Peer not authenticated - Connecting to 3rd party API over SSL

Question

(CF8.01 server with Windows 2008 Server R2 - Java installed in C:\Program Files\Java\jre6)

I have no problems connecting with CFHTTP from a local dev box to one of our domains on a server with SSL. I also have a domain that uses a PayPal API over SSL which appears to be working still. However I've recently tried to integrate with another 3rd party and I can't get it to connect

I receive a peer not authenticating error, as detailed in the link below

Diagnosing a CFHTTP issue - peer not authenticated · Raymond Camden

I tried the fix at the top of Raymonds page but it would not work, it just throw errors. I've been through the thread which at one point led me to an instructional page here Naveen Chhabra's Blog | Just another WordPress.com site which suggested that you take the certificate from the third party server and install it on the CF server. However I struggled with that because it was asking for a keystore password, which I don't know and can't seem to figure out how to set.

The more I read the more complex this appears to get.This page from Oracle gave me a headache keytool-Key and Certificate Management Tool

It's odd how I'm able to use PayPal, and also connect to my other domains on SSL from the dev box, and yet this particular third party won't work.

I'm also concerned that if I install their certificate that once it expires that the function will then fail.

I've read the previous forum posts and can't seem to find a solution, I also seem to be the only person with this issue on CF8, the other reports are CF9 or CF10

Can anybody please help me resolve this issue

Thanks

Mark

Charlie Arehart · Answer

The default keystore password is simply “changeit” (no quotes).

Sometimes importing the key is the solution. If you do that, there are gotchas. Some key ones are:

- you need to point to the lib\cacerts as found in the JVM folder that CF is pointing to, in the java.home of the jvm.config—it may not be CF’s default jvm, so importing the cert there will do no good.

- you need to run the keytool at a command line that is running as admin (on Windows)

Then again, perhaps you don’t need to import a cert. Perhaps instead you need to update your JVM. Many have found that such SSL/TLS issues are fixed by updating that JVM that CF points to, to Java 8. CF8 runs on Java 1.6 and was never certified even for 7. And CF9 was never certified for 8. But some CF9 users have pointed it to Java 8 and solved such problems.

Updating the JVM CF uses is, on the surface, very easy. A 5-minute job if you know what you’re doing. If you don’t, it can leave you thinking CF is hosed with no choice but to reinstall. That is usually not necessarily. I discuss more in this post:

http://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start

Finally, as for why this may be needed for some sites and not others you connect to, it’s often due to the web server of the destination site having changed what SSL/TLS encryption algorithms it will support. Perhaps the sites having trouble have implemented some tighter requirement than those that are working for you.

Let us know if you fix things or learn more.

/charlie

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded