Hi
I have a CF application that has been sending newsletter emails for the last 10 years and working just fine. Here is the simple code. As you see, I let all connection settings be taken from the CF server settings (see below).
<cfmail
subject="blah blah"
from="...."
to="....."
type="html" charset="utf-8" timeout="120">
Recently others did an update to the certificates of the email server (smtp.mydomain.com).
Now my application cannot send emails anymore, although I changed nothing in my system and code. My emails from the spool folder go to Undelivr. The error message I get in the mail.log is
"Error","scheduler-1","06/16/20","16:37:56",,"javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed"
What does that mean?
Does it mean that something about the certificates on my server is now not compatible with the new certificate version they have on the email server, so it's a problem of certificate incompatibility between server and client?
If this is the case, what can I do to solve the problem?
- Is it all about a setting or something in my server?
- Do I just have to download and install something (something about OS or java)?
- Could an OS upgrade to Windows 2012 solve the problem?
==========================
- Windows Server 2008 Standard v.6.0.6003 SP 2, with
- CF 10 Standard server
- Java Version 1.7.0_15
- Java VM Version 23.7-b01
----------------
My Mail Connection Settings are
Default Server Port 587
Maintain Connection to Mail Server No
Use SSL Connection No
Use TLS Yes
Default Mail Server smtp.mydomain.com
Port 587
-------------
My CF 10 is updated (I think)
ColdFusion 10 Update 23
Update Level: 23
Update Type: General
ColdFusion 10 Update 23 has Tomcat upgraded to version 7.0.75.
-----------
Thank you in advance
Anastasios
Your CF server needs to have the correct certificate chain in its keystore, just like when you use CFHTTP to connect to HTTPS sites. There are lots of resources out there about how to fix that problem. Here's one.
https://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html
Upgrading Windows won't change anything here. Note also that you're using a really old and unsupported version of CF, and you may have additional certificate problems in the future as protocols change and libraries are updated accordingly.
Dave Watts, Eidolon LLC
Dave,
thank you so much for your reply. The page was very useful and to the point. So, as I understand:
- I have to ask the email server administrator for the needed certificate and receive from him a file like "someServerCertFile.cer".
- To use the keytool.exe to import this cer file in my CF keystore (truststore) according to the example in the page.
Question 1
Below is what the link you gave says about importing a certificate file.
- In the general command it says "-alias someServer-cert"
- In the example it replaces it with "-alias wa-cert"
Does this mean that for alias
a) I can replace "someServer" with any word I want (like "wa", "abcd" etc), or
b) the word has to be a specific one that comes from the specific someServerCertFile.cer or the certificate name and I have to ask the email administrator for it?
As I see in the example they use alias wa-cert, which has nothing to do with the certificate file "test.cer"
Question 2
The page says
...To import a remote server's certificate from a certificate file into the JRE's truststore, type the following into a command prompt:
"keytool -import -v -alias someServer-cert -file someServerCertFile.cer -keystore JAVA_HOME\jre\lib\security\cacerts -storepass changeit"
Example :
"C:\JRun4\jre\bin>keytool -importcert -v -alias wa-cert -file C:\temp\test.cer -keystore C:\JRun4\jre\lib\security\cacerts -storepass changeit"
I guess it was a mistake, because as it's written in the page -import is used with Java 1.4.2, and -importcert with 1.6.0.
Thanks again for your help
Anastasios
You should be able to get the certificates yourself, using a tool like openssl. But you could also ask the mail server administrator.
https://www.booches.nl/2015/05/export-starttls-certificate-from-smtp-server/
There are other pages, blog posts etc that cover the certificate import process, which I suspect has changed since JRun was around. I'd just look for the latest one of those, that's what I did (and you should probably spend more time on it than I did, too).
Dave Watts, Eidolon LLC
Hi Anastasios,
You're on CF10, so Java 1.4, Java 1.6 and JRun are too old and irrelevant for you. In addition, as you have found out, the correct command is importcert.
I shall start from the beginning, making no assumptions.
1) Copy your certificate file to the temp directory, so that its path is something like:
c:\temp\certificate_file.cer
2) Install the Java Development Kit (JDK) that fits with your Java 1.7
3) Open the DOS Command (CMD) Prompt as Administrator;
Use the CD command to navigate to {JDK_INSTALLATION_DIRECTORY}\bin;
Run the DOS command keytool /?
You will see that importcert is indeed the flag for importing certificates.
4) Run the DOS command:
keytool -importcert -storepass changeit -noprompt -alias your_unique_chosen_name -keystore C:/ColdFusion10/jre/lib/security/cacerts -trustcacerts -file C:/temp/certificate_file.cer
(I have assumed your ColdFusion installation directory is C:/ColdFusion10)
5) Restart ColdFusion.
Some references:
https://community.adobe.com/t5/coldfusion/cfhttp-ssl-connection-failure/m-p/3854329?page=1
https://stackoverflow.com/questions/13863292/import-certificate-for-coldfusion10
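An added example, not part of the original posts: a small Java check to run after the import in step 4 and before relying on the restart in step 5. It confirms the chosen alias landed in the truststore file that was edited, and reports any trusted entry that is expired or not yet valid, which is the validity-date condition behind the logged "timestamp check failed" message. The class name `TrustStoreCheck` is hypothetical; the store path and the `changeit` password are the ones assumed in the post above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name). Compiles with JDK 7 or later.
// Run: java TrustStoreCheck C:/ColdFusion10/jre/lib/security/cacerts your_unique_chosen_name
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TrustStoreCheck <cacerts-path> <alias> [storepass]");
            System.exit(2);
        }
        String path = args[0];
        String alias = args[1];
        // "changeit" is the default cacerts password used in the thread
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // also fails here if the password or file is wrong
        }

        // 1) Was the certificate written to the store that was passed in?
        System.out.println("alias '" + alias + "' present: " + ks.containsAlias(alias));

        // 2) Report every trusted certificate outside its validity window
        int bad = 0;
        for (String a : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(a);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            try {
                x.checkValidity(); // compares notBefore/notAfter with the system clock
            } catch (CertificateExpiredException e) {
                bad++;
                System.out.println("EXPIRED " + a + " notAfter=" + x.getNotAfter());
            } catch (CertificateNotYetValidException e) {
                bad++;
                System.out.println("NOT YET VALID " + a + " notBefore=" + x.getNotBefore());
            }
        }
        System.out.println(bad + " entries fail the validity-date check");
    }
}
```

If the alias is reported as absent, the import most likely went into a different JRE's `cacerts` than the one ColdFusion runs on; the JVM path shown in the ColdFusion Administrator's system information is the one to pass in.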
Dear BKBK,
thank you so much for your step by step help.
I did exactly what you wrote and the problem is solved.
My CF10 communicates and delivers emails to email server as before.
Best regards
Anastasios