• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Connection Failure - CFHTTP connecting to a https website

New Here ,
Oct 12, 2021 Oct 12, 2021

Copy link to clipboard

Copied

Hi,

 

I am testing a process we have, on CF 2016 enterpise. ( 2016.0.16.320445  )

 

A scheduled page month_end.cfm calls a number of additional processes via cfhttp.

 

This website ( on an intranet ) I have just recently implemented https. Since the move to https the calls to the other pages do not work.

 

The documentation for CFHTTP has instructions for using https, and I have imported the site certificate with the provided keytool command, however the error still occurs.  

 

CF server http.log shows the call, but does not show an error. Other logs show no info either.

 

The call is pretty straightfoward:

<cfhttp
url = "#getPageContext().getRequest().getScheme()#://#cgi.server_name##getDirectoryFromPath(cgi.SCRIPT_NAME)#runthispage.cfm?EOM=#VARIABLES.MONTH_END_DATE#&unique=#TimeFormat(Now(),"hhmmss")#"
method = "get">
</cfhttp>

 

How do I further debug the connection failure, and where do  I go from here?

 

Thanks,

 

TOPICS
Advanced techniques

Views

592

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Beginner , Oct 14, 2021 Oct 14, 2021

Hi,

 

I don't see an answered option ( or somewhere to mark a response as an answer), but one can assume it was the upgrade of the JRE, AND the import of the certificate, since idependantly the error persisted.

 

I also should have cfdump'ed the cfhttp structure earlier, as it did give further information of the error, moreso than just "Connection Failure" 

 

Thanks again!

 

I just double checked again and I can't see a "mark as answered option".

 

 

 

Votes

Translate

Translate
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

I have revised this slightly minutes after posting it, as I explain below. 

 

If you were running a new cf version, I would say first to make sure the evaluation of the functions and vars creating that url result in what you expect. Wrap them in a cfoutput above the cfhttp, to see. (It's always possible that something about a change in the new version has affected the value of the variables you are referring to.) 

 

(But you say you just changed your web server to support tls, and the cfhttp is failing, so you can skip to my last point. I'd written the previous and next points because often people experience these things. Then I realized they don't apply in your case. I've left them in case they may help others. ) 

 

Then take that url and visit it in a browser on the server. That will confirm second that there's nothing about visiting that url that is somehow blocked for the server.

 

Finally, assuming the last check works (the url works in a rowser on the server, just not from a cfhttp call), then I suspect the issue is that the version of Java that your cf2016 is running is outdated, and it's not supporting the https/tls security of the server you're calling (which in this case is your own server...such that the https/tls security is configured in your web server, not cf). This may be why importing a cert into cf did not help, and often is not needed. 

 

I have a blog post with more on this, both understanding and resolving it:

 

https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/

 

To be clear, you could update your cf2016 update 16 to the latest version of Java 8 or 12., FWIW, I have a post clarifying what cf versions and updates support what jvm versions :

 

https://coldfusion.adobe.com/2021/01/table-of-java-to-cf-versions/

 

Please let us know what you find or think about this suggestion.

 

If the update to cf's jvm doesn't suffice, there can sometimes be still more that's needed, but not typically. (Also, do beware that cf2016 is no longer supported. It's final update was in March. It was not updated last month with cf2018 and Cf2021. As such,! there are now vulnerabilities which are only addressed in the two supported versions. That said, updating the jvm that CF uses does at least address jvm vulnerabilities that are in older jvm versions.) 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

Hi Charlie,

 

Thanks for your response. After my post I did run across a number of posts on this issue, including your own.

 

The URL is placed into my log file, and when I copy thay into a browser manually the call works, so the URL is formed correctly.

 

May I ask, using CF enterprise 2016, can an instance of CF run on a different JRE to the default instance and other instances on the same server?

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

It's important that you copy that into a browser running on the same machine as CF. It's not really a matter of the URL being formed correctly, but the machine running CF being able to get to it.

 

And, yes, each instance of CF can have its own JRE. 

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

HI,

 

Its a URL within the same website site, and I have tested the URL.

The process works with http, but now that the website is https, it doesn't work  (thats the only change )

 

But that is good news about that an instance can have a  different JRE than the master instance, and other instances on that server. I am exploring the upgrade of the JRE today.

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

The thirdparty installers URL Adobe - ColdFusion Support Center : More Downloads 

Java JAVA SE 11.0.12 does not have a a JRE folder.

CF Admin throws an error ( image below ). Hopefully somone knows the fix.jvm.PNG

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

Take off the /bin. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

Hi Charlie,

 

Thanks that worked. Running on 11.0.12 now.

 

Hasn't helped my http problem though, but at least it ruled it out! 

 

Next step is to re-import the certificate possibly.

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

And done!

 

Imported certificate in the ketsore with Keystore Exlporer ( stop the CF process so you can save the cacerts file)

 

Thanks for help everyone, especially Charlie.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 14, 2021 Oct 14, 2021

Copy link to clipboard

Copied

Great to hear, and glad to have helped. Hope you'll pick an *answer" to help others. Sadly, your last one would not be enough alone, as you mention there only importing the cert. You'd had to change the jvm, as I'd proposed in my first reply. Note that you could pick both. 🙂 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 14, 2021 Oct 14, 2021

Copy link to clipboard

Copied

Hi,

 

I don't see an answered option ( or somewhere to mark a response as an answer), but one can assume it was the upgrade of the JRE, AND the import of the certificate, since idependantly the error persisted.

 

I also should have cfdump'ed the cfhttp structure earlier, as it did give further information of the error, moreso than just "Connection Failure" 

 

Thanks again!

 

I just double checked again and I can't see a "mark as answered option".

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 14, 2021 Oct 14, 2021

Copy link to clipboard

Copied

Ok, thanks. I realize now you didn't ask the original question. Anyway, I do appreciate that both steps were needed, which is why I noted that two answers could be selected (by someone who can). 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 14, 2021 Oct 14, 2021

Copy link to clipboard

Copied

I did actually!

I don't understand why the username was coming up as "defaultuoeicwd8vcus" for later posts.

( I still can't mark anything as answered though )

Perhaps it is because I am logging in with my coporate email adddress, and it does the login with the single sign on feature ( for our domain), and the website is not handling that correctly.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 14, 2021 Oct 14, 2021

Copy link to clipboard

Copied

LATEST

Sounds like that's the reason. Oh well. Glad you solved the real problem. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation