request the task's url in the browser. If it fails with iis stopped, then clearly iis is serving that url.
And don't worry if this all feels confusing or overwhelming. It's just part of the process of becoming familiar with the many moving parts and how to configure them. And because there can be different ways people do or want to have things configured, that's why there's no single answer that works for anyone trying to accomplish this task. That also would explain why you've found little on "how to do it".
Again, once you clarify your setup, I or others will be able to offer more specifics.
But if indeed it's iis you're using, you can find many resources (unrelated to cf) talking about how to configure iis sites for https support, including that need to setup a server cert for the web server to use.
/Charlie (troubleshooter, carehart.org)
Charlie,
Be assured that I read your suggestions very carefully, every time. Neither do you need to concern yourself with my level of worry or confusion. I assure you they are manageable!
The reason I thought that the tasks were utilizing the tomcat server was because selecting "Ignore client certificates" in IIS had no effect. I see now that this was a red herring. I did indeed confirm that the tasks are run by IIS per your suggestion of disabling IIS. The admin page on port 8500 continued to be accessible while the tasks give an error indicating that IIS needs to be running.
So in the end, it seems you cannot assist with this because it is some odd configuration of Windows that is forcing a client certificate check even when I have selected "ignore." I have scoured the web for suggestions on how to absolutely disable client certificate checking but no suggestion prevents it. I tried disabling client cert revocation checking in the binding as well on the off chance that it was forcing a certificate selection. Apparently no one has solved this issue because of all the threads that mention this here, not one person has ever managed to get it to work. The only advice in the end is go back to running tasks as http which in our environment is not going to be approved. Thanks for trying, but it seems there may not be a solution. If I do discover a solution at some point I will come back and leave a note.
Best regards,
Todd
Todd, before you give up on this as unsolvable, you've brought up an entirely new wrinkle here (client certs), and if that's indeed the crux of your problem, there is still a solution for that.
1) First, for the sake of folks reading along, let's clarify that requiring a client cert is NOT the default behavior of a site setup for https/ssl/tls. More specifically, in iis you absolutely can use the option to "require SSL" (tls) while NOT choosing on that same setting page to "require" use of a "client certificate". See the "SSL settings" feature in iis for the site in question. (Or see step 3 of this site for example.) Unless someone changes that to "require" a client cert, then no such client cert is required by iis to visit the site via https.
And indeed you say here that you set iis TO IGNORE client certs. I'll assume you're doing it that same way I just showed. Therefore it would indeed seem there's no reason that client certs should be playing a role.
2) But then you go on here to assert that something else besides iis could be requiring them. It's not clear why you think that. Is there some situation (not involving calling the urls as scheduled tasks) where you've confirmed that a cert is being required to call the url?
And is it that you know that your client machine/browser is configured to send along a client cert, created for this added security mechanism?
3) If so then here finally is a workaround to consider for cf scheduled tasks to use such a cert.
While it is/seems true that the cf scheduled task mechanism offers no support for setting or passing along client certs in calls to a url, did you know that cfhttp DOES support that, with its clientcert attribute?
As such, one COULD easily configure a scheduled task url to call a cfm page which itself then does the cfhttp call to the "real" url, passing in a needed clientcert. (That could even be setup as a single page that takes the url to call as an input arg, and uses the same cert for all such calls. You'd want to secure such a flexible page so as not to be abused.)
4) Before doing that, can you first try calling the url in question via cfhttp, as a sanity check?
Does it work WITHOUT any such clientcert attribute? If so, then it would seem none is required after all.
But if that fails, there can be many reasons having nothing to do with client certs. Assuming again that calling the url in a browser on the server works, then something about cf calling the url fails.
(It could be about cf running on an old Java version, with outdated info on its key store. If you find you can't even cfhttp to ANY url like google.com via https, that may be your real issue here.)
5) But if indeed this really is all down to client certs being required for your url being tested, try pointing to it with the clientcert attribute. Does it work? If so, this workaround I propose would work.
6) If it still fails with the cfhttp clientcert specified, then it would surely seem the problem is NOT about client certs after all.
In that case, I've offered several ideas in this comment and previous ones that should get you able to run a cf scheduled task that uses an https url. Again, start with getting it to work via cfhttp as a sanity check.
Let us know if you'll be considering the above or have chosen instead to not bother with any further effort on this matter. (In that case, I hope what I've written may be helpful for future readers.)
/Charlie (troubleshooter, carehart.org)
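The wrapper page Charlie sketches in points 3 to 6 above, written out as an added example (this is not code from the thread, from Adobe, or from carehart.org). A scheduled task would point at a local page such as task_proxy.cfm?task=nightlyReport; the page makes the real call with cfhttp, presenting a PKCS12 client certificate if one is configured, and on failure also probes a public https site so you can tell a client-cert problem apart from CF being unable to make any https call. The file name, the task keys, the example.com target URLs, the certificate path and the log file name are all assumptions for illustration; the allow list and the loopback check are there because, as the post notes, a page that fetches arbitrary URLs on the scheduler's behalf must not be usable as an open proxy.

```cfml
<cfscript>
// task_proxy.cfm (added example, not from the original thread)
// Scheduled task URL: https://localhost/task_proxy.cfm?task=nightlyReport
// The scheduler cannot send a client cert; cfhttp can, so this page relays the call.

// ASSUMPTION: the set of permitted targets is fixed here. Accepting a raw url
// parameter would turn this page into an SSRF relay for anyone who can reach it.
allowedTasks = {
    "nightlyReport": "https://www.example.com/tasks/nightlyReport.cfm",
    "mailDigest":    "https://www.example.com/tasks/mailDigest.cfm"
};

// ASSUMPTION: client cert stored as a PKCS12 (.p12/.pfx) file readable only by
// the ColdFusion service account. Leave certPath empty to call without a cert.
certPath     = "";   // e.g. "D:\certs\cf-tasks.p12"
certPassword = "";   // in practice read this from a protected store, not source

// The scheduler runs on this server, so only accept loopback callers.
if (!listFindNoCase("127.0.0.1,::1", cgi.remote_addr)) {
    cfheader(statusCode=403, statusText="Forbidden");
    abort;
}

taskKey = structKeyExists(url, "task") ? url.task : "";
if (!structKeyExists(allowedTasks, taskKey)) {
    cfheader(statusCode=400, statusText="Unknown task");
    abort;
}

/**
 * GET a URL with cfhttp, with or without a client certificate.
 * Returns the cfhttp result struct (statusCode, fileContent, errorDetail, ...).
 */
function fetch(required string target, string p12Path = "", string p12Pass = "") {
    local.res = {};
    if (len(arguments.p12Path)) {
        cfhttp(url=arguments.target, method="get", result="local.res", timeout=300,
               clientCert=arguments.p12Path, clientCertPassword=arguments.p12Pass);
    } else {
        cfhttp(url=arguments.target, method="get", result="local.res", timeout=300);
    }
    return local.res;
}

target = allowedTasks[taskKey];
res    = fetch(target, certPath, certPassword);

// cfhttp reports the status as e.g. "200 OK"; anything else counts as a failure.
if (listFirst(res.statusCode, " ") == "200") {
    writeLog(file="taskproxy", type="information", text="#taskKey# ok via #target#");
    writeOutput("OK #taskKey#");
} else {
    // Sanity check from the post: if a known-good public https site also fails,
    // the problem is CF's ability to do https at all (trust store, Java), not certs.
    probe  = fetch("https://www.google.com/");
    detail = "#taskKey# failed: #res.statusCode# #res.errorDetail#; "
           & "probe of google.com: #probe.statusCode# #probe.errorDetail#";
    writeLog(file="taskproxy", type="error", text=detail);
    // Return a non-2xx status so the failure shows in the scheduler and IIS logs.
    cfheader(statusCode=502, statusText="Upstream task failed");
    writeOutput(detail);
}
</cfscript>
```

To run the sanity check from points 4 and 5 without changing the scheduler, request the page in a browser on the server with certPath empty first, then with the PKCS12 path set; the taskproxy log shows which of the two calls (the task URL or the public probe) failed and with what errorDetail.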
Hi Charlie,
I assert that something besides IIS is causing a cert request because 1) I have explicitly chosen to have IIS ignore client certificates. I still get a client cert request whether I go to the site from within my network COI or from outside via the hosting enclave. Neither system has anything on the client side causing this, and IIS is set to explicitly ignore client certs, so the only likely culprit is Tomcat. If there's something wrong with that logic, I can't see it. It occurs for any url called on that server, from anywhere that can reach it.
You ask if I can make a call via cfhttp. I am not a developer. I don't know how to do that. A quick search shows I would need to construct some file and call it somehow, but the details are unclear. I can ask one of my developers to provide a method if that would provide any helpful information.
CF is not running on an "old" java version. It is CF 2021 with HF 12. That should be current enough to not be considered "old," no? We are still working out some code issues with HF 13 and 14 so I haven't upgraded production yet, just our dev and test environments.
Number 5 is meaningless to me. I don't know what "pointing to it" means or where/how to set the mentioned attribute. Sounds like a developer action is needed, but the developers insist this is a server setting, so they have been a bit reluctant to get involved.
Number 6 is also opaque. Not knowing what cfhttp is, nor how to specify a clientcert applies here, too.
While I definitely appreciate your comments, and believe they could help shed light on the issue at hand, it seems to me I'd need to get the developers involved. I will run your response by them and see what they say.
I've managed to get Splunk, Crystal Server, and several dot net sites all to work perfectly on https with smart card login. The main site we serve with CF works on https. It's only the scheduled tasks and admin page that are tricky to get working. I'm not worried about the admin page, as it will have user interaction to select a cert. It's the scheduled jobs that need to run https without any interaction.
I also see there's a way to import a cert into the java store and have CF respond with that cert. I may dig into that and figure out how to implement it. If that works, then I won't have to figure out how to stop the server from insisting on a client cert.
Best regards,
Todd